[Samba] idmap problems

Rob Mason rob at acasta.co.uk
Fri Jan 4 11:48:56 UTC 2019


<snip>

> > > I do hope you are not thinking of using GPO's, you have just stopped
> > > Domain Admins from owning things in Sysvol.
> > >
> > > Rowland
> >
> > <facepalm/> Thanks Rowland - you must be getting pretty tired of my
> > dumb questions...
>
> The only dumb question is the one you do not ask ;-)
> If unsure, ask. It is easier to fix something before a mistake is made.
>

:)

> > The current GPO's are not critical (fortunately).
> > Should I remove the Domain Admin gid and chgrp the ownership of the
> > original directories back to 3000008 (original Domain Admin)?
>
> Removing the gidNumber attribute should be enough, but as you say,
> there is always chgrp.
>
> > suspect the alternative is not as simple as chgrp'ing sysvol to the
> > new Domain Admin gid? Or is the damage done....
>
> samba-tool ntacl sysvolreset

Thanks.  Is the reset based on the mapped gid or the original 3000008 (original Domain Admin)? I assume it's the latter.

Is there a reason why I shouldn't map Domain Admins to a gid of 3000008 to match its current un-mapped default value on the ADC? I understand I would need to add 'idmap config SAMDOM:range = 30000-3000999' to my member server smb.conf. Presumably this wouldn't impact sysvol, and it would allow me to use the DA account on the member server(s).

>
> > 
> > Given the original age of this domain, and relatively small size, I
> > am considering starting afresh. I was originally trying to avoid
> > having to re-register the workstation community. This now feels like
> > the better option.
>
> Setting up a new AD domain is, in my opinion, a better idea, you can
> start without the old ways of doing things e.g. not starting the ID's
> from '500'.

I'm not sure I understand what you mean by starting from 500? I couldn't find the current recommended starting point in the wiki, other than if using the old ADUC ("...By default, ADUC starts assigning UID and GID numbers at 10000..."). Would this be a good starting point for a new domain?

>  
> > 
> > As an aside, how do folks track domain uids/gids now that the new
> > RSAT tools don't provide NIS??
>
> Even though RSAT on Windows 10 no longer comes with the Unix
> Attributes tab, all the required attributes are still available in
> Samba AD, you just need to write scripts to use them.
>
> Rowland
>
>

I appreciate your help!

Rob
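An added example, not code from this thread or from the Samba project, of the kind of script Rowland refers to when he says the Unix attributes are still in Samba AD and "you just need to write scripts to use them". It reads an LDIF dump in the shape that `ldbsearch` or `ldapsearch` print (the sample below is constructed, with made-up names, DNs and numbers), pulls out uidNumber from user objects and gidNumber from group objects, and reports duplicate values, values that fall outside an allocation range, and the next free number in that range. The range 10000-19999 is an assumption chosen to match the ADUC default quoted above; it is not a Samba recommendation.

```python
from collections import defaultdict

# Constructed sample LDIF (not from the original post). Entries are separated
# by blank lines, one "attr: value" per line, as ldbsearch/ldapsearch emit.
SAMPLE_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: Domain Admins
gidNumber: 3000008

dn: CN=unixgroup,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: unixgroup
gidNumber: 10001

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: alice
uidNumber: 10000
gidNumber: 10001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: bob
uidNumber: 10000
gidNumber: 10001

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: carol
uidNumber: 10002
gidNumber: 10001
"""

# Assumed allocation range for this example (matches the ADUC default of 10000).
ID_RANGE_LOW, ID_RANGE_HIGH = 10000, 19999


def parse_ldif(text):
    """Parse simple LDIF into a list of {attr: [values]} dicts.

    Handles multi-valued attributes and ' ' continuation lines; it does not
    decode base64 ('attr:: ...') values, which an ID audit does not need.
    """
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_key:
            current[last_key][-1] += line[1:]   # folded continuation line
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        entries.append(current)
    return entries


def collect_ids(entries, attr, object_class):
    """Map each numeric value of `attr` to the accounts of `object_class` holding it."""
    holders = defaultdict(list)
    for entry in entries:
        if object_class not in entry.get("objectClass", []) or attr not in entry:
            continue
        name = entry.get("sAMAccountName", entry.get("dn", ["?"]))[0]
        holders[int(entry[attr][0])].append(name)
    return holders


def duplicates(holders):
    """Numbers carried by more than one account."""
    return {n: names for n, names in holders.items() if len(names) > 1}


def outside_range(holders, low, high):
    """Numbers in use that do not fall inside [low, high]."""
    return sorted(n for n in holders if not low <= n <= high)


def next_free(holders, low, high):
    """Lowest unused number in [low, high], or None if the range is exhausted."""
    used = set(holders)
    return next((n for n in range(low, high + 1) if n not in used), None)


def audit(ldif_text, low=ID_RANGE_LOW, high=ID_RANGE_HIGH):
    """Audit uidNumber on users and gidNumber on groups; users' gidNumber is their
    primary group and legitimately repeats a group's value, so it is not checked."""
    entries = parse_ldif(ldif_text)
    report = {}
    for attr, object_class in (("uidNumber", "user"), ("gidNumber", "group")):
        holders = collect_ids(entries, attr, object_class)
        report[attr] = {
            "duplicates": duplicates(holders),
            "outside_range": outside_range(holders, low, high),
            "next_free": next_free(holders, low, high),
        }
    return report


if __name__ == "__main__":
    for attr, findings in audit(SAMPLE_LDIF).items():
        print(attr, findings)
```

Run against a real export, the input would come from something like `ldbsearch -H /path/to/sam.ldb '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectClass uidNumber gidNumber` on the DC (the filter and path are illustrative); the report then shows the duplicate uidNumber shared by alice and bob and the Domain Admins gidNumber sitting outside the chosen range, which is exactly the kind of mismatch this thread is about.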
