[Samba] idmap problems

L.P.H. van Belle belle at bazuin.nl
Tue Jan 8 09:36:49 UTC 2019 

Hai, 

I still dont understand the fuss about "domain admins" and no GID because im running this for 3 years now. 
So... Again what was the problem here, i dont remember it.. (sorry) 

In my opinion, the problem is not "domain admins", the problem is Administrator. 
And because if that you need an other "administrator user",  that is a copy of Administrator its settings. 
AND this user must have a UID but thats my vision about this problem. 

I'll tell why this is my vision on the problem. 
idmapping these 2. 
DOMAIN
BUILTIN 

And the diversity of options in setting up and different samba versions..  
Which is the main problem in my opinion. 
There should not be any "DOMAIN ADMINS" on sysvol. Simple as that. 

This is a sysvol default : 
( this might be a bit off, but as example ) 
NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M,WDAC,WO)
CREATOR OWNER:(OI)(CI)(IO)(F)

Where is domain admins, its not there, why... Because "domain admins" is member of :  BUILTIN\Administrators 

> 
> <snip>
> 
> Hi Rowland - I've spent the past few days going over the wiki 
> and mailing lists. I think I've got the hang of idmaps. May I 
> clarify a couple of things:
> 
> ~ I have two DC's and one large fileserver (member). I'm using the 'ad' backend.
> ~ The only only windows group that needs a gidNumber attribute is Domain Users to map this across to the member server.
This depends all on you need. 
My domain admins..  : 
getent group "domain admins"
domain admins:x:10001:administrator,otherADMINuser
getent group "domain users"
domain users:x:10000:..(removed) 
getent group "domain guests"
domain guests:x:10002:guest

> ~ Other standard domain groups shouldn't be mapped across, especially Domain Admins(!) due to e.g.  sysvol  ownership
This not a problem, if configured correctly, but you just cant use users ADMINISTRATOR to set things here. 
It must be OtherAdmin 

> ~ I may add my own domain user/group to the DC's and add uid/gid to the attributes (avoiding overlapping ranges between domains, and avoiding the standard xid 3000000 range for builtin accounts).
> ~ I use the idmap parameters in smb.conf on the member server to map the newly added users/groups across to the member server
> 
> I think this is correct and my domain seems healthy. All good!.
All good as far i can see. 

> 
> My one remaining question concerns examples presented in the wiki - they routinely use 'Domain Admin' as an example for aspects such as setting up shares and permissions. 
> I think this is where I have become unstuck in the past. If I setup the domain as per my understanding, Domain Admins cannot be used as in the example given in 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs because its gid is not mapped (and should not typically be mapped).
This depends, in your example, you run AD backend. If you set 1 member with RID, then sure works fine. 
This: 
# chown root:"Domain Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/

Might be better shown as : 
# chown root:"Domain Admins" /srv/samba/Demo/
# chmod 1770 /srv/samba/Demo/
Or even better 
# chown otherAdmin:"Domain Admins" /srv/samba/Demo/
# chmod 3770 /srv/samba/Demo/

Why chmod 1770 (or 3770) 
It adds creator owner and creator group to the windows ACL. 
1XXX creator owner
2XXX creator group
3XXX  creator owner and creator group

But again this also depends on how you setup and what you want to run. 
Think in, you have 1000 options and 3 are perfect for you. 
Think ahead what you want todo with samba and how you want to use is, this is very important. 
For example, i want adding samba AD to my kodi machine, didnt think about anything.. 
Resulted in, running samba standalone with guest shares again...  :-/ 
Why, i did not think about the setup first.


> 
> You gave me some good alternative advice, which I have used 
> in my new domain, to create new admin groups that are members 
> of Domain Admins. These new admin groups are given gids, and 
> all is good. But I can't help thinking that example in the 
> wiki is mis-leading?? It seems that anyone who follows this 
> example with a member server will experience the gid mapping issues...
> 
> BTW - just wanted to offer a huge thanks for helping me out with this.
> 
> 
> --
> Rob Mason
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 

Greetz, 

Louis

More information about the samba mailing list