[Samba] idmap problems

L.P.H. van Belle belle at bazuin.nl
Tue Jan 8 10:56:10 UTC 2019


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Tuesday 8 January 2019 11:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] idmap problems
> 
> On Tue, 8 Jan 2019 10:36:49 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > Hi, 
> > 
> > I still don't understand the fuss about "domain admins" and no GID,
> > because I've been running this for 3 years now. So... again, what was the
> > problem here? I don't remember it.. (sorry) 
> 
> The problem is that you use Administrators instead of Domain Admins, which, if you think about it, is the same as using another group instead of Domain Admins.
No, that's not the problem..  I'm using it as Windows designed it by default.  

BUILTIN\Administrators != "DOMAIN\Domain Admins", and DOM\Domain Admins is a member of BUILTIN\Administrators

Now your idea.. 
BUILTIN\Administrators != "DOMAIN\Domain Admins" and DOM\ANY group, but that is not by default a member of BUILTIN\Administrators

Go here 
https://docs.microsoft.com/nl-nl/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory#appendix-b-privileged-accounts-and-groups-in-active-directory-1

Check out 
Table B-1: User Rights and Privileges 
Table B-1: Built-in and Default Accounts and Groups in Active Directory 
The important parts are the "Direct user rights" and "Inherited user rights."

That might help you understand what I'm trying to say. 
My setup is set up as close as possible to a Windows domain setup. 
I'm thinking in .. 

ADDC-server
BUILTIN <-> NTDOM <-> Workstations/users 

Not ADDC-server
NTDOM <-> Workstations/users 	( this reflects more a member server ) 
And not ADDC-server
BUILTIN <-> Workstations/users ( this reflects more a standalone server )


Greetings,

Louis
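An added example, not part of this thread and not Louis's or Rowland's own configuration: a small POSIX sh audit that checks the point argued above on a Samba host, namely that the privileged groups from Microsoft's Table B-1 resolve to a GID through NSS/winbind, and that DOM\Domain Admins shows up as a member of BUILTIN\Administrators the way Windows nests them by default. It assumes the NetBIOS domain name DOM, the default winbind separator "\", and that `getent group` lists group members; the sample `getent` output embedded in the script is constructed so it can be run offline (set GETENT_DATA to use it, leave it unset to read the live NSS database).

```sh
#!/bin/sh
# Added example, not from the thread: audit whether the privileged Windows
# groups discussed above resolve to a GID through NSS/winbind, and whether the
# default nesting (DOM\Domain Admins inside BUILTIN\Administrators) is visible.
# Assumptions: NetBIOS domain "DOM", default winbind separator "\", and that
# `getent group` lists groups with their members. SAMPLE_GETENT is constructed
# test data, not output from any real server.

SAMPLE_GETENT='BUILTIN\administrators:x:3000000:DOM\domain admins,DOM\enterprise admins
DOM\domain admins:x:10512:DOM\administrator
DOM\enterprise admins:x:10519:DOM\administrator
DOM\domain users:x:10513:'

# Use live NSS data unless the caller supplied GETENT_DATA (e.g. the sample).
if [ -z "${GETENT_DATA:-}" ]; then
    GETENT_DATA=$(getent group 2>/dev/null) || GETENT_DATA=$SAMPLE_GETENT
fi

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# group_entry NAME: print the getent line for NAME (case-insensitive), or fail.
group_entry() {
    want=$(lower "$1")
    while IFS= read -r line; do
        if [ "$(lower "${line%%:*}")" = "$want" ]; then
            printf '%s\n' "$line"
            return 0
        fi
    done <<EOF
$GETENT_DATA
EOF
    return 1
}

# group_gid NAME: print the GID field; fail if the group has no idmap mapping.
group_gid() {
    entry=$(group_entry "$1") || return 1
    printf '%s\n' "$entry" | cut -d: -f3
}

# group_has_member GROUP MEMBER: succeed if MEMBER is in GROUP's member list.
group_has_member() {
    entry=$(group_entry "$1") || return 1
    want=$(lower "$2")
    members=${entry#*:*:*:}
    old_ifs=$IFS
    IFS=,
    for m in $members; do
        if [ "$(lower "$m")" = "$want" ]; then
            IFS=$old_ifs
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# audit_privileged_groups DOMAIN: report the mapping state of the privileged
# groups; the return value is the number of groups without a GID.
audit_privileged_groups() {
    dom=$1
    missing=0
    for g in "BUILTIN\\Administrators" "$dom\\Domain Admins" "$dom\\Enterprise Admins"; do
        if gid=$(group_gid "$g"); then
            printf 'ok       %-28s gid %s\n' "$g" "$gid"
        else
            printf 'MISSING  %-28s no GID mapping (check the idmap config for its domain)\n' "$g"
            missing=$((missing + 1))
        fi
    done
    if group_has_member "BUILTIN\\Administrators" "$dom\\Domain Admins"; then
        printf 'ok       %s\\Domain Admins is nested in BUILTIN\\Administrators (Windows default)\n' "$dom"
    else
        printf 'WARNING  %s\\Domain Admins not listed as member of BUILTIN\\Administrators\n' "$dom"
    fi
    return "$missing"
}

audit_privileged_groups "${1:-DOM}" || printf '%s group(s) without a GID mapping\n' "$?"
```

On a real member server run it as `sh audit.sh YOURDOM`; a MISSING line for a DOM group with an ok line for the BUILTIN one (or the reverse) points at the idmap range for that particular domain rather than at the group itself, which is the distinction the message above is making. Whether nested members are visible in the BUILTIN entry depends on how winbind expands groups on that host, so treat the WARNING line as a prompt to look, not as proof the nesting is absent.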