[Samba] idmap problems
L.P.H. van Belle
belle at bazuin.nl
Tue Jan 8 10:56:10 UTC 2019
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday, 8 January 2019 11:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] idmap problems
>
> On Tue, 8 Jan 2019 10:36:49 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai,
> >
> > I still don't understand the fuss about "domain admins" and no GID
> > because I'm running this for 3 years now. So... Again, what was the
> > problem here? I don't remember it.. (sorry)
>
> The problem is that you use Administrators instead of Domain Admins, which, if you think about it, is the same as using another group instead of Domain Admins.
No, that's not the problem. I'm using it as Windows designed it by default.
Builtin\Administrators != "DOMAIN\Domain Admins", and DOM\Domain Admins is a member of Builtin\Administrators.
Now your idea:
Builtin\Administrators != "DOMAIN\Domain Admins", and DOM\ANY group is not by default a member of Builtin\Administrators.
Go here
https://docs.microsoft.com/nl-nl/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory#appendix-b-privileged-accounts-and-groups-in-active-directory-1
Check out
Table B-1: User Rights and Privileges
Table B-1: Built-in and Default Accounts and Groups in Active Directory
The important parts are the "Direct user rights" and "Inherited user rights."
That might help you understand what I'm trying to say.
My setup is set as close as possible to a Windows domain setup.
I'm thinking in:
ADDC-server
BUILTIN <-> NTDOM <-> Workstations/users
Not ADDC-server
NTDOM <-> Workstations/users (this reflects more a member server)
And not ADDC-server
BUILTIN <-> Workstations/users (this reflects more a standalone server)
Greet,
Louis
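The distinction Louis draws above (Domain Admins is a member of BUILTIN\Administrators by default, an arbitrary substitute group is not, so "inherited user rights" differ) can be checked against a model of group nesting. The block below is an added illustration, not code from the Samba list thread or the Samba project; the directory, the group names and the rights labels are constructed sample data, and `nest()` is a hypothetical helper that returns a modified copy of that directory.

```python
"""Constructed model of AD group nesting: direct vs inherited user rights.

Added illustration, not code from the Samba list thread. The directory
and the rights below are constructed sample data, not read from a domain.
"""
from collections import deque

# Constructed directory: group -> set of direct members (users or groups).
# Mirrors the default layout described in the post: Domain Admins is a
# direct member of BUILTIN\Administrators; a custom admin group is not.
MEMBERS = {
    r"BUILTIN\Administrators": {r"DOM\Domain Admins", r"DOM\Administrator"},
    r"DOM\Domain Admins": {r"DOM\louis"},
    r"DOM\Custom Admins": {r"DOM\alice"},
}

# Constructed "direct user rights" per group (sample labels, not a real policy).
DIRECT_RIGHTS = {
    r"BUILTIN\Administrators": {"SeBackupPrivilege", "SeRestorePrivilege"},
    r"DOM\Domain Admins": {"SeEnableDelegationPrivilege"},
    r"DOM\Custom Admins": set(),
}


def groups_of(principal, members=MEMBERS):
    """Every group `principal` belongs to, directly or through nesting (BFS)."""
    parents = {}
    for group, direct in members.items():
        for m in direct:
            parents.setdefault(m, set()).add(group)
    seen, queue = set(), deque([principal])
    while queue:
        cur = queue.popleft()
        for g in parents.get(cur, ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def is_member(group, principal, members=MEMBERS):
    """Transitive membership test: does `principal` end up in `group`?"""
    return group in groups_of(principal, members)


def effective_rights(principal, members=MEMBERS, rights=DIRECT_RIGHTS):
    """Direct rights of every group the principal is (transitively) in,
    i.e. the 'inherited user rights' the post refers to."""
    out = set()
    for g in groups_of(principal, members):
        out |= rights.get(g, set())
    return out


def nest(group, into, members=MEMBERS):
    """Hypothetical helper: copy of the directory with `group` made a
    member of `into`; the original mapping is left untouched."""
    new = {g: set(m) for g, m in members.items()}
    new.setdefault(into, set()).add(group)
    return new


if __name__ == "__main__":
    # louis inherits BUILTIN\Administrators rights via Domain Admins.
    print(sorted(effective_rights(r"DOM\louis")))
    # alice, in a group that is not nested into BUILTIN\Administrators, does not.
    print(sorted(effective_rights(r"DOM\alice")))
    # Only after nesting the custom group does alice inherit the same rights.
    nested = nest(r"DOM\Custom Admins", r"BUILTIN\Administrators")
    print(sorted(effective_rights(r"DOM\alice", nested)))
```

Run as-is, the model shows that swapping Domain Admins for another group changes what its members inherit from BUILTIN\Administrators unless that group is also nested there; when auditing an idmap setup, the transitive membership (not just the direct one) is what decides the effective rights.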