[Samba] idmap problems

Rowland Penny rpenny at samba.org
Tue Jan 8 11:59:33 UTC 2019


On Tue, 8 Jan 2019 12:38:22 +0100
L.P.H. van Belle <belle at bazuin.nl> wrote:

>  
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Tuesday 8 January 2019 12:18
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] idmap problems
> > 
> > On Tue, 8 Jan 2019 11:56:10 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > 
> > > 
> > > > -----Original message-----
> > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > > Rowland Penny via samba
> > > > Sent: Tuesday 8 January 2019 11:13
> > > > To: samba at lists.samba.org
> > > > Subject: Re: [Samba] idmap problems
> > > > 
> > > > On Tue, 8 Jan 2019 10:36:49 +0100
> > > > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > > > 
> > > > > Hai,
> > > > >
> > > > > I still don't understand the fuss about "domain admins" and no GID
> > > > > because I'm running this for 3 years now. So... Again what was the
> > > > > problem here, I don't remember it.. (sorry)
> > > > 
> > > > The problem is that you use Administrators instead of Domain
> > > > Admins, which, if you think about it, is the same as using
> > > > another group instead of Domain Admins.
> > > No, that's not the problem.. I'm using it as Windows designed it by
> > > default.
> > 
> > I do not think you are ;-)
> Oh, I do think I am. OK, I lost my MCSE certification but I did have
> it. I've designed Windows ADs since Win2000

I bow to superior knowledge ;-)

> 
> > 
> > > 
> > > Builtin\Administrators != "DOMAIN\Domain Admins"
> > 
> > That is perfectly obvious.
> > 
> > > and DOM\Domain admins is a member of Builtin\Administrators
> > 
> > Again correct
> > 
> > > 
> > > Now your idea..
> > > Builtin\Administrators != "DOMAIN\Domain Admins" and DOM\ANY group
> > > but is not by default a member of Builtin\Administrators
> > 
> > I am prepared to accept adding DOM\ANY to BUILTIN\Administrators,
> > but is it really any different to adding it to DOMAIN\Domain
> > Admins, when DOMAIN\Domain Admins is a member of
> > BUILTIN\Administrators ?
> In my opinion yes, if you don't add it in "domain admins" you are missing
> inherited rights.

I thought that an object inherited rights from the object above it
i.e. nested groups
So a group that is a member of Domain Admins would have the same
rights as Administrators, because Domain Admins is a member of
Administrators, or am I missing something ???

Rowland
 



