[Samba] Automatically assigning uidNumber / gidNumber attributes

Jonathon Reinhart jonathon.reinhart at gmail.com
Fri Jun 14 05:14:42 UTC 2019


> Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a group and a user.

I looked on a brand new test DC (with nss-winbind), and it looks like
it doesn't work right with winbind:

root@dc1# ls -l /var/lib/samba/sysvol/ad-test.vx/Policies/
total 16
drwxrwx---+ 4 3000004 ADTEST\domain admins 4096 Jun 13 21:41 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000004 ADTEST\domain admins 4096 Jun 13 21:41 {6AC1786C-016F-11D2-945F-00C04FB984F9}

root@dc1# wbinfo --gid-info 3000004
ADTEST\domain admins:x:3000004:
root@dc1# wbinfo --uid-info 3000004
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000004


root@dc1# smbcacls -k //dc1/sysvol ad-test.vx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
REVISION:1
CONTROL:SR|PD|DP
OWNER:ADTEST\Domain Admins
GROUP:ADTEST\Domain Admins
ACL:ADTEST\Domain Admins:ALLOWED/OI|CI/FULL
ACL:ADTEST\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:ADTEST\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ



On Tue, Jun 11, 2019 at 4:58 AM Rowland penny via samba
<samba at lists.samba.org> wrote:
>
> On 11/06/2019 09:41, Christian via samba wrote:
> > Am 07.06.2019 um 17:48 schrieb Rowland penny via samba:
> >> On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
> >>> On 05.06.2019 22:40, Rowland penny via samba wrote:
> >>>>> https://lists.samba.org/archive/samba/2019-June/223478.html
> >>>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
> >>>>> gidNumber attribute."
> >>>> Domain Admins is a group that must own files in Sysvol. Samba runs
> >>>> on Unix and groups cannot own files on Unix, so Domain Admins is
> >>>> mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain
> >>>> Admins a group and a user. If you give Domain Admins a gidNumber
> >>>> attribute, it becomes just a group and cannot own files.
> >>> Now I am confused. Reading "Adding a share" on domain member here:
> >>>
> >>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
> >>>
> >>>
> >>> If with idmap-ad I do not set gidNumber to Domain Admins I will not
> >>> be able to chown to that group?
> >>>
> >>> Is it better to create other administrative group for managing file
> >>> permissions?
> >>>
> >>> Regards,
> >>> Łukasz
> >>>
> >>>
> >> OK, I will add something to that page :)
> >>
> >> Domain Admins needs to own files in Sysvol, Domain Admins is a group
> >> and groups cannot own files on Unix. To counter this, Domain Admins is
> >> mapped to 'ID_TYPE_BOTH' in idmap.ldb, this makes it a group and a
> >> user. If you give Domain Admins a gidNumber, it breaks this mapping
> >> and it just becomes a group and, as I said, groups cannot own files on
> >> Unix ;-)
> >>
> >> I personally create a group called 'Unix Admins', give this group a
> >> gidNumber and make it a member of the 'Administrators' group.
> >>
> >> If you use the 'rid' backend, then you do not need to do anything.
> > Rowland,
> >
> > this discussion was very useful to me and not obvious at all from the
> > existing documentation. Having recently assigned a uidNumber to
> > Administrator and a gidNumber to Domain Admins, how would I undo this?
> > ldbmodify and just remove the entries? Anything I need to change on the
> > two dcs? The permissions on the shares of the member servers are still
> > easily fixed at this point. Not sure about our print server with driver
> > download, though... Thanks,
> >
> > Christian
> >
> >
> Yes, the easiest way would be to use ldbmodify to delete the u/gidNumber
> attributes and provided you haven't deleted anything from idmap.ldb,
> they should go back to their original 'xidNumbers', though you will
> probably have to run 'net cache flush' on all Unix domain members.
>
> Rowland
>
>
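The two things this thread turns on are how a group is mapped in idmap.ldb on the DC (ID_TYPE_BOTH versus a plain group once a gidNumber is set) and how to undo a manually assigned uidNumber/gidNumber with ldbmodify. The script below is an added example and is not code from the thread or from the Samba project. It looks up a group's idmap.ldb record, shows what winbind resolves for the SID in both directions (the check that produced the failing `wbinfo --uid-info` above), and emits the LDIF that deletes the Unix ID attributes from the object in sam.ldb. Assumed: the default Samba paths under /var/lib/samba/private (override with IDMAP_DB and SAM_DB), ldb-tools and winbind on the DC, and the constructed sample record used when run offline. Domain Admins has the well-known RID 512 in every AD domain.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Inspects how a domain group is mapped in idmap.ldb on a Samba AD DC and
# produces the LDIF that removes a manually assigned uidNumber/gidNumber
# from sam.ldb, so the object falls back to its idmap.ldb xidNumber.
# Assumptions: default Samba paths under /var/lib/samba/private (override
# with IDMAP_DB / SAM_DB), ldb-tools and winbind present on the DC, run as root.

IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"

# SID of a domain group from the domain SID and the group's RID.
# Domain Admins has the well-known RID 512 in every AD domain.
group_sid() {  # group_sid <domain-sid> <rid>
    printf '%s-%s\n' "$1" "$2"
}

# Classify one idmap.ldb record read from stdin (ldbsearch output).
# Prints "<type> <xidNumber>", e.g. "ID_TYPE_BOTH 3000004", or "unmapped"
# when no record with a type attribute was returned.
idmap_record_type() {
    awk '/^type: /      { t = $2 }
         /^xidNumber: / { x = $2 }
         END { if (t == "") print "unmapped"; else print t, x }'
}

# Live lookup of a SID in idmap.ldb (needs ldb-tools on the DC).
idmap_lookup() {  # idmap_lookup <sid>
    ldbsearch -H "$IDMAP_DB" "(objectSid=$1)" type xidNumber | idmap_record_type
}

# What winbind currently resolves for the SID. With ID_TYPE_BOTH both
# --sid-to-uid and --sid-to-gid should succeed; a plain group maps only
# to a gid and cannot own files on the Unix side.
winbind_check() {  # winbind_check <sid>
    printf 'gid: '; wbinfo --sid-to-gid "$1" || echo '(none)'
    printf 'uid: '; wbinfo --sid-to-uid "$1" || echo '(none)'
}

# LDIF that deletes the given attributes from an object. Pass only
# attributes that are actually present; deleting a missing attribute
# makes ldbmodify fail. Apply with:  ldbmodify -H "$SAM_DB" < file.ldif
# Afterwards run 'net cache flush' on the Unix domain members.
unix_id_removal_ldif() {  # unix_id_removal_ldif <dn> <attr>...
    dn="$1"; shift
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    first=1
    for attr in "$@"; do
        [ "$first" -eq 1 ] || printf -- '-\n'
        printf 'delete: %s\n' "$attr"
        first=0
    done
}

# Constructed sample of a Domain Admins idmap.ldb record, for offline use.
SAMPLE_IDMAP_RECORD='dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000004'

classify_sample() {
    printf '%s\n' "$SAMPLE_IDMAP_RECORD" | idmap_record_type
}

# Usage on a DC:
#   sh idcheck.sh <domain-sid> "CN=Domain Admins,CN=Users,DC=ad-test,DC=vx"
if [ "$#" -eq 2 ] && command -v ldbsearch >/dev/null 2>&1; then
    sid=$(group_sid "$1" 512)
    echo "idmap.ldb: $(idmap_lookup "$sid")"
    winbind_check "$sid"
    echo "LDIF to undo a manual gidNumber (apply with ldbmodify -H $SAM_DB):"
    unix_id_removal_ldif "$2" gidNumber
else
    echo "offline sample record classifies as: $(classify_sample)"
fi
```

When run on the DC with the domain SID and the group's DN, the first line tells you whether the group is still ID_TYPE_BOTH; if the uid side of the winbind check fails while the gid side succeeds, the group has lost the user half of its mapping and files it should own in sysvol will show a bare numeric owner, as in the ls output earlier in this message.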


