[Samba] Automatically assigning uidNumber / gidNumber attributes

Rowland Penny rpenny at samba.org
Fri Jun 14 08:14:05 UTC 2019


On 14/06/2019 06:14, Jonathon Reinhart wrote:
>> Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a group and a user.
> I looked on a brand new test DC (with nss-winbind), and it looks like
> it doesn't work right with winbind:
>
> root@dc1# ls -l /var/lib/samba/sysvol/ad-test.vx/Policies/
> total 16
> drwxrwx---+ 4 3000004 ADTEST\domain admins 4096 Jun 13 21:41 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 3000004 ADTEST\domain admins 4096 Jun 13 21:41 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>
> root@dc1# wbinfo --gid-info 3000004
> ADTEST\domain admins:x:3000004:
> root@dc1# wbinfo --uid-info 3000004
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 3000004
>
>
> root@dc1# smbcacls -k //dc1/sysvol ad-test.vx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> REVISION:1
> CONTROL:SR|PD|DP
> OWNER:ADTEST\Domain Admins
> GROUP:ADTEST\Domain Admins
> ACL:ADTEST\Domain Admins:ALLOWED/OI|CI/FULL
> ACL:ADTEST\Enterprise Admins:ALLOWED/OI|CI/FULL
> ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
> ACL:ADTEST\Domain Admins:ALLOWED/OI|CI/FULL
> ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
> ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
> ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
>
Try adding another GPO. This is when Domain Admins starts owning things
in Sysvol, and you will not see 'Domain Admins'; you will see its xidNumber.

Rowland
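
The check discussed in this thread, as an added example that is not part of the original messages: a script that lists Sysvol entries whose numeric owner does not resolve as a user, and says whether the same ID resolves as a group (the `3000004` case in the quoted output). The function names and the `UID_LOOKUP`/`GID_LOOKUP` variables are hypothetical; it assumes GNU `find` and the `wbinfo` calls shown above.

```shell
#!/bin/sh
# Added example, not code from the thread. The lookups default to the wbinfo
# commands quoted in the post; they are variables (an assumption of this
# example) so the logic can be exercised without a running winbindd.
UID_LOOKUP=${UID_LOOKUP:-"wbinfo --uid-info"}
GID_LOOKUP=${GID_LOOKUP:-"wbinfo --gid-info"}

# classify_xid ID  ->  both:NAME | group-only:NAME | user-only:NAME | unmapped
classify_xid() (
    id=$1
    # Trust output only when the lookup exits 0.
    as_user=$($UID_LOOKUP "$id" 2>/dev/null) || as_user=""
    as_group=$($GID_LOOKUP "$id" 2>/dev/null) || as_group=""
    as_user=${as_user%%:*}      # first field of NAME:...:ID:...
    as_group=${as_group%%:*}    # first field of NAME:x:ID:
    if [ -n "$as_user" ] && [ -n "$as_group" ]; then
        printf 'both:%s\n' "$as_user"
    elif [ -n "$as_group" ]; then
        printf 'group-only:%s\n' "$as_group"
    elif [ -n "$as_user" ]; then
        printf 'user-only:%s\n' "$as_user"
    else
        printf 'unmapped\n'
    fi
)

# report_unresolved_owners DIR
# Prints "ID<TAB>CLASS<TAB>PATH" for every entry whose owner ID has no user
# name, i.e. the entries that ls -l shows with a bare number as owner.
report_unresolved_owners() (
    root=$1
    # Classify each distinct owner ID once, then list what it owns.
    find "$root" -printf '%U\n' | sort -un | while read -r id; do
        class=$(classify_xid "$id")
        case $class in
            both:*|user-only:*) continue ;;
        esac
        find "$root" -uid "$id" | while IFS= read -r path; do
            printf '%s\t%s\t%s\n' "$id" "$class" "$path"
        done
    done
)

# Example invocation on a DC: sh this-script /var/lib/samba/sysvol
if [ "$#" -gt 0 ]; then
    report_unresolved_owners "$1"
fi
```
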