[Samba] Winbind problems

Rowland penny rpenny at samba.org
Tue Feb 11 16:36:48 UTC 2020


On 11/02/2020 15:19, Marcio Demetrio Bacci wrote:
> Hi Rowland
>
> My two DCs are Samba 4 on Debian. I don't have a Windows DC.
>
> > Hi Marcio, the ACLs should be copied, so I think it is likely to be
> > a permissions problem, does the user who is running robocopy have
> > the SeDiskOperatorPrivilege on the computer you are copying to?
>
> I'm running robocopy as my domain admin user (marcio), who is in
> the Domain Admins group with all privileges:
>
> root@filserver:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "EMPRESA\administrator"
> Enter EMPRESA\administrator's password:
> SeDiskOperatorPrivilege:
>   EMPRESA\Domain Admins
>   BUILTIN\Administrators
>
> root@filserver:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "EMPRESA\marcio"
> Enter EMPRESA\marcio's password:
> SeDiskOperatorPrivilege:
>   EMPRESA\Domain Admins
>   BUILTIN\Administrators
>
> root@filserver:~# getent passwd marcio
> marcio:*:10007:10006:Marcio:/home/marcio:/bin/sh
>
> root@filserver:~# getent passwd administrator
> administrator:*:10010:10006:Rede:/home/Administrator:/bin/sh
>
> root@filserver:~# getent group "Domain Admins"
> domain admins:x:10006:
>
>
> I didn't create a Unix Admin group; I added a gidNumber attribute
> to the Domain Admins group. Is that correct, or do I need to create
> a Unix Admin group?
>
Do you use GPOs?

If you do, then you should be aware that the Domain Admins group owns 
folders in Sysvol.

Windows allows groups to own folders and files; Unix doesn't, only a user
can own folders and files.

If you check in idmap.ldb, you will find that Domain Admins has the type
'ID_TYPE_BOTH', which means that it is both a group and a user.

root@dc4:~# getent passwd Domain\ Admins
SAMDOM\domain admins:*:3000010:3000010::/home/SAMDOM/users/domain admins:/bin/bash
root@dc4:~# getent group Domain\ Admins
SAMDOM\domain admins:x:3000010:

This means that it can own folders and files.

However, if you give Domain Admins a gidNumber, it just becomes a group 
and can no longer own folders and files.

I am not saying this is your problem, but it is something worth trying.

Rowland
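The check Rowland describes, as an added example (this is not code from the thread, from Rowland, or from the Samba project): it reads a group's objectSid and gidNumber from sam.ldb, looks the SID up in idmap.ldb to see whether it is still ID_TYPE_BOTH, and uses getent to confirm whether the name resolves to a passwd entry and so can own files. The parsing functions take ldbsearch/getent output on stdin so they can be exercised with constructed input; the live check_group function assumes it is run as root on a Samba AD DC (not on a member server such as filserver) with ldbsearch and getent installed, and assumes the default Debian database and Sysvol paths set below, which can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Assumed defaults for a
# Debian Samba AD DC; override via the environment if your layout differs.
IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"

# Read one idmap.ldb record (LDIF as printed by ldbsearch) from stdin and
# print its mapping type: both, gid, uid, or none when no type line exists.
idmap_type_from_ldif() {
    awk '
        /^type: ID_TYPE_BOTH$/ { print "both"; found = 1; exit }
        /^type: ID_TYPE_GID$/  { print "gid";  found = 1; exit }
        /^type: ID_TYPE_UID$/  { print "uid";  found = 1; exit }
        END { if (!found) print "none" }
    '
}

# Read an AD group record (LDIF from stdin) and print its gidNumber,
# or "unset" when the attribute is absent.
gidnumber_from_ldif() {
    awk -F': ' '
        /^gidNumber: / { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    '
}

# Read "getent passwd <name>" output from stdin and print yes when the
# name resolves to a passwd entry (so it can own files on Unix), else no.
can_own_files_from_getent() {
    awk -F: 'NF >= 7 { ok = 1 } END { print (ok ? "yes" : "no") }'
}

# Live check of one AD group; must run on a DC, where idmap.ldb lives.
# Usage: ./idmap-check.sh "Domain Admins"
check_group() {
    name="$1"
    sid=$(ldbsearch -H "$SAM_DB" "(sAMAccountName=$name)" objectSid \
          | awk '/^objectSid: / { print $2 }')
    if [ -z "$sid" ]; then
        echo "$name: not found in $SAM_DB" >&2
        return 1
    fi
    gid=$(ldbsearch -H "$SAM_DB" "(sAMAccountName=$name)" gidNumber \
          | gidnumber_from_ldif)
    # idmap.ldb records are keyed by the SID in their cn attribute.
    maptype=$(ldbsearch -H "$IDMAP_DB" "(cn=$sid)" type | idmap_type_from_ldif)
    owner=$(getent passwd "$name" | can_own_files_from_getent)

    echo "$name: sid=$sid gidNumber=$gid idmap=$maptype owns_files=$owner"
    if [ "$gid" != unset ] && [ "$owner" = no ]; then
        echo "  gidNumber is set and the name has no passwd entry, so it"
        echo "  cannot own files. Sysvol objects whose owner no longer"
        echo "  resolves to a user (first five):"
        find "$SYSVOL" -xdev -nouser -print 2>/dev/null | head -n 5
    fi
}

# Run the live check only when a group name is given on the command line.
if [ "$#" -gt 0 ]; then
    check_group "$1"
fi
```

Note that Marcio's getent and net rpc output came from filserver, a domain member; idmap.ldb exists only on the DCs, so this script has to be run there, as Rowland's own getent output from dc4 was. A group that prints idmap=both together with owns_files=yes is in the state Rowland describes as required for owning Sysvol folders.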
