[Samba] include in smb.conf

Marcio Demetrio Bacci marciobacci at gmail.com
Sun Jun 14 00:03:41 UTC 2020


Hi Rowland

>Members of usuariosdominio (Domain Users ?) have read and enter/execute
Yes, "usuariosdodominio" are "Domain Users". It is in Portuguese (Usuários
do Dominio).

Seeing this link: https://wiki.samba.org/index.php/Sysvolreset

"You should also never give Domain Admins a gidNumber attribute, this turns
the windows group into a Unix group. (You are now probably thinking
'what?', a group is just a group, right ? Well, no, a Windows group can do
something that no Unix group can, it can own files and directories and
guess what needs to own files and directories in sysvol ??)"

I assigned the "Domain Admins" group a gidNumber attribute, but afterwards I
removed it.

Is gidNumber only for the "Domain Users" group and custom groups that I create?

Another question, "If you have added any custom GPOs, never ever use
sysvolcheck or sysvolreset". What would a custom GPO be? A GPO that uses
custom scripts or Firefox templates (external tools), for example?

I understand that I have problems with my sysvol. Is that correct?

Seeing the suggested script (
https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh)

I had some doubts:

Checking my SID with the wbinfo command, I noticed that the SID of the
Administrator user on my DC is different from the one presented in the script:

wbinfo --name-to-sid Administrator
S-1-5-21-1712526294-259020848-313593124-500 SID_USER (1)

the script:
DC_ADMINISTRATORS="S-1-5-32-544"

Will the SIDs of Administrator, SYSTEM, SERVER_OPERATOR and
AUTHENTICATE_USERS users be changed by default (# Some Defaults which
should never change.)?

The script resets sysvol rights based on Win2008R2, but my DC was migrated
from Windows Server 2008 (it wasn't R2). Is this script appropriate?

If so, can I run the script without modifications?

Regards,

Márcio Bacci

On Sat, 13 Jun 2020 at 15:42, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 13/06/2020 14:59, Marcio Demetrio Bacci wrote:
> > getfacl /STORAGE/Usuarios/
>
> That 'getfacl' shows that:
>
> root has full permissions
> Members of unix_admins have full permissions
> Members of usuariosdominio (Domain Users ?) have read and enter/execute
> permissions
> others have no permissions
>
> So the only users that can write to '/STORAGE/Usuarios' are root and
> members of the usuariosdominio group
>
> You could try one of Louis's scripts:
>
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh
>
> Rowland