[Samba] More on sysvol maintenance

Rowland Penny rpenny at samba.org
Wed May 24 21:14:21 UTC 2023



On 24/05/2023 16:48, Luis Peromarta wrote:
> I never got this right… :(
> 
> Which option is safer ? This is a production environment. All users and 
> groups have bid / guid numbers.
> 
> Will removing guid from domain admins break anything else ? 

I take it that by guid, you actually mean gidNumber, a guid is something 
else entirely.


> I use my own 
> username mad\Luis (domain admin) to do stuff on the domain and member 
> servers. Most shares have full permission for domain admins. Will this 
> break anything?
> 
> I also never got to properly work the user.map as in
> 
> username map = /usr/local/samba/etc/user.map
> 
> With content
> 
> !root = SAMDOM\Administrator

That should work on a Unix domain member, unless you have given 
Administrator a uidNumber attribute.

> 
> Is this needed for DCs also ?

No, something similar is done in idmap.ldb.

Let's see if I can explain it a bit better :-)

Users and groups in AD are unknown to Unix, which is where Samba comes 
in. Samba allows you to map AD users and groups to Unix users and 
groups. You can do this globally by using the 'ad' backend on Unix 
domain members, which requires adding uidNumber and gidNumber attributes 
to AD. Or you can use the rid or autorid idmap backends, which don't 
require adding anything to AD.

The problem with using the 'ad' backend is that there is another backend 
that is used on a DC: idmap.ldb. If you do add uidNumber and gidNumber 
attributes to AD, then these will override the xidNumber attributes in 
idmap.ldb and for most things, this will not be a problem, except for 
the groups in idmap.ldb that are also ID_TYPE_BOTH. Being ID_TYPE_BOTH 
means that a group is also a user (as far as Unix is concerned) and can 
own files and directories, one of these groups is Domain Admins.

If Domain Admins isn't both a group and a user, it cannot own anything 
in sysvol and the group needs to.

As I said, there are two ways around this: do not set 'idmap_ldb:use 
rfc2307 = yes' in the DC's smb.conf and the gidNumber attributes will be 
ignored. Or do not give Domain Admins a gidNumber and create another 
group to use on Unix instead of Domain Admins.

Rowland
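An added example (not part of the thread, and not Samba's own code) that turns Rowland's explanation into a check an administrator can run before changing anything. It reads smb.conf for 'idmap_ldb:use rfc2307', ldbsearch-style output of idmap.ldb for entries of type ID_TYPE_BOTH, and ldbsearch-style output of the AD database for gidNumber/uidNumber, then reports the two situations described above: an ID_TYPE_BOTH group (such as Domain Admins) whose AD gidNumber would override its idmap.ldb xidNumber while rfc2307 is honoured, and an Administrator account carrying a uidNumber that would stop '!root = SAMDOM\Administrator' in the username map from applying on a Unix domain member. All three inputs are constructed samples with made-up SIDs and ID numbers; on a real DC you would feed it the actual smb.conf and ldbsearch output instead.

```python
"""Detect the sysvol ownership pitfall from the thread: Domain Admins given a
gidNumber in AD while the DC honours RFC2307 attributes, so the ID_TYPE_BOTH
mapping in idmap.ldb is overridden and the group can no longer own files.

All inputs are constructed samples shaped like smb.conf and ldbsearch LDIF
output; nothing is read from a live system."""
import re

# Constructed smb.conf fragment for a DC with the risky setting enabled.
SMB_CONF = """\
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
"""

# Constructed idmap.ldb entries (made-up domain SID S-1-5-21-1111-2222-3333).
# RID 512 is Domain Admins (ID_TYPE_BOTH), RID 513 is Domain Users (ID_TYPE_GID).
IDMAP_LDB = """\
dn: CN=S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-513
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_GID
xidNumber: 3000001
"""

# Constructed AD objects: both groups got a gidNumber, Administrator got a uidNumber.
AD_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111-2222-3333-512
gidNumber: 10512

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10513

dn: CN=Administrator,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Administrator
objectSid: S-1-5-21-1111-2222-3333-500
uidNumber: 10500
"""


def parse_ldif(text):
    """Split LDIF-style output into a list of {attribute: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if ":" not in line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def rfc2307_enabled(smb_conf):
    """True when the DC's smb.conf makes uidNumber/gidNumber from AD override idmap.ldb."""
    m = re.search(r"^\s*idmap_ldb:use rfc2307\s*=\s*(\S+)", smb_conf, re.M | re.I)
    return bool(m) and m.group(1).lower() in ("yes", "true", "1")


def find_conflicts(smb_conf, idmap_ldif, ad_ldif):
    """Names of ID_TYPE_BOTH groups whose AD gidNumber would override their idmap.ldb mapping.

    Groups that are only ID_TYPE_GID (e.g. Domain Users) are not reported: a
    gidNumber on them does no harm to sysvol ownership."""
    if not rfc2307_enabled(smb_conf):
        return []
    both = {e["objectSid"][0] for e in parse_ldif(idmap_ldif)
            if e.get("type", [""])[0] == "ID_TYPE_BOTH"}
    return [e["sAMAccountName"][0] for e in parse_ldif(ad_ldif)
            if e.get("objectSid", [""])[0] in both and "gidNumber" in e]


def usermap_blockers(ad_ldif, account="Administrator"):
    """Accounts that carry a uidNumber, so a '!root = SAMDOM\\<account>' username
    map line on a Unix domain member would not take effect for them."""
    return [e["sAMAccountName"][0] for e in parse_ldif(ad_ldif)
            if e.get("sAMAccountName", [""])[0] == account and "uidNumber" in e]


if __name__ == "__main__":
    for name in find_conflicts(SMB_CONF, IDMAP_LDB, AD_LDIF):
        print(f"WARNING: {name} is ID_TYPE_BOTH in idmap.ldb but has a gidNumber in AD "
              "while 'idmap_ldb:use rfc2307 = yes' is set; it cannot own sysvol files")
    for name in usermap_blockers(AD_LDIF):
        print(f"NOTE: {name} has a uidNumber, so '!root = SAMDOM\\{name}' will not apply")
```

With the sample data the check flags only Domain Admins: Domain Users also has a gidNumber but is ID_TYPE_GID in idmap.ldb, which is exactly the distinction Rowland draws. Either of the two remedies he gives (dropping the rfc2307 setting, or removing the gidNumber from Domain Admins and using a separate Unix group) makes the warning disappear.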