[Samba] More on sysvol maintenance

Luis Peromarta lperoma at icloud.com
Thu May 25 19:21:21 UTC 2023


Okay, here we go again. This is what I’ve done.

1.- Created Unix Admins group
2.- Removed gidNumber from Domain Admins group (10007)
3.- Added gidNumber 10007 to Unix Admins
4.- Added Unix Admins to Domain Admins group
5.- Added me, MAD\Luis, to Unix Admins. I am also in the Domain Admins group.

I understand that on the Unix side of the member server, wherever I previously read Domain Admins I will now read Unix Admins; no other damage done.

On DC2, I was now able to run sysvolreset; all GPOs are now as follows (no errors after sysvolreset and no output from sysvolcheck):

8.0K drwxrwx---+  4 root              BUILTIN\administrators 4.0K Nov  7  2022 ..
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Apr 15 22:34 {0491EEAA-BF8A-43BE-98CA-72128C7EC0EA}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {06D5E045-DF21-45AA-962A-41CB3F665FCC}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {0723DCE9-C915-492A-9423-104BE034BCEF}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {0769489D-FC31-4244-AB87-4EE2C4E20CCC}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {0A529EA3-06B6-4FE1-BC51-AB793E6A4523}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {1111C19B-0CB9-4BA9-BFF1-3648F3862F93}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {31B2F340-016D-11D2-945F-00C04FB984F9}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {3548966F-440A-43D9-B05E-E681AD3B58F9}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {3B09CD87-EF3C-4959-A8E8-C82B95FB5148}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {69F60D78-F2EF-41F5-863A-4B7698D939BA}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {6AC1786C-016F-11D2-945F-00C04FB984F9}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {78ADF699-01E8-4F99-84B4-7EB4430E7105}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {790FBA77-CE1A-4B93-B66B-2A97880DE31D}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {90D103E0-3AA7-4A18-8E51-501F73658A1C}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  7  2022 {B0AC4C94-9949-4FC2-8F54-CAADFDAD95D4}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {B2250B1E-DDCC-4267-9816-D115CCF24735}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {B7D7E89E-002B-4FCB-80F8-534C2976483C}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Apr 15 22:10 {BE3B49C3-C557-4B1B-8B12-A1023D12D9D7}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {CA510ED6-934C-47FC-B81D-6942A39D3DE6}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {D2B5681B-E6B8-4B00-AF76-D81477BD19A6}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {E285AB09-81A3-4AC8-9195-434B56F22D60}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov 28 11:20 {EB06228D-84E1-456F-8F88-06A36EA3EB4D}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Feb  1 17:13 {EC8AFE87-C57A-4AE7-A9FC-8A82CB8745DA}

Just as it should probably be.

Sysvol permissions:

./sysvol:
total 20K
8.0K drwxrwx---+  3 root BUILTIN\administrators 4.0K May 25 21:05 .
4.0K drwxr-xr-x  10 root root                   4.0K May 25 20:40 ..
8.0K drwxrwx---+  4 root BUILTIN\administrators 4.0K Nov  7  2022 mad.mater.int

./sysvol/mad.mater.int:
total 32K
8.0K drwxrwx---+  4 root BUILTIN\administrators 4.0K Nov  7  2022 .
8.0K drwxrwx---+  3 root BUILTIN\administrators 4.0K May 25 21:05 ..
8.0K drwxrwx---+ 27 root BUILTIN\administrators 4.0K May 25 20:56 Policies
8.0K drwxrwx---+  2 root BUILTIN\administrators 4.0K Nov  4  2022 scripts

Are these right?

I still cannot change share permissions on the sysvol from Windows via computer manager; I get a permission denied.

All the best,
On 24 May 2023 at 23:15 +0200, Rowland Penny via samba <samba at lists.samba.org>, wrote:
>
>
> On 24/05/2023 16:48, Luis Peromarta wrote:
> > I never got this right… :(
> >
> > Which option is safer? This is a production environment. All users and
> > groups have bid / guid numbers.
> >
> > Will removing guid from domain admins break anything else ?
>
> I take it that by guid, you actually mean gidNumber, a guid is something
> else entirely.
>
>
> > I use my own
> > username mad\Luis (domain admin) to do stuff on the domain and member
> > servers. Most shares have full permission for domain admins. Will this
> > break anything?
> >
> > I also never got to properly work the user.map as in
> >
> > username map = /usr/local/samba/etc/user.map
> >
> > With content
> >
> > !root = SAMDOM\Administrator
>
> That should work on a Unix domain member, unless you have given
> Administrator a uidNumber attribute.
>
> >
> > Is this needed for DCs also ?
>
> No, something similar is done in idmap.ldb
>
> Let's see if I can explain it a bit better :-)
>
> Users and groups in AD are unknown to Unix, which is where Samba comes
> in. Samba allows you to map AD users and groups to Unix users and
> groups. You can do this globally by using the 'ad' backend on Unix
> domain members, which requires adding uidNumber and gidNumber attributes
> to AD. Or you can use the rid or autorid idmap backends, which don't
> require adding anything to AD.
>
> The problem with using the 'ad' backend is that there is another backend
> that is used on a DC: idmap.ldb. If you do add uidNumber and gidNumber
> attributes to AD, then these will override the xidNumber attributes in
> idmap.ldb and for most things, this will not be a problem, except for
> the groups in idmap.ldb that are also ID_TYPE_BOTH. Being ID_TYPE_BOTH
> means that a group is also a user (as far as Unix is concerned) and can
> own files and directories, one of these groups is Domain Admins.
>
> If Domain Admins isn't both a group and a user, it cannot own anything
> in sysvol and the group needs to.
>
> As I said, two ways around this, do not set 'idmap_ldb:use rfc2307 =
> yes' in the DC's smb.conf and the gidNumber attributes will be ignored.
> Or do not give Domain Admins a gidNumber and create another group to use
> on Unix instead of Domain Admins.
>
>

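The ownership pattern the thread expects after sysvolreset (the sysvol tree owned by root with group BUILTIN\administrators, every GPO directory owned by DOMAIN\domain admins as both user and group, all with a POSIX ACL) can be checked mechanically against an `ls -las` listing. The script below is an added example written for this thread, not code from the thread or from Samba: it parses listings in the format shown above and reports deviations. The embedded sample reuses lines from the post and adds two constructed bad entries (a GPO owned by a user, and one without an ACL); the `./sysvol/mad.mater.int/Policies:` header and the `total` lines in the sample are assumptions.

```python
"""Audit a sysvol 'ls -las' listing for the ownership layout expected after
'samba-tool ntacl sysvolreset' (example added to this thread; not Samba code).

Expected layout, as described in the thread:
  * sysvol itself, the <domain> directory, Policies and scripts are owned by
    root with group BUILTIN\\administrators and carry a POSIX ACL ('+');
  * each GPO directory {GUID} is owned by DOMAIN\\domain admins, as user and
    as group, which only works when Domain Admins is ID_TYPE_BOTH in
    idmap.ldb (no overriding gidNumber in AD).
"""
import re

# One 'ls -las' entry: block count, mode (optional ACL '+'), link count,
# owner, group, size, three date fields, name. Owner and group may be
# 'DOMAIN\name with spaces', so each is an optional DOMAIN\ prefix followed
# by backslash-free words; the lazy quantifier keeps them apart.
_NAME = r"(?:[^\s\\]+\\)?[^\s\\]+(?: [^\s\\]+)*?"
_ENTRY = re.compile(
    r"^\s*\S+\s+(?P<mode>[d\-][rwxsStT\-]{9}[+.]?)\s+\d+\s+"
    rf"(?P<owner>{_NAME})\s+(?P<group>{_NAME})\s+\S+\s+"
    r"[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4})\s+(?P<name>.+)$"
)
_GPO = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_listing(text):
    """Yield (directory, mode, owner, group, name) for every entry. The
    directory comes from the './path:' header lines that ls prints."""
    current = ""
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("total "):
            continue
        if line.endswith(":") and not line.startswith(" "):
            current = line[:-1]
            continue
        m = _ENTRY.match(line)
        if m:
            yield current, m["mode"], m["owner"], m["group"], m["name"]


def audit_sysvol(text, domain):
    """Return a list of findings; an empty list means the listing matches the
    expected sysvolreset layout for the given NetBIOS domain name."""
    admins = f"{domain}\\domain admins"
    builtin = "BUILTIN\\administrators"
    findings = []
    for directory, mode, owner, group, name in parse_listing(text):
        if name == "..":
            continue  # parent of the listed directory; may lie outside sysvol
        where = f"{directory}/{name}" if directory else name
        if not mode.endswith("+"):
            findings.append(f"{where}: no POSIX ACL ('+') on mode {mode}")
        if not mode.startswith("drwxrwx---"):
            findings.append(f"{where}: unexpected mode {mode}")
        if _GPO.match(name):
            if owner.lower() != admins.lower() or group.lower() != admins.lower():
                findings.append(f"{where}: owned by {owner}:{group}, expected {admins}:{admins}")
        elif owner != "root" or group.lower() != builtin.lower():
            findings.append(f"{where}: owned by {owner}:{group}, expected root:{builtin}")
    return findings


# Constructed sample: lines taken from the post plus two deliberately bad GPO
# entries (user-owned, and missing the ACL '+'); the Policies header is assumed.
SAMPLE = r"""./sysvol:
total 20K
8.0K drwxrwx---+  3 root BUILTIN\administrators 4.0K May 25 21:05 .
4.0K drwxr-xr-x  10 root root                   4.0K May 25 20:40 ..
8.0K drwxrwx---+  4 root BUILTIN\administrators 4.0K Nov  7  2022 mad.mater.int

./sysvol/mad.mater.int:
total 32K
8.0K drwxrwx---+  4 root BUILTIN\administrators 4.0K Nov  7  2022 .
8.0K drwxrwx---+  3 root BUILTIN\administrators 4.0K May 25 21:05 ..
8.0K drwxrwx---+ 27 root BUILTIN\administrators 4.0K May 25 20:56 Policies
8.0K drwxrwx---+  2 root BUILTIN\administrators 4.0K Nov  4  2022 scripts

./sysvol/mad.mater.int/Policies:
total 24K
8.0K drwxrwx---+ 27 root              BUILTIN\administrators 4.0K May 25 20:56 .
8.0K drwxrwx---+  4 root              BUILTIN\administrators 4.0K Nov  7  2022 ..
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {31B2F340-016D-11D2-945F-00C04FB984F9}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {6AC1786C-016F-11D2-945F-00C04FB984F9}
8.0K drwxrwx---+  4 MAD\luis          MAD\domain users       4.0K Apr 15 22:10 {BE3B49C3-C557-4B1B-8B12-A1023D12D9D7}
8.0K drwxrwx---   4 MAD\domain admins MAD\domain admins      4.0K Feb  1 17:13 {EC8AFE87-C57A-4AE7-A9FC-8A82CB8745DA}
"""

if __name__ == "__main__":
    # Real use: ls -las /usr/local/samba/var/locks/sysvol/<domain>/Policies etc.
    for finding in audit_sysvol(SAMPLE, "MAD") or ["sysvol layout looks as expected"]:
        print(finding)
```

On a real DC, feed the script the combined output of `ls -las` over the sysvol tree and compare its findings with what `samba-tool ntacl sysvolcheck` reports; the script only inspects the Unix owner, group and the presence of an ACL, not the NT ACL contents themselves.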
