I'm using the AD ID mapping, so I manually give all my users and groups their respective uidNumbers and gidNumbers.

I created a group of the type "security" with the scope "global" and added some users to it, then I gave full control permission to said group to certain files on a member server.

However, the members from this group still can only read those files. Which is weird, since if I check the effective permissions from within Windows, it is being confirmed that there should be full control. So, Windows believes that I should have full permission, but it's not true.

So there must be something weird going on on the Linux side, and I'm a bit lost right now.

First of all, I gave this particular group the gidNumber 10004, but when I type "getent group groupname" on the DC, I get some high number such as 3000049. The same happens for "domain admins", while "domain users" shows the correct gidNumber.

I might know the reason for this: I created the former two groups a while ago without giving them an ID - I did so only later, when I noticed that I forgot to give them an ID. Is this problematic? I didn't notice any problems with the domain admins group, though there's only one Admin. But the other group is clearly showing this issue. What can I do to solve this?

Secondly, does it matter that "getent passwd username" will return just the domain users group in the group field, but not the additional group the user is part of?

Should I maybe just delete the group, then recreate it and give it the correct attributes from the start? What kind of impact will this have on the shares where the deleted group had permissions? Will those be automatically deleted too and, if not, is it necessary to first remove all permissions this group has?

Any good advice appreciated.
On 14/12/15 02:15, Viktor Trojanovic wrote:
> I'm using the AD ID mapping, so I manually give all my users and
> groups their respective uidNumbers and gidNumbers.
>
> I created a group of the type "security" with the scope "global" and
> added some users to it, then I gave full control permission to said
> group to certain files on a member server.
>
> However, the members from this group still can only read those files.
> Which is weird, since if I check the effective permissions from within
> Windows, it is being confirmed that there should be full control. So,
> Windows believes that I should have full permission, but it's not true.
>
> So there must be something weird going on on the Linux side, and I'm a
> bit lost right now.
>
> First of all, I gave this particular group the gidNumber 10004, but
> when I type "getent group groupname" on the DC, I get some high number
> such as 3000049. The same happens for "domain admins", while "domain
> users" shows the correct gidNumber.

Is this on a DC?

> I might know the reason for this: I created the former two groups a
> while ago without giving them an ID - I did so only later, when I
> noticed that I forgot to give them an ID. Is this problematic? I
> didn't notice any problems with the domain admins group, though
> there's only one Admin. But the other group is clearly showing this
> issue. What can I do to solve this?

What do you mean by 'I created the former two groups a while ago'? The two groups should already exist in AD.

> Secondly, does it matter that "getent passwd username" will return
> just the domain users group in the group field, but not the additional
> group the user is part of?

No, winbind returns the user's primary group, and this is always Domain Users unless you change it, not that I recommend doing this.

> Should I maybe just delete the group, then recreate it and give it the
> correct attributes from the start? What kind of impact will this have
> on the shares where the deleted group had permissions? Will those be
> automatically deleted too and, if not, is it necessary to first remove
> all permissions this group has?

What group are you suggesting deleting? If Domain Users/Admins, then don't. If it is a group you created (and no, you didn't create Domain Users), then it probably won't help.

Can you post a bit more info: what OS, your smb.conf, etc.

Rowland

> Any good advice appreciated.
On 14.12.2015 10:27, Rowland Penny wrote:
> On 14/12/15 02:15, Viktor Trojanovic wrote:
>> I'm using the AD ID mapping, so I manually give all my users and
>> groups their respective uidNumbers and gidNumbers.
>>
>> I created a group of the type "security" with the scope "global" and
>> added some users to it, then I gave full control permission to said
>> group to certain files on a member server.
>>
>> However, the members from this group still can only read those files.
>> Which is weird, since if I check the effective permissions from within
>> Windows, it is being confirmed that there should be full control. So,
>> Windows believes that I should have full permission, but it's not true.
>>
>> So there must be something weird going on on the Linux side, and I'm a
>> bit lost right now.
>>
>> First of all, I gave this particular group the gidNumber 10004, but
>> when I type "getent group groupname" on the DC, I get some high number
>> such as 3000049. The same happens for "domain admins", while "domain
>> users" shows the correct gidNumber.
>
> Is this on a DC?

Yes. But I get the same result on the file server.

>> I might know the reason for this: I created the former two groups a
>> while ago without giving them an ID - I did so only later, when I
>> noticed that I forgot to give them an ID. Is this problematic? I
>> didn't notice any problems with the domain admins group, though
>> there's only one Admin. But the other group is clearly showing this
>> issue. What can I do to solve this?
>
> What do you mean by 'I created the former two groups a while ago'?
> The two groups should already exist in AD.

I meant the one security group I created manually. With domain admins, I meant that I didn't give it a gidNumber for a long time.

>> Secondly, does it matter that "getent passwd username" will return
>> just the domain users group in the group field, but not the additional
>> group the user is part of?
>
> No, winbind returns the user's primary group, and this is always Domain
> Users unless you change it, not that I recommend doing this.

OK, understood.

>> Should I maybe just delete the group, then recreate it and give it the
>> correct attributes from the start? What kind of impact will this have
>> on the shares where the deleted group had permissions? Will those be
>> automatically deleted too and, if not, is it necessary to first remove
>> all permissions this group has?
>
> What group are you suggesting deleting? If Domain Users/Admins, then
> don't. If it is a group you created (and no, you didn't create Domain
> Users), then it probably won't help.
>
> Can you post a bit more info: what OS, your smb.conf, etc.
>
> Rowland

I solved the problem in the meantime. It seems that the issue wasn't with the group but somehow, and I really wish to understand how, though that's hardly a Samba topic, the computer account seems to have become "rogue". After I reset the computer account from ADUC and rejoined the domain, all worked fine again.

Having said that, I'm still wondering if it can become a problem down the road that getent returns the wrong group number. Specifically, what happens if I, from Windows, give permission to a user or group to a Samba share without having created uidNumber and gidNumber attributes, and then create them after the fact? Can this create inconsistencies?
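The open question at the end of the thread, whether the gid that getent returns still matches the gidNumber stored in AD, can be checked mechanically. The following is an added example, not code from the thread or from the Samba project: it compares constructed `getent group` output with constructed ldbsearch-style output and flags groups whose resolved gid does not come from an AD gidNumber. It assumes that ids at or above 3000000 were allocated by winbind's local idmap range rather than read from AD.

```python
import re

# Assumption: winbind's locally allocated ids start at 3000000 (Samba's default
# range); an id at or above this did not come from an AD gidNumber attribute.
LOCAL_IDMAP_START = 3000000

# Constructed sample of `getent group` output (name:x:gid:members).
GETENT_GROUP = """\
domain users:x:10000:
domain admins:x:3000002:administrator
projectteam:x:3000049:alice,bob
"""

# Constructed sample of ldbsearch-style output for the same groups;
# "Domain Admins" has no gidNumber attribute at all.
LDB_OUTPUT = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=lan
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=lan
sAMAccountName: Domain Admins

dn: CN=projectteam,CN=Users,DC=example,DC=lan
sAMAccountName: projectteam
gidNumber: 10004
"""

def parse_getent_group(text):
    """Map lowercased group name -> gid as winbind/getent resolves it."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            groups[parts[0].lower()] = int(parts[2])
    return groups

def parse_ldb_gids(text):
    """Map lowercased sAMAccountName -> gidNumber, or None when the attribute is absent."""
    result = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        name, gid = None, None
        for line in record.splitlines():
            key, _, value = line.partition(": ")
            if key == "sAMAccountName":
                name = value.strip().lower()
            elif key == "gidNumber":
                gid = int(value)
        if name:
            result[name] = gid
    return result

def find_inconsistencies(getent_text, ldb_text):
    """Return (group, gid from getent, gidNumber in AD, finding) for each mismatch."""
    findings, ad = [], parse_ldb_gids(ldb_text)
    for name, gid in parse_getent_group(getent_text).items():
        ad_gid = ad.get(name)
        if ad_gid is None and gid >= LOCAL_IDMAP_START:
            findings.append((name, gid, None, "no gidNumber in AD; winbind allocated a local id"))
        elif ad_gid is not None and gid != ad_gid:
            findings.append((name, gid, ad_gid, "gidNumber set in AD but getent returns a different id"))
    return findings
```

A group in the second category is exactly the situation described in the thread: the gidNumber was added after winbind had already handed out a local id, so the file server's on-disk ownership and AD disagree until the mapping is brought back in line.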