And don't forget:
https://wiki.samba.org/index.php/Idmap_config_ad
I also noticed an incorrect mapping, which "looks" like a rights issue
like in the thread here. (it is imo not a rights issue..) read on..
NTDOMAIN\enterprise read-only domain controllers:x:3000202:
NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
NTDOMAIN\domain users:x:10000:
NTDOMAIN\domain guests:x:10002:
NTDOMAIN\domain computers:x:10006:
NTDOMAIN\domain controllers:x:3000018:
NTDOMAIN\read-only domain controllers:x:3000203:
Is conflicting with 
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000009:
BUILTIN\guests:x:3000015:
BUILTIN\account operators:x:3000185:
BUILTIN\server operators:x:3000001:
Which results in some incorrect mappings. 
But if you add:  acl_xattr:ignore system acls = yes  to the Sysvol share,
 !!  AND you're using the DCs only as DCs. !!
then this incorrect mapping can be ignored, at least I'm ignoring it,
since everything is tested and works fine.
But I'm thinking of setting a separate range for BUILTIN.
A setup something like:
        idmap_ldb:use rfc2307 = yes
        ## map IDs outside the domain to tdb files.
        ## used for local (Linux only) users
        idmap config * : backend = tdb
        idmap config * : range = 2000-9999
        ## map IDs from the domain; this range and the (*) range may not overlap!
        ## the NTDOMAIN range ID mappings
        idmap config NTDOMAIN : backend = ad
        idmap config NTDOMAIN : schema_mode = rfc2307
        idmap config NTDOMAIN : range = 10000-2999999
        ## map IDs from BUILTIN (LOCAL SYSTEM)
        ##
        idmap config BUILTIN : backend = ad
        idmap config BUILTIN : schema_mode = rfc2307
        idmap config BUILTIN : range = 3000000-3999999
Sometimes, if you see from within Windows security rights like:
NTDOMAIN\administrators
which should be
BUILTIN\administrators
Anyone any suggestion about setting an extra BUILTIN range for the Local
Computer/System?
Greetz, 
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
> Sent: Wednesday 22 June 2016 13:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Rights issue on GPO
> 
> On 06/22/2016 01:44 PM, mj wrote:
> >
> > And then perhaps we also need to set the idmap ranges on the DCs? I
> > thought they were only for the domain member servers...
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
> 
> :-)
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
On 6/22/2016 8:19 AM, L.P.H. van Belle wrote:

Why is it when I do a getfacl I do not see the mapping of BUILTIN like others?

getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

-- 
-James
On 22/06/16 13:44, lingpanda101 at gmail.com wrote:
> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
> others?

What version of Samba is this?

Rowland