Rowland penny
2016-Jul-28 10:27 UTC
[Samba] Why is Samba4 not recommended as a file server?
On 28/07/16 10:32, mathias dufresne wrote:
> Can you explain why it would be an issue giving GID to "Domain Admins"
> group?
>
This is because Domain Admins has to own group policies in sysvol, not as a group but as a user. If you give Domain Admins a gidNumber, it becomes purely a group, so it cannot own the group policies as a user.

Rowland
mathias dufresne
2016-Jul-28 10:53 UTC
[Samba] Why is Samba4 not recommended as a file server?
2016-07-28 12:27 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 28/07/16 10:32, mathias dufresne wrote:
>
>> Can you explain why it would be an issue giving GID to "Domain Admins"
>> group?
>>
> This is because Domain Admins has to own group policies in sysvol, not as
> a group but as a user. If you give Domain Admins a gidNumber, it becomes
> purely a group, so it cannot own the group policies as a user.
>
This need sounds very strange to me... Why would a group need to be considered as a user?

I noticed earlier that groups are considered as users when it comes to sysvol's ACLs. I thought it was because Samba was working with XIDs rather than UIDs and GIDs, and that the use of XIDs is not precise enough to make a difference between users and groups, so to be sure Samba was putting ACLs on both sides (user ACL and group ACL). All that I thought because Samba relies on idmap and in idmap.ldb there is no UID/GID but only XID.

I don't think Windows clients are expecting to find groups in users' ACLs, so I'm really wondering why that would be an issue...
Rowland penny
2016-Jul-28 12:15 UTC
[Samba] Why is Samba4 not recommended as a file server?
On 28/07/16 11:53, mathias dufresne wrote:
>
> 2016-07-28 12:27 GMT+02:00 Rowland penny <rpenny at samba.org
> <mailto:rpenny at samba.org>>:
>
>     On 28/07/16 10:32, mathias dufresne wrote:
>
>         Can you explain why it would be an issue giving GID to "Domain
>         Admins" group?
>
>     This is because Domain Admins has to own group policies in sysvol,
>     not as a group but as a user. If you give Domain Admins a
>     gidNumber, it becomes purely a group, so it cannot own the group
>     policies as a user.
>
> This need sounds very strange to me... Why would a group need to be
> considered as a user?
>
> I noticed earlier that groups are considered as users when it comes to
> sysvol's ACLs. I thought it was because Samba was working with XIDs
> rather than UIDs and GIDs, and that the use of XIDs is not precise enough to
> make a difference between users and groups, so to be sure Samba was
> putting ACLs on both sides (user ACL and group ACL). All that I thought
> because Samba relies on idmap and in idmap.ldb there is no UID/GID but
> only XID.
>
> I don't think Windows clients are expecting to find groups in users'
> ACLs, so I'm really wondering why that would be an issue...
>
Yes, it does sound strange, but, on Windows, groups can and do own directories & files. An xidNumber is just that, a number; it is the context in which that number is used that is important. If you give Domain Admins a gidNumber attribute, then Domain Admins becomes just a group, but if you examine the Domain Admins object in idmap.ldb, you will find that it is of type 'ID_TYPE_BOTH'. This means that, as far as Unix is concerned, Domain Admins is both a user and a group, so it can own dirs & files.

Rowland
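The check an administrator would want for the point made in this thread (Rowland's first reply: do not give Domain Admins a gidNumber; his second reply: in idmap.ldb the group is ID_TYPE_BOTH, so its xidNumber serves as both uid and gid). This is an added example, not code from the thread or from the Samba project. It assumes the default Samba paths for sam.ldb and idmap.ldb, and the LDIF records below are constructed sample output with made-up SID, xidNumber and gidNumber values so that the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify that "Domain Admins" is still
# usable as a file owner on a Samba AD DC, i.e. it has NO gidNumber in AD and
# its idmap.ldb entry is ID_TYPE_BOTH.
#
# On a real DC the two inputs come from (paths are the Samba defaults, assumed):
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#       '(sAMAccountName=Domain Admins)' objectSid gidNumber
#   ldbsearch -H /var/lib/samba/private/idmap.ldb "(cn=$SID)" type xidNumber

# Print the value of the first occurrence of attribute $1 in LDIF on stdin.
ldif_attr() {
    awk -v a="$1" 'index($0, a ": ") == 1 { print substr($0, length(a) + 3); exit }'
}

# check_domain_admins AD_LDIF IDMAP_LDIF
# Returns 0 if the group can own files (no gidNumber, ID_TYPE_BOTH),
#         1 if a gidNumber has turned it into a plain group,
#         2 if the idmap.ldb type is not ID_TYPE_BOTH.
check_domain_admins() {
    gid=$(printf '%s\n' "$1" | ldif_attr gidNumber)
    type=$(printf '%s\n' "$2" | ldif_attr type)
    xid=$(printf '%s\n' "$2" | ldif_attr xidNumber)
    if [ -n "$gid" ]; then
        echo "PROBLEM: Domain Admins has gidNumber $gid; it is now a plain group" \
             "and cannot own the GPO directories in sysvol"
        return 1
    fi
    if [ "$type" != "ID_TYPE_BOTH" ]; then
        echo "PROBLEM: idmap.ldb type is '$type', expected ID_TYPE_BOTH"
        return 2
    fi
    echo "OK: Domain Admins is ID_TYPE_BOTH (xidNumber $xid) and has no gidNumber"
    return 0
}

# Constructed sample records (values are made up, not from any real domain).
SID='S-1-5-21-1111111111-2222222222-3333333333-512'   # Domain Admins has RID 512
SAMPLE_AD_OK="dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectSid: $SID"
SAMPLE_IDMAP_OK="dn: CN=$SID
cn: $SID
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000000"
# The same group after someone added the gidNumber the thread warns against.
SAMPLE_AD_BAD="$SAMPLE_AD_OK
gidNumber: 10512"
# An idmap entry that was created as a pure group, for the second failure mode.
SAMPLE_IDMAP_GROUPONLY="dn: CN=$SID
cn: $SID
objectClass: sidMap
type: ID_TYPE_GID
xidNumber: 3000000"

# Run the healthy case and both failure modes when executed directly.
check_domain_admins "$SAMPLE_AD_OK" "$SAMPLE_IDMAP_OK"
check_domain_admins "$SAMPLE_AD_BAD" "$SAMPLE_IDMAP_OK" || true
check_domain_admins "$SAMPLE_AD_OK" "$SAMPLE_IDMAP_GROUPONLY" || true
```

On a live DC, feed the real ldbsearch output into check_domain_admins instead of the constructed strings. A quick cross-check with winbind is `wbinfo -n "Domain Admins"` to get the SID, then `wbinfo -S <SID>` and `wbinfo -Y <SID>`: with an ID_TYPE_BOTH mapping both should succeed and return the same xidNumber, which is exactly what lets the group own files and directories under sysvol.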