Hello,

I'm trying to set up a share using Windows ACLs. I followed the steps in https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs but I am stuck at "Adding a Share":

# mkdir -p /srv/samba/Demo/
# chown root:"Domain Admins" /srv/samba/Demo/
--> chown: ungültige Gruppe: »root:Domain Admins«   (chown: invalid group: "root:Domain Admins")

# net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator"
SeDiskOperatorPrivilege:
 ROOTRUDI\Domain Admins
 BUILTIN\Administrators

Do I need to enable the UNIX attributes for this group? I can't find any advice.

Best regards
Micha
On Fri, 26 Jan 2018 10:10:24 +0100 Micha Ballmann via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm trying to set up a share using Windows ACLs. I followed the steps in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> but I am stuck at "Adding a Share":
>
> # mkdir -p /srv/samba/Demo/
> # chown root:"Domain Admins" /srv/samba/Demo/
> --> chown: ungültige Gruppe: »root:Domain Admins«   (chown: invalid group)
>
> # net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator"
> SeDiskOperatorPrivilege:
>  ROOTRUDI\Domain Admins
>  BUILTIN\Administrators
>
> Do I need to enable the UNIX attributes for this group? I can't find any
> advice.
>
> Best regards
> Micha

There are two schools of thought here, yes AND no :-)

Yes, Domain Admins needs to be a Unix group.
No, because if Domain Admins is a Unix group, it cannot own GPOs in sysvol, and Domain Admins needs to own GPOs as a user. On a Samba DC, Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a user.

You either need to use the 'rid' backend on Unix domain members and not give Domain Admins a gidNumber attribute, or create another group (I use 'Unix Admins'), give this group a gidNumber attribute, make the new group a member of the Domain Admins group, and use this group instead of Domain Admins.

Rowland
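To make the 'rid' versus gidNumber distinction in Rowland's reply concrete, here is an added example (my own code, not from this thread or from the Samba project) that models how the two idmap backends decide whether a domain group becomes a Unix group. The rid formula is the one idmap_rid(8) documents, ID = RANGE_LOW + (RID - BASE_RID) with base_rid defaulting to 0; the 'ad' backend simply returns the gidNumber attribute or nothing. The domain SID prefix is the one visible in the SDDL quoted later in the thread; the idmap range, the RID 1105 for the extra 'Unix Admins' group and the sample AD attributes are constructed assumptions.

```python
# Added example, not from the thread or from Samba: a model of how the idmap
# 'rid' and 'ad' backends decide whether a domain SID becomes a Unix ID.
# idmap_rid(8) documents the rid formula as ID = RANGE_LOW + (RID - BASE_RID),
# with base_rid defaulting to 0; the 'ad' backend reads uidNumber/gidNumber
# from AD and maps nothing for objects that lack the attribute.
import re

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Well-known RIDs of the default AD groups (fixed by the AD specification).
WELL_KNOWN_GROUP_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    519: "Enterprise Admins",
}

# Constructed sample: the domain SID prefix is the one visible in the SDDL later
# in this thread; the idmap range is an assumption and mirrors a typical
# member-server configuration:
#   idmap config SAMDOM : backend = rid
#   idmap config SAMDOM : range = 10000-999999
SAMPLE_DOMAIN_SID = "S-1-5-21-2695348288-4157658249-429813502"
SAMPLE_RANGE = (10000, 999999)

# Constructed sample of what the 'ad' backend would read from AD: only the extra
# group Rowland describes has a gidNumber; Domain Admins deliberately has none.
# RID 1105 for 'Unix Admins' is an assumption.
SAMPLE_AD_ATTRS = {
    SAMPLE_DOMAIN_SID + "-512": {"cn": "Domain Admins"},
    SAMPLE_DOMAIN_SID + "-1105": {"cn": "Unix Admins", "gidNumber": 10001},
}


def split_sid(sid):
    """Return (domain SID, RID), or raise if this is not an S-1-5-21 domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an S-1-5-21 domain SID: {sid}")
    return m.group(1), int(m.group(2))


def rid_backend_id(sid, domain_sid=SAMPLE_DOMAIN_SID, id_range=SAMPLE_RANGE, base_rid=0):
    """Unix ID the 'rid' backend would allocate, or None if the SID is unmappable.

    The mapping is purely arithmetic: every SID of the configured domain gets an
    ID, so Domain Admins (RID 512) is a Unix group whether or not it carries a
    gidNumber attribute in AD."""
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None                  # rid only maps SIDs of the configured domain
    low, high = id_range
    unix_id = low + (rid - base_rid)
    if rid < base_rid or unix_id > high:
        return None                  # outside 'idmap config SAMDOM : range'
    return unix_id


def ad_backend_gid(sid, attrs=SAMPLE_AD_ATTRS):
    """gid the 'ad' backend would return: the gidNumber attribute, or None if absent."""
    obj = attrs.get(sid)
    if obj is None:
        return None
    return obj.get("gidNumber")


def explain(sid):
    """Summarise both backends' answers for one SID as a dict."""
    _dom, rid = split_sid(sid)
    return {
        "name": WELL_KNOWN_GROUP_RIDS.get(rid, f"RID {rid}"),
        "rid_backend": rid_backend_id(sid),
        "ad_backend": ad_backend_gid(sid),
    }


if __name__ == "__main__":
    for rid in (512, 1105):
        print(explain(f"{SAMPLE_DOMAIN_SID}-{rid}"))
```

Under the 'rid' backend Domain Admins resolves to gid 10512 on the member server with no AD change at all, which is why Rowland pairs that backend with "do not give Domain Admins a gidNumber"; under the 'ad' backend the same group resolves to nothing until an attribute is set, which is the chown error in the original post.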
I don't agree..

> Yes, Domain Admins needs to be a Unix group.

I agree on this one.

> No, because if Domain Admins is a Unix group, it cannot own GPOs in
> sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
> Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a user.

Not totally.. Imo.

Just set 'ignore system acls' on sysvol and you don't have any trouble with setting a gid on "domain admins" or domain guests, domain users, domain computers. This is why I have sysvol, users, profiles and deploy shares all set with 'ignore system acls'. All just due to the better matching for Windows, and think mostly of GPOs, deployments, things like that. It solves the problem of ID_TYPE_BOTH, which also solves it for "system". But that's just my opinion; I suggest you try it. Is this a good "work around" for now? I think so. When ID_TYPE_BOTH matches better by default, then we could remove the ignore setting, but for now I do advise using it in some places, depending on the need.

Only one BEWARE !!
If you change to 'ignore system acls', you MUST RE-APPLY ALL SHARE AND SECURITY SETTINGS AGAIN! And for sysvol, set it and forget it, don't run samba-tool sysvolreset !

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Friday, 26 January 2018 10:35
> To: samba at lists.samba.org
> CC: Micha Ballmann
> Subject: Re: [Samba] Adding Share Windows ACL
>
> On Fri, 26 Jan 2018 10:10:24 +0100
> Micha Ballmann via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I'm trying to set up a share using Windows ACLs. I followed the steps in
> > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> > but I am stuck at "Adding a Share":
> >
> > # mkdir -p /srv/samba/Demo/
> > # chown root:"Domain Admins" /srv/samba/Demo/
> > --> chown: ungültige Gruppe: »root:Domain Admins«   (chown: invalid group)
> >
> > # net rpc rights list privileges SeDiskOperatorPrivilege -U "SAMDOM\administrator"
> > SeDiskOperatorPrivilege:
> >  ROOTRUDI\Domain Admins
> >  BUILTIN\Administrators
> >
> > Do I need to enable the UNIX attributes for this group? I can't find any
> > advice.
> >
> > Best regards
> > Micha
>
> There are two schools of thought here, yes AND no :-)
>
> Yes, Domain Admins needs to be a Unix group.
> No, because if Domain Admins is a Unix group, it cannot own GPOs in
> sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
> Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a user.
>
> You either need to use the 'rid' backend on Unix domain members and do
> not give Domain Admins a gidNumber attribute, or create another group
> (I use 'Unix Admins'), give this group a gidNumber attribute and make
> the new group a member of the Domain Admins group, use this group
> instead of Domain Admins.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Fri, 26 Jan 2018 10:50:48 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> I don't agree..
>
> > Yes, Domain Admins needs to be a Unix group.
>
> I agree on this one.
>
> > No, because if Domain Admins is a Unix group, it cannot own GPOs in
> > sysvol and Domain Admins needs to own GPOs as a user. On a Samba DC,
> > Domain Admins is mapped to 'ID_TYPE_BOTH' and can own GPOs as a
> > user.
>
> Not totally.. Imo.

This is the SDDL of a GPO in sysvol:

O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)

The important part is at the start:

O:DAG:DAD:

O = owner
G = group
DA = Domain Admins

The only way this can occur on a Unix DC is if Domain Admins doesn't have a gidNumber attribute.

> Only one BEWARE !!
> If you change to 'ignore system acls', you MUST RE-APPLY ALL SHARE AND
> SECURITY SETTINGS AGAIN! And for sysvol, set it and forget it, don't
> run samba-tool sysvolreset !

Yes, do not run sysvolreset, but not because of this problem; it is because the underlying 'C' code doesn't set the ACLs correctly, see:

https://bugzilla.samba.org/show_bug.cgi?id=12924

Rowland
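Rowland reads the owner and group straight off the front of the SDDL string. The following added example (my own code, not from this thread or from Samba) parses the whole descriptor he pasted, so the ACE flags and access masks can be checked as well: which trustees hold full control, which entries are inherit-only, and that the owner really is the Domain Admins alias rather than a user SID. The alias tables cover the two-letter SIDs and rights aliases that appear in that string plus a few common ones; the numeric value of 'FA' and friends follows the SDDL specification. The constant GPO_SDDL below is the string from the message above; the raw S-1-5-21-...-519 trustee is left undecoded.

```python
# Added example, not from the thread or from Samba: a small SDDL parser used to
# read the GPO security descriptor quoted above. Alias tables cover what that
# string needs plus a few common aliases; the rights values follow the SDDL spec.
import re

# The descriptor from the message above (owner and group are both 'DA').
GPO_SDDL = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)"
            "(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"
            "(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)")

SID_ALIASES = {
    "DA": "Domain Admins",
    "CO": "Creator Owner",
    "ED": "Enterprise Domain Controllers",
    "AU": "Authenticated Users",
    "SY": "Local System",
    "BA": "Builtin Administrators",
    "WD": "Everyone",
}

RIGHTS_ALIASES = {
    "FA": 0x1F01FF,   # FILE_ALL_ACCESS
    "FR": 0x120089,   # FILE_GENERIC_READ
    "FX": 0x1200A0,   # FILE_GENERIC_EXECUTE
    "FW": 0x120116,   # FILE_GENERIC_WRITE
}

ACE_FLAG_NAMES = {"OI": "object_inherit", "CI": "container_inherit",
                  "IO": "inherit_only", "NP": "no_propagate", "ID": "inherited"}

HEADER_RE = re.compile(
    r"^O:(?P<owner>[A-Z]{2}|S-[\d-]+)"
    r"G:(?P<group>[A-Z]{2}|S-[\d-]+)"
    r"D:(?P<dflags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$"
)
ACE_RE = re.compile(r"\(([^)]*)\)")


def _pairs(s):
    """Split a run of two-letter SDDL tokens such as 'OICIIO' into ['OI','CI','IO']."""
    if len(s) % 2:
        raise ValueError(f"odd-length token run: {s}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def _rights(s):
    """Access mask: either a hex literal (0x1200a9) or OR-ed two-letter aliases."""
    if s.startswith("0x"):
        return int(s, 16)
    mask = 0
    for tok in _pairs(s):
        mask |= RIGHTS_ALIASES[tok]
    return mask


def _trustee(s):
    return SID_ALIASES.get(s, s)      # raw SIDs are returned unchanged


def parse_sddl(sddl):
    """Parse 'O:..G:..D:..(ACE)(ACE)...' into a dict; raises on anything else."""
    m = HEADER_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    # DACL control flags: P = protected, AR = auto-inherit requested, AI = auto-inherited.
    dflags, flags = m.group("dflags"), []
    while dflags:
        tok = "P" if dflags.startswith("P") else dflags[:2]
        flags.append(tok)
        dflags = dflags[len(tok):]
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        atype, aflags, rights, _obj_guid, _inherit_guid, trustee = body.split(";")
        aces.append({
            "type": {"A": "allow", "D": "deny"}.get(atype, atype),
            "flags": [ACE_FLAG_NAMES.get(f, f) for f in _pairs(aflags)],
            "rights": _rights(rights),
            "trustee": _trustee(trustee),
        })
    return {"owner": _trustee(m.group("owner")), "group": _trustee(m.group("group")),
            "dacl_flags": flags, "aces": aces}


def full_control_trustees(sddl):
    """Trustees granted FILE_ALL_ACCESS by an allow ACE, in ACL order."""
    return [a["trustee"] for a in parse_sddl(sddl)["aces"]
            if a["type"] == "allow" and a["rights"] & 0x1F01FF == 0x1F01FF]


if __name__ == "__main__":
    parsed = parse_sddl(GPO_SDDL)
    print("owner:", parsed["owner"], "group:", parsed["group"], "flags:", parsed["dacl_flags"])
    print("full control:", full_control_trustees(GPO_SDDL))
```

The parse shows what the thread is arguing about: the owner field is a group alias, which a POSIX filesystem can only represent if that SID also maps to a uid, hence Rowland's ID_TYPE_BOTH point; it also shows that 0x1200a9 on the ED and AU entries is plain read-and-execute, so nothing but SY, DA, Creator Owner and the RID-519 group can change the GPO.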
Yes, you're right and not.. .. Sorry..

> This is the SDDL of a GPO in sysvol:
>
> O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)
>
> The important part is at the start:
>
> O:DAG:DAD:
>
> O = owner
> G = group
> DA = Domain Admins
>
> The only way this can occur on a Unix DC is if Domain Admins doesn't
> have a gidNumber attribute.

Yes yes, I know. About 1 year ago we both looked this all up..
The SDDL is fine, and works better if you set 'ignore system acls'. Because then you can have O:DAG:DAD:, it's only not shown on the system..

This imo is also the interesting part, and still I don't agree,.. Because I do have gids on "domain users/guests/admins" on my AD backend DCs and members. 0 problems here.

getent group "domain users"
domain users:x:10000:....   (here all my users with a uid)

getent group "domain admins"
domain admins:x:10001:admin,administrator

getent group "domain guests"
domain guests:x:10002:guest

domain computers:x:10006:
Yes, here no computer in the group, but the gid was added; this works fine.

Test it Rowland and you will see it works, maybe I found some great loopholes here.. But I really like 'ignore system acls' because it fixes a lot of SID/UID/GID related problems. I also advise using it as little as possible, but imo sysvol, netlogon, profiles, users and a deploy share really benefit from the parameter.

This works really well for me, as of samba 4.4+, now at 4.7.4.

Greetz,

Louis

> > Only one BEWARE !!
> > If you change to 'ignore system acls', you MUST RE-APPLY ALL SHARE AND
> > SECURITY SETTINGS AGAIN! And for sysvol, set it and forget it, don't
> > run samba-tool sysvolreset !
>
> Yes, do not run sysvolreset, but not because of this problem; it is
> because the underlying 'C' code doesn't set the ACLs correctly, see:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12924
>
> Rowland
On Fri, 26 Jan 2018 13:01:55 +0100 Micha Ballmann <ballmann at uni-landau.de> wrote:

> Hello,
>
> I followed your advice. But when I log in to ADUC with the
> Administrator and change to the security tab, there is a message that I
> have no permissions to the share. Therefore I can't set any ACL.
>
> Is it possible or correct to create an additional user, also give
> them some administration rights (and a unix attribute), log in with
> this account to ADUC and set the ACLs?
>
> For example:
>
> On Linux:
>
> # chown "xministrator:Unix Admins" SHAREFOLDER
>
> Log in with xministrator and set the ACL.
>
> Thanks for the help
>
> Micha

Is this on a DC or a Unix domain member?

If it is a Unix domain member, do you have a line similar to this in smb.conf:

username map = /etc/samba/user.map

and does '/etc/samba/user.map' contain something like this:

!root = SAMDOM\Administrator SAMDOM\administrator

Where 'SAMDOM' is replaced by your uppercase WORKGROUP name.

Rowland
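The user.map line Rowland asks about is what lets the domain Administrator act as root on the member server, which is why the security tab refuses to work without it. As an added example (my own code, not from this thread or from Samba), here is a small model of how such a map file is read, so the line can be checked offline before relying on it. The line format (unix name = windows names, a leading '!' to stop after a match, '@group' and '*' on the right-hand side) follows the smb.conf(5) description; comparing the Windows name case-insensitively is my assumption, and the map on the page lists both spellings so it resolves either way. The SAMPLE_USER_MAP text and the second, wildcard map in the usage note are constructed.

```python
# Added example, not from the thread or from Samba: a model of how a
# 'username map' file is read, used to check that the suggested line really
# maps SAMDOM\Administrator onto root. Line format follows smb.conf(5); the
# case-insensitive comparison of the Windows name is an assumption.

# Constructed user.map, matching the line quoted in the reply above.
SAMPLE_USER_MAP = r"""
# Domain Administrator becomes local root so it can take ownership on shares.
!root = SAMDOM\Administrator SAMDOM\administrator
"""


def parse_user_map(text):
    """Return [(unix_name, [windows names], stop_after_match), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if "=" not in line:
            raise ValueError(f"malformed map line: {line!r}")
        left, right = line.split("=", 1)
        left = left.strip()
        stop = left.startswith("!")       # '!' = stop processing after this line matches
        unix_name = left.lstrip("!").strip()
        names = right.split()
        if not unix_name or not names:
            raise ValueError(f"malformed map line: {line!r}")
        rules.append((unix_name, names, stop))
    return rules


def map_username(name, rules, groups_of=lambda user: frozenset()):
    """Apply the rules in order to a DOMAIN\\user name and return the Unix name.

    Without '!' a later rule (typically a '*' catch-all) can remap again; with
    '!' the first hit is final. groups_of() is a hook for '@group' entries and
    returns no groups by default (assumption, there is no real group lookup here)."""
    current = name
    for unix_name, names, stop in rules:
        for entry in names:
            if entry == "*":
                hit = True
            elif entry.startswith("@"):
                hit = entry[1:] in groups_of(current)
            else:
                hit = entry.lower() == current.lower()
            if hit:
                current = unix_name
                if stop:
                    return current
                break
    return current


def resolve(name, map_text=SAMPLE_USER_MAP):
    """Convenience wrapper: parse the map text and map one name through it."""
    return map_username(name, parse_user_map(map_text))


if __name__ == "__main__":
    for who in (r"SAMDOM\Administrator", r"SAMDOM\administrator", r"SAMDOM\micha"):
        print(who, "->", resolve(who))
```

A map such as `!root = SAMDOM\Administrator` followed by `nobody = *` illustrates why the '!' matters: Administrator stops at root, every other account falls through to the catch-all, and without the '!' the catch-all would swallow root as well.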
My file server is a Unix domain member. And yes, I've done all these settings.

First I got this error:

Enter SAMDOM\administrator's password:
Could not connect to server 127.0.0.1
The username or password was not correct.
Connection failed: NT_STATUS_LOGON_FAILURE

But the troubleshooting guide (https://wiki.samba.org/index.php/Samba_Member_Server_Troubleshooting) helped me to fix this problem. But I'm not able to set ACLs with the administrator account.

On 26.01.2018 at 13:14, Rowland Penny via samba wrote:
> Is this on a DC or a Unix domain member?
>
> If it is a Unix domain member, do you have a line similar to this in
> smb.conf:
>
> username map = /etc/samba/user.map
>
> and does '/etc/samba/user.map' contain something like this:
>
> !root = SAMDOM\Administrator SAMDOM\administrator
>
> Where 'SAMDOM' is replaced by your uppercase WORKGROUP name.