Thank you for your answers Rowland. I could go ahead.

On 17.09.19 at 18:52, Rowland penny wrote:
> On 17/09/2019 09:30, Simeon Peter wrote:
>> On 17.09.19 at 17:08, Rowland penny via samba wrote:
>>> Do not give the standard Windows users and groups a uid/gidNumber,
>>> most are never used on Unix, the main exception would be Domain Users.
>> OK, now I did it already. Is it ok to leave it like this?
>
> I would remove any uidNumber & gidNumber attributes from the following
> users (if set):
>
> administrator
> guest
> krbtgt

Administrator has had a uidNumber for a long time and owns some files. Are there disadvantages if I leave his uidNumber?

>
> If you are using Bind9, then you will also have users in this format:
> dns-dcname, if so do the same for these users.
>
> you should also remove gidNumber attributes from these groups:
>
> cert publishers
> ras and ias servers
> allowed rodc password replication group
> denied rodc password replication group
> dnsadmins
> enterprise read-only domain controllers
> domain guests
> domain computers
> domain controllers
> schema admins
> enterprise admins
> group policy creator owners
> read-only domain controllers
> dnsupdateproxy

What about the groups Administrators and Users in the Builtin folder?

>
> This just leaves Domain Admins, if you give this group a gidNumber it
> just becomes a group (yes, I know it is just a group) but Windows has
> this funny thing where groups can own files and Unix doesn't. If
> Domain Admins is a Unix group, it cannot own things in Sysvol and it
> needs to. My way around this is to create a group (I use one called
> 'unix admins'), give this group a gidNumber and make it a member of
> Domain Admins or Administrators, then use this group instead of Domain
> Admins, finally ensure that Domain Admins doesn't have a gidNumber.

If the group Domain Admins doesn't have a gidNumber, does it get an xidNumber instead? And can it then own folders and files?

I noticed that the group Enterprise Admins is also a member of Administrators. So I could use this group for my Administrators and give a gidNumber to it?

>>>
>>> It sounds like your problems are being caused by using the DCs as
>>> fileservers, something that is only really viable if you only have
>>> one DC. If you have multiple DCs, then set up a Unix domain member
>>> and use this as the fileserver.
>> I prefer to have as few servers as possible to set up and maintain.
>> If I can handle it with the User & Group IDs, are there other issues
>> when using a DC as a file server?
> Yes, lots, do not even bother trying this if you have more than one
> DC, only use a DC as a fileserver when you really have no other option.
>>>
>>> You only need to sync idmap.ldb if you are using GPOs.
>>
>> I use GPOs. How often should I sync the idmap.ldb?
> Every time you add a GPO and sync it to any other DCs.

Is it recommended to stop the source/destination DC during the export/import? At the moment I have a cronjob rsyncing the sysvol directory. In that case it would be better to sync it manually in the future.

>>
>>>
>>> If you add uidNumber and gidNumber attributes to AD these should be
>>> used instead of the xidNumber attributes in idmap.ldb.
>> That is what I did and it solved my problem. Do you recommend deleting
>> old entries in the idmap.ldb?
> No, if a user has a uidNumber or a group has a gidNumber, these will
> be used instead of the xidNumbers from idmap.ldb
>
> Rowland
>

Simeon
On 18/09/2019 03:41, Simeon Peter via samba wrote:
> Thank you for your answers Rowland.
>
> I could go ahead.
>
>> I would remove any uidNumber & gidNumber attributes from the
>> following users (if set):
>>
>> administrator
>> guest
>> krbtgt
> Administrator has had a uidNumber for a long time and owns some files. Are
> there disadvantages if I leave his uidNumber?

A very big one, 'Administrator' is now a standard user as far as Unix is concerned and can do no more than any other normal user. Administrator should be mapped to the Unix user root (by default it is on a DC).

>>
>> If you are using Bind9, then you will also have users in this format:
>> dns-dcname, if so do the same for these users.
>>
>> you should also remove gidNumber attributes from these groups:
>>
>> cert publishers
>> ras and ias servers
>> allowed rodc password replication group
>> denied rodc password replication group
>> dnsadmins
>> enterprise read-only domain controllers
>> domain guests
>> domain computers
>> domain controllers
>> schema admins
>> enterprise admins
>> group policy creator owners
>> read-only domain controllers
>> dnsupdateproxy
> What about the groups Administrators and Users in the Builtin folder?

Sorry, missed off 'Administrators', not sure which users you are referring to here.

>>
>> This just leaves Domain Admins, if you give this group a gidNumber it
>> just becomes a group (yes, I know it is just a group) but Windows has
>> this funny thing where groups can own files and Unix doesn't. If
>> Domain Admins is a Unix group, it cannot own things in Sysvol and it
>> needs to. My way around this is to create a group (I use one called
>> 'unix admins'), give this group a gidNumber and make it a member of
>> Domain Admins or Administrators, then use this group instead of
>> Domain Admins, finally ensure that Domain Admins doesn't have a
>> gidNumber.
>
> If the group Domain Admins doesn't have a gidNumber, does it get an xidNumber
> instead? And can it then own folders and files?

Yes and it must be able to own GPO files and folders in sysvol.

>
> I noticed that the group Enterprise Admins is also a member of
> Administrators. So I could use this group for my Administrators and
> give a gidNumber to it?

No, add that to my list of groups that should never be given a gidNumber. It basically boils down to: no groups & users created by a bare Samba provision should be given a uidNumber or gidNumber, except for Domain Users.

>
> Is it recommended to stop the source/destination DC during the export/
> import?
>
> At the moment I have a cronjob rsyncing the sysvol directory. In that
> case it would be better to sync it manually in the future.

see here:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

Rowland
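An added example (not from the thread and not Samba's own tooling) that turns Rowland's rule into a check: it walks an LDIF-style dump and flags any provisioned user or group from his lists that still carries a uidNumber or gidNumber, while leaving Domain Users and a custom group such as 'unix admins' alone. The sample dump, its DNs and its ID numbers are constructed for illustration.

```python
# Added example (not from the thread): flag uidNumber/gidNumber on accounts a bare
# Samba provision creates; only Domain Users should carry one. Bind9 dns-<dc> too.
NO_UID_USERS = {"administrator", "guest", "krbtgt"}
NO_GID_GROUPS = {
    "cert publishers", "ras and ias servers", "dnsadmins", "dnsupdateproxy",
    "allowed rodc password replication group", "domain guests", "domain computers",
    "denied rodc password replication group", "domain controllers", "schema admins",
    "enterprise read-only domain controllers", "enterprise admins", "administrators",
    "group policy creator owners", "read-only domain controllers", "domain admins",
}
# Constructed sample dump; DNs and ID numbers are made up for illustration.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
uidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 10002

dn: CN=dns-dc1,CN=Users,DC=example,DC=com
sAMAccountName: dns-dc1
uidNumber: 10004
"""

def parse_ldif(text):
    """Split a blank-line-separated LDIF dump into {attribute: value} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def audit(text):
    """Return sAMAccountNames that carry a Unix ID the thread says to remove."""
    findings = []
    for e in parse_ldif(text):
        name = e.get("sAMAccountName", "").lower()
        if "uidNumber" in e and (name in NO_UID_USERS or name.startswith("dns-")):
            findings.append(e["sAMAccountName"])
        elif "gidNumber" in e and name in NO_GID_GROUPS:
            findings.append(e["sAMAccountName"])
    return findings
```

Feed it the output of an LDIF export of the Users container (for example from ldbsearch) and remove the flagged attributes; Domain Users and your own 'unix admins' group keep theirs.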
On 18.09.19 at 16:17, Rowland penny wrote:
> On 18/09/2019 03:41, Simeon Peter via samba wrote:
>> I would remove any uidNumber & gidNumber attributes from the
>> following users (if set):
>>> administrator
>>> guest
>>> krbtgt
>> Administrator has had a uidNumber for a long time and owns some files.
>> Are there disadvantages if I leave his uidNumber?
> A very big one, 'Administrator' is now a standard user as far as Unix
> is concerned and can do no more than any other normal user.
> Administrator should be mapped to the Unix user root (by default it is
> on a DC).

At the moment there is a user "root" in the AD with the UID 0. Administrator has a UID other than 0 and I cannot give the UID 0 to two users. So should I delete the user "root" in the Active Directory and give the UID 0 to the Administrator user? Which default group should it belong to?

>>>
>>> If you are using Bind9, then you will also have users in this
>>> format: dns-dcname, if so do the same for these users.
>>>
>>> you should also remove gidNumber attributes from these groups:
>>>
>>> cert publishers
>>> ras and ias servers
>>> allowed rodc password replication group
>>> denied rodc password replication group
>>> dnsadmins
>>> enterprise read-only domain controllers
>>> domain guests
>>> domain computers
>>> domain controllers
>>> schema admins
>>> enterprise admins
>>> group policy creator owners
>>> read-only domain controllers
>>> dnsupdateproxy
>> What about the groups Administrators and Users in the Builtin folder?
> Sorry, missed off 'Administrators', not sure which users you are
> referring to here.

There is the group "BUILTIN\Administrators", which has a custom gidNumber at the moment. Should it have a Unix GID as well? Is there a Unix group "root" with GID 0?

>> Is it recommended to stop the source/destination DC during the export/
>> import?
>>
>> At the moment I have a cronjob rsyncing the sysvol directory. In that
>> case it would be better to sync it manually in the future.
> see here:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

That worked well, thank you :-)

Simeon