Hi I have some problems with setting permissions on my share. I think it has to do that I didn?t configure this If you use the winbind 'ad' backend on Unix domain members and you add a gidNumber attribute to the Domain Admins group in AD, you will break the mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb, this is to allow the group to own files in Sysvol on a Samba AD DC. It is suggested you create a new AD group (Unix Admins for instance), give this group a gidNumber attribute and add it to the Administrators group and then, on Unix, use the group wherever you would normally use Domain Admins. I am using a raspberry pi. And don?t know how to set this up. Philip p.s. can an admin block Emma the hooker?. She is sending spam. It?s anoying
https://ibb.co/SsBGnQw As you can see in that picture, Administrator has all rights to the dir, I am loged in as administrator. But I can't change rights. Philip "Philip Offermans via samba" <samba at lists.samba.org> schreef op 4 september 2020 18:31:> Hi I have some problems with setting permissions on my share. I think it has to do that I didn?t > configure this > > If you use the winbind 'ad' backend on Unix domain members and you add a gidNumber attribute to the > Domain Admins group in AD, you will break the mapping in idmap.ldb. Domain Admins is mapped as > ID_TYPE_BOTH in idmap.ldb, this is to allow the group to own files in Sysvol on a Samba AD DC. It > is suggested you create a new AD group (Unix Admins for instance), give this group a gidNumber > attribute and add it to the Administrators group and then, on Unix, use the group wherever you > would normally use Domain Admins. > > I am using a raspberry pi. And don?t know how to set this up. > > Philip > > p.s. can an admin block Emma the hooker?. She is sending spam. It?s anoying > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
On 04/09/2020 17:28, Philip Offermans via samba wrote:> Hi I have some problems with setting permissions on my share. I think it has to do that I didn?t configure this > > If you use the winbind 'ad' backend on Unix domain members and you add a gidNumber attribute to the Domain Admins group in AD, you will break the mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb, this is to allow the group to own files in Sysvol on a Samba AD DC. It is suggested you create a new AD group (Unix Admins for instance), give this group a gidNumber attribute and add it to the Administrators group and then, on Unix, use the group wherever you would normally use Domain Admins. > > I am using a raspberry pi. And don?t know how to set this up.Is this on the DC or the Unix domain member ? If the Unix domain member, I don't that is your problem, you have 'idmap config <win domain>:range = 3000000-4000000' in your smb.conf and the ID numbers on a DC (which is where I think you got 3000000 from) are neither uidNumber or gidNumber attributes, they are xidNumber attributes and are only used on a DC. So have you added any uidNumber or gidNumber attributes to AD ?> > Philip > > p.s. can an admin block Emma the hooker?. She is sending spam. It?s anoyingI am very sure that 'Emma' isn't a registered Samba mailing list user and I am certain that she is not sending emails through our email servers, so we have no way to block her ;-) Rowland
What I am aware of I didn?t mess with the bidmap config. But I don?t really understand what it is, and where I use it for. I am really new to samba. All I know is that I have something regarding this in my config. And that it has something to do with users and groups. Thanks a lot btw for all the help. Without it I would be stuck on things like this for weeks Philip> On 4 Sep 2020, at 18:57, Rowland penny via samba <samba at lists.samba.org> wrote: > > On 04/09/2020 17:28, Philip Offermans via samba wrote: >> Hi I have some problems with setting permissions on my share. I think it has to do that I didn?t configure this >> >> If you use the winbind 'ad' backend on Unix domain members and you add a gidNumber attribute to the Domain Admins group in AD, you will break the mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb, this is to allow the group to own files in Sysvol on a Samba AD DC. It is suggested you create a new AD group (Unix Admins for instance), give this group a gidNumber attribute and add it to the Administrators group and then, on Unix, use the group wherever you would normally use Domain Admins. >> >> I am using a raspberry pi. And don?t know how to set this up. > > Is this on the DC or the Unix domain member ? > > If the Unix domain member, I don't that is your problem, you have 'idmap config <win domain>:range = 3000000-4000000' in your smb.conf and the ID numbers on a DC (which is where I think you got 3000000 from) are neither uidNumber or gidNumber attributes, they are xidNumber attributes and are only used on a DC. So have you added any uidNumber or gidNumber attributes to AD ? > >> >> Philip >> >> p.s. can an admin block Emma the hooker?. She is sending spam. It?s anoying > > I am very sure that 'Emma' isn't a registered Samba mailing list user and I am certain that she is not sending emails through our email servers, so we have no way to block her ;-) > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
ohw. Miss spelling. I did not mess with idmap config. Autocorrect:)> On 4 Sep 2020, at 18:57, Rowland penny via samba <samba at lists.samba.org> wrote: > > On 04/09/2020 17:28, Philip Offermans via samba wrote: >> Hi I have some problems with setting permissions on my share. I think it has to do that I didn?t configure this >> >> If you use the winbind 'ad' backend on Unix domain members and you add a gidNumber attribute to the Domain Admins group in AD, you will break the mapping in idmap.ldb. Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb, this is to allow the group to own files in Sysvol on a Samba AD DC. It is suggested you create a new AD group (Unix Admins for instance), give this group a gidNumber attribute and add it to the Administrators group and then, on Unix, use the group wherever you would normally use Domain Admins. >> >> I am using a raspberry pi. And don?t know how to set this up. > > Is this on the DC or the Unix domain member ? > > If the Unix domain member, I don't that is your problem, you have 'idmap config <win domain>:range = 3000000-4000000' in your smb.conf and the ID numbers on a DC (which is where I think you got 3000000 from) are neither uidNumber or gidNumber attributes, they are xidNumber attributes and are only used on a DC. So have you added any uidNumber or gidNumber attributes to AD ? > >> >> Philip >> >> p.s. can an admin block Emma the hooker?. She is sending spam. It?s anoying > > I am very sure that 'Emma' isn't a registered Samba mailing list user and I am certain that she is not sending emails through our email servers, so we have no way to block her ;-) > > Rowland > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba