Luis,

If there is consensus on this, perhaps you could propose an edit to the Wiki explaining it there.

On Monday, October 21, 2024 at 10:51:18 AM CDT, Luis Peromarta via samba <samba at lists.samba.org> wrote:

Another approach is to remove 'idmap_ldb rfc2307 = yes' from your DCs. You most likely don't need it, and it tends to complicate things unnecessarily. For more information, check out this article:

http://samba.bigbird.es/doku.php?id=samba:no-need-for-use-rfc2307

Feedback welcome.

On Oct 21, 2024 at 17:17 +0200, Rowland Penny via samba <samba at lists.samba.org>, wrote:
> On Mon, 21 Oct 2024 17:01:36 +0200
> Francesco Malvezzi via samba <samba at lists.samba.org> wrote:
>
> > hi all,
> >
> > I am maybe in the situation described here:
> > https://wiki.samba.org/index.php/Sysvolreset).
> >
> > The admins domains groups has indeed a gidNumber and alas I run a
> >
> > ./bin/samba-tool ntacl sysvolcheck
> >
> > What's more in my situation is that when I access the sysvol from the
> > windows side (runas /user:administrator computer management ->
> > connect to server -> system -> shares -> sysvol), as soon as I click
> > on the 'security' tab, the commandlet crashes.
> >
> > The sysvol folder still serves correctly the group policies, the
> > administrator can edit them, but all other users who used to manage
> > them are now forbidden.
> >
> > I already run the samba-check-set-sysvol.sh script, from the linux
> > side the acl look fine (they are incomplete, but I know that I need
> > to grant the privileges from the windows side, whom I can't reach).
> >
> > I didn't find any piece of useful information about the 'computer
> > management' crash in event viewer or in samba logs.
> >
> > What am I missing?
> >
>
> It is not so much what you are missing, it is probably what you have
> got ;-)
>
> The situation hasn't changed, Domain Admins still needs to own things
> in sysvol and cannot if it has a gidNumber attribute, so remove it and
> run 'net cache flush' everywhere on Unix land.
>
> If you must have a Domain Admins type group on Unix, then create one in
> AD, give that a gidNumber attribute and join it to Administrators.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
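Added example, not part of any message in this thread: a shell check for the condition Rowland describes above (a gidNumber attribute on Domain Admins), working on ldbsearch LDIF output. The sample records, the samdom.example.com base DN, the "Unix Admins" group name and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list groups that carry a gidNumber,
# reading ldbsearch LDIF output on stdin. On a DC the input would come from
#   ldbsearch -H <path to sam.ldb> '(&(objectClass=group)(gidNumber=*))' gidNumber
# where the sam.ldb path depends on how Samba was built or packaged.
# Base64-encoded DNs ("dn:: ...") are not decoded by this sketch.

# Print "gidNumber<TAB>DN" for every record that has a gidNumber.
groups_with_gid() {
    awk '
        function emit() {
            if (dn != "" && gid != "") print gid "\t" dn
            dn = ""; gid = ""
        }
        /^ /           { if (last == "dn") dn = dn substr($0, 2); next }  # folded line
        /^$/           { emit(); last = ""; next }                        # end of record
        /^#/           { next }                                           # ldbsearch comments
        /^dn: /        { dn = substr($0, 5); last = "dn"; next }
        /^gidNumber: / { gid = substr($0, 12); last = "gid"; next }
                       { last = "other" }
        END            { emit() }
    '
}

# Exit status 0 if Domain Admins is among the groups with a gidNumber.
domain_admins_has_gid() {
    groups_with_gid | grep -qi "$(printf '\tCN=Domain Admins,')"
}

# Constructed sample input (hypothetical domain and group names).
sample_ldif() {
cat <<'EOF'
# record 1
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10001

# record 2
dn: CN=Unix Admins,CN=Users,DC=samdom,
 DC=example,DC=com
gidNumber: 10002

# record 3
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
EOF
}

if sample_ldif | domain_admins_has_gid; then
    echo "Domain Admins has a gidNumber: remove it, then run 'net cache flush'"
fi
```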
There was a long conversation about this some months ago with @Rowland, I take it there is.

If all happy with that, I can edit the wiki no problem, in fairness this particular article:

https://wiki.samba.org/index.php/Sysvolreset

Seems quite complex (and outdated) to me.

On Oct 21, 2024 at 18:11 +0200, Billy Bob <billysbobs at yahoo.com>, wrote:
>
> Luis,
>
> If there is consensus on this, perhaps you could propose an edit to the Wiki explaining it there.