L.P.H. van Belle
2015-Apr-30 09:35 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
Hello Björn,

I can totally agree with that, having multiple users with the same id isn't what we want, but samba needs at some point root rights, for creating folders/files.

Now we have a "chicken and the egg problem": which one comes first?

At install of samba, files and folders are created by root. When installed, samba is started and now we can assign a uid/gid to Administrator. But at this point Administrator cannot change files/folders owned by root.. the installation script ended, and we don't know the correct uid/gids.

So for all the default users and groups in the AD I really suggest we do assign dedicated uid/gids.

    wbinfo -g
    domain admins
    domain users
    domain guests
    domain computers
    enterprise admins
    group policy creator owners

    wbinfo -u
    administrator
    guest

I removed some of the not needed users/groups, as far as I know.
imo, above should all have a dedicated uid/gid.

So when all of the above do have dedicated uid/gid, we can assign the needed folders and files at install which need one of the above users/groups.
And this will help also in the development of samba in replicated sysvol.

And big thanks for having a look!

Greetings,

Louis

>-----Original message-----
>From: Bjoern Jacke [mailto:bj at sernet.de]
>Sent: Thursday, 30 April 2015 10:59
>To: L.P.H. van Belle
>CC: samba at lists.samba.org
>Subject: Re: [Samba] FW: [Bug 11241] different ids even when
>idmap.ldb copied. not abug..
>
>Hi Louis,
>
>I think this is not so much related to bug 11241 but more to
>
>https://bugzilla.samba.org/show_bug.cgi?id=9837 (Administrator on AD DC
>shouldn't have uid 0)
>
>right?
>
>Best regards
>Björn
>
>
Bjoern Jacke
2015-Apr-30 10:25 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
On 2015-04-30 at 11:35 +0200 L.P.H. van Belle sent off:
> I can totally agree with that, having multiple users with the same id isn't what we want,
> but samba needs at some point root rights, for creating folders/files.
> Now we have a "chicken and the egg problem": which one comes first?

I don't see much reason why DOMAIN\administrator should need root rights by uid 0 on a member server. If you really need any kind of extra privileges on a member server then there is net sam rights for that. The "admin users" parameter is another hackish option. There is no chicken egg problem.

Best regards
Björn
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
? +49-551-370000-0, ? +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
L.P.H. van Belle
2015-Apr-30 10:46 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
not ? .. just to be sure.. I'm not into the code of samba..

created at install:

    drwxrwx---+ 3 root BUILTIN\administrators 4096 Apr 28 13:32 sysvol

( root? )

    usershare path = /var/lib/samba/usershares

since this:

    ls -al /var/lib/ | grep samba
    drwxr-xr-x 10 root root 4096 Apr 30 09:27 samba

owned by root:root, or is this handled by samba internally? Folder usershares is not auto created.

maybe ( but that I don't know ):

    smb passwd file = /var/lib/samba/private/smbpasswd

and yes.. that I know, this is why I have in my scripts things like:

    net rpc rights grant "${SAMBA_NT_DOMAIN}\Domain Admins" SeDiskOperatorPrivilege -UAdministrator

thanks for making this all more clear.

Greetz,

Louis

>-----Original message-----
>From: Bjoern Jacke [mailto:bj at sernet.de]
>Sent: Thursday, 30 April 2015 12:26
>To: L.P.H. van Belle
>CC: samba at lists.samba.org
>Subject: Re: [Samba] FW: [Bug 11241] different ids even when
>idmap.ldb copied. not abug..
>
>On 2015-04-30 at 11:35 +0200 L.P.H. van Belle sent off:
>> I can totally agree with that, having multiple users with the
>same id isn't what we want,
>> but samba needs at some point root rights, for creating
>folders/files.
>> Now we have a "chicken and the egg problem": which one comes first?
>
>I don't see much reason why DOMAIN\administrator should
>need root rights
>by uid 0 on a member server. If you really need any kind of
>extra privileges on
>a member server then there is net sam rights for that. The
>"admin users"
>parameter is another hackish option. There is no chicken egg problem.
>
>Best regards
>Björn
>--
>SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> ? +49-551-370000-0, ? +49-551-370000-9
>AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>
>
Andrey Repin
2015-Apr-30 23:41 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
Greetings, Bjoern Jacke!

> On 2015-04-30 at 11:35 +0200 L.P.H. van Belle sent off:
>> I can totally agree with that, having multiple users with the same id isn't what we want,
>> but samba needs at some point root rights, for creating folders/files.
>> Now we have a "chicken and the egg problem": which one comes first?

> I don't see much reason why DOMAIN\administrator should need root rights
> by uid 0 on a member server.

This is not about administrator or a member server. This is about conflicts between idmap and sam.
If you provision the domain anew, it may not be apparent, but if you do an upgrade, you get conflicts from the start, because provision assigns some UIDs in the 30'000 range into idmap.ldb, and then imports old users with the same 30'000 range UIDs into SAM.
Why does a separate idmap even exist in the first place? To ask for trouble?
What prevents always provisioning with RFC 2307?

> If you really need any kind of extra privileges on
> a member server then there is net sam rights for that. The "admin users"
> parameter is another hackish option. There is no chicken egg problem.

Or, you know, just add domain admins as sudo group.

--
With best regards,
Andrey Repin
Friday, May 1, 2015 02:26:27

Sorry for my terrible English...
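The conflict Andrey describes (a number allocated in idmap.ldb that also appears as an RFC 2307 uidNumber/gidNumber in the SAM, but for a different SID) is something an administrator can check for before copying an idmap.ldb or upgrading. The script below is an added example written for this thread, not code from Samba or from any of the posters. It assumes the operator has dumped records from idmap.ldb and sam.ldb with ldbsearch; the records embedded here are constructed sample data in that LDIF shape, the parser is a minimal LDIF reader (no base64 values, no line folding), and the SIDs, names and numbers are made up. It treats uid and gid as separate namespaces, so an idmap entry of type ID_TYPE_BOTH claims a number in both, and it only takes gidNumber from group objects, because a user's gidNumber is its primary group, not an allocation for the user's own SID.

```python
"""Find numeric IDs claimed by more than one SID across idmap.ldb and the SAM.

Added example for the Samba idmap-vs-SAM discussion. Sample records below are
constructed; real input would come from `ldbsearch` against idmap.ldb and sam.ldb.
"""
from collections import defaultdict

# Constructed records in the shape of idmap.ldb entries (objectClass sidMap).
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-500
cn: S-1-5-21-1111-2222-3333-500
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-500
type: ID_TYPE_BOTH
xidNumber: 30000

dn: CN=S-1-5-21-1111-2222-3333-512
cn: S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 30001

dn: CN=S-1-5-21-1111-2222-3333-513
cn: S-1-5-21-1111-2222-3333-513
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_BOTH
xidNumber: 30002
"""

# Constructed SAM records carrying RFC 2307 attributes (e.g. imported on upgrade).
SAM_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
objectClass: top
objectClass: user
sAMAccountName: Administrator
objectSid: S-1-5-21-1111-2222-3333-500
uidNumber: 30000

dn: CN=jdoe,CN=Users,DC=example,DC=com
objectClass: top
objectClass: user
sAMAccountName: jdoe
objectSid: S-1-5-21-1111-2222-3333-1105
uidNumber: 30001
gidNumber: 30002

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 30002

dn: CN=Backup Staff,CN=Users,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: Backup Staff
objectSid: S-1-5-21-1111-2222-3333-1106
gidNumber: 30000
"""

# Which numeric namespaces an idmap entry of a given type occupies.
KIND_OF_TYPE = {"ID_TYPE_UID": ("uid",), "ID_TYPE_GID": ("gid",),
                "ID_TYPE_BOTH": ("uid", "gid")}


def parse_ldif(text):
    """Minimal LDIF reader: records separated by blank lines, 'attr: value'
    lines, every attribute collected as a list (objectClass is multi-valued)."""
    records, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        records.append(dict(current))
    return records


def collect_ids(idmap_ldif, sam_ldif):
    """Map (kind, number) -> set of (source, SID) that claim it."""
    owners = defaultdict(set)
    for rec in parse_ldif(idmap_ldif):
        if "xidNumber" not in rec or "objectSid" not in rec:
            continue  # not a sidMap entry
        id_type = rec.get("type", ["ID_TYPE_BOTH"])[0]
        for kind in KIND_OF_TYPE.get(id_type, ("uid", "gid")):
            owners[(kind, int(rec["xidNumber"][0]))].add(("idmap", rec["objectSid"][0]))
    for rec in parse_ldif(sam_ldif):
        classes = rec.get("objectClass", [])
        if "objectSid" not in rec:
            continue
        sid = rec["objectSid"][0]
        if "user" in classes and "uidNumber" in rec:
            owners[("uid", int(rec["uidNumber"][0]))].add(("sam", sid))
        if "group" in classes and "gidNumber" in rec:  # users' gidNumber is a primary group, skip it
            owners[("gid", int(rec["gidNumber"][0]))].add(("sam", sid))
    return owners


def find_collisions(idmap_ldif, sam_ldif):
    """Return [(kind, number, sorted SIDs)] for every number held by two or more SIDs.
    The same SID appearing in both stores is consistent, not a collision."""
    out = []
    for (kind, num), holders in sorted(collect_ids(idmap_ldif, sam_ldif).items()):
        sids = sorted({sid for _, sid in holders})
        if len(sids) > 1:
            out.append((kind, num, sids))
    return out


if __name__ == "__main__":
    for kind, num, sids in find_collisions(IDMAP_LDIF, SAM_LDIF):
        print(f"{kind} {num} claimed by: {', '.join(sids)}")
```

With the constructed data the report flags gid 30000 (idmap gave it to the Administrator SID as ID_TYPE_BOTH, while the SAM gives it to a group) and uid 30001 (idmap gave it to Domain Admins, the SAM to user jdoe); Administrator's uid 30000 and Domain Users' gid 30002 agree in both stores and are not reported.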