And don't forget:
https://wiki.samba.org/index.php/Idmap_config_ad
I also noticed an incorrect mapping, which "looks" like a rights issue
like in the thread here. (It is IMO not a rights issue..) Read on..
NTDOMAIN\enterprise read-only domain controllers:x:3000202:
NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
NTDOMAIN\domain users:x:10000:
NTDOMAIN\domain guests:x:10002:
NTDOMAIN\domain computers:x:10006:
NTDOMAIN\domain controllers:x:3000018:
NTDOMAIN\read-only domain controllers:x:3000203:
Is conflicting with
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000009:
BUILTIN\guests:x:3000015:
BUILTIN\account operators:x:3000185:
BUILTIN\server operators:x:3000001:
Which results in some incorrect mappings.
But if you add: acl_xattr:ignore system acls = yes to the Sysvol share.
!! AND you're using the DCs only as DCs. !!
Then this incorrect mapping can be ignored, at least I'm ignoring it,
since everything is tested and works fine.
But I'm thinking of setting a separate range for the BUILTIN.
A setup something like:
idmap_ldb:use rfc2307 = yes
## map IDs outside the domain to tdb files.
## use for local (Linux only) users
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
## the NTDOMAIN range id mappings
idmap config NTDOMAIN : backend = ad
idmap config NTDOMAIN : schema_mode = rfc2307
idmap config NTDOMAIN : range = 10000-2999999
## map ids from BUILTIN ( LOCAL SYSTEM )
##
idmap config BUILTIN : backend = ad
idmap config BUILTIN : schema_mode = rfc2307
idmap config BUILTIN : range = 3000000-3999999
Sometimes, if you look from within Windows, you see security rights like:
NTDOMAIN\administrators
Which should be
BUILTIN\administrators
Does anyone have a suggestion about setting an extra BUILTIN range for the Local
Computer/System?
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
> Sent: Wednesday 22 June 2016 13:59
> To: samba at lists.samba.org
> Subject: Re: [Samba] Rights issue on GPO
>
>
>
> On 06/22/2016 01:44 PM, mj wrote:
> >
> > And then perhaps we also need to set the idmap ranges on the DCs? I
> > thought they were only for the domain member servers...
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> :-)
>
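
An added example, not part of the original post and not Samba code: a check that parses `idmap config ... : range` lines and `getent group` output and lists groups whose gid falls in a range configured for a different domain. The sample data is constructed from the lines quoted in the post (ranges from the proposed setup); the function names are hypothetical.

```python
import re

# Constructed sample: range lines from the setup proposed in the post.
SMB_CONF = r"""
idmap config * : range = 2000-9999
idmap config NTDOMAIN : range = 10000-2999999
idmap config BUILTIN : range = 3000000-3999999
"""
# Constructed sample: a subset of the getent group lines quoted in the post.
GETENT = r"""
NTDOMAIN\enterprise read-only domain controllers:x:3000202:
NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
NTDOMAIN\domain users:x:10000:
NTDOMAIN\domain controllers:x:3000018:
NTDOMAIN\read-only domain controllers:x:3000203:
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000009:
"""
RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping(ranges):
    """Return neighbouring domain pairs (sorted by low bound) that overlap."""
    items = sorted(ranges.items(), key=lambda kv: kv[1])
    return [(a, b) for (a, (_, ahi)), (b, (blo, _)) in zip(items, items[1:])
            if blo <= ahi]

def misplaced_groups(getent, ranges):
    """Return (name, gid, range_owner) where the gid's range is not the group's domain."""
    out = []
    for line in getent.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or "\\" not in fields[0]:
            continue  # skip blank lines and local (non-domain) groups
        domain, gid = fields[0].split("\\", 1)[0].upper(), int(fields[2])
        owner = next((d for d, (lo, hi) in ranges.items() if lo <= gid <= hi), None)
        if owner != domain:
            out.append((fields[0], gid, owner))
    return out

if __name__ == "__main__":
    r = parse_ranges(SMB_CONF)
    print("overlapping ranges:", overlapping(r))
    for name, gid, owner in misplaced_groups(GETENT, r):
        print(f"{name} (gid {gid}) falls in the range configured for {owner}")
```

On the sample data the ranges themselves do not overlap, but the three NTDOMAIN groups with 3000xxx ids land inside the range proposed for BUILTIN.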