On 22/06/16 13:44, lingpanda101 at gmail.com wrote:
> On 6/22/2016 8:19 AM, L.P.H. van Belle wrote:
>> And don't forget :
>> https://wiki.samba.org/index.php/Idmap_config_ad
>>
>> I also noticed an incorrect mapping, which "looks" like rights
>> issues like in the thread here. ( it is imo not a rights issue.. ) read
>> on..
>>
>> NTDOMAIN\enterprise read-only domain controllers:x:3000202:
>> NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
>> NTDOMAIN\domain users:x:10000:
>> NTDOMAIN\domain guests:x:10002:
>> NTDOMAIN\domain computers:x:10006:
>> NTDOMAIN\domain controllers:x:3000018:
>> NTDOMAIN\read-only domain controllers:x:3000203:
>>
>> Is conflicting with
>> BUILTIN\administrators:x:3000000:
>> BUILTIN\users:x:3000009:
>> BUILTIN\guests:x:3000015:
>> BUILTIN\account operators:x:3000185:
>> BUILTIN\server operators:x:3000001:
>>
>> Which results in some incorrect mappings.
>>
>> But if you add : acl_xattr:ignore system acls = yes to the
>> Sysvol share.
>> !! AND you're using the DC's only as DC's. !!
>>
>> Then this incorrect mapping can be ignored, at least I'm ignoring it,
>> since everything is tested and works fine.
>>
>> But I'm thinking of setting a separate range for the BUILTIN
>>
>> A setup something like :
>>
>> idmap_ldb:use rfc2307 = yes
>>
>> ## map id's outside to domain to tdb files.
>> ## use for local (linux only ) users
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-9999
>>
>> ## map ids from the domain and (*) the range may not overlap !
>> ## the NTDOMAIN range id mappings
>> idmap config NTDOMAIN : backend = ad
>> idmap config NTDOMAIN : schema_mode = rfc2307
>> idmap config NTDOMAIN : range = 10000-2999999
>>
>> ## map ids from BUILTIN ( LOCAL SYSTEM )
>> ##
>> idmap config BUILTIN : backend = ad
>> idmap config BUILTIN : schema_mode = rfc2307
>> idmap config BUILTIN : range = 3000000-3999999
>>
>> Sometimes, and if you see from within windows security rights like :
>> NTDOMAIN\administrators
>> Which should be
>> BUILTIN\administrators
>>
>> Anyone any suggestion about setting an extra BUILTIN range for the
>> Local Computer/System.
>>
>> Greetz,
>>
>> Louis
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mj
>>> Sent: Wednesday 22 June 2016 13:59
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Rights issue on GPO
>>>
>>> On 06/22/2016 01:44 PM, mj wrote:
>>>> And then perhaps we also need to set the idmap ranges on the DCs? I
>>>> thought they were only for the domain member servers...
>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>
>>> :-)
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
> others?
>
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>

What version of Samba is this ?

Rowland
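
The ranges proposed in the quoted message, checked against the group listing from the same message (an added example, not part of the original thread). It assumes each name's ID is expected to fall in the range configured for its own domain prefix; the function names are hypothetical, and the built-in section is spelled BUILTIN to match the listing.

```python
import re

# Range lines from the quoted proposal (BUILTIN spelling is this example's assumption).
IDMAP_CONF = """\
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config NTDOMAIN : range = 10000-2999999
idmap config BUILTIN : range = 3000000-3999999
"""

# Group listing copied from the same message (name:x:gid:members).
GROUPS = r"""
NTDOMAIN\enterprise read-only domain controllers:x:3000202:
NTDOMAIN\domain admins:x:10001:NTDOMAIN\administrator
NTDOMAIN\domain users:x:10000:
NTDOMAIN\domain guests:x:10002:
NTDOMAIN\domain computers:x:10006:
NTDOMAIN\domain controllers:x:3000018:
NTDOMAIN\read-only domain controllers:x:3000203:
BUILTIN\administrators:x:3000000:
BUILTIN\users:x:3000009:
BUILTIN\guests:x:3000015:
BUILTIN\account operators:x:3000185:
BUILTIN\server operators:x:3000001:
"""

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_ranges(conf):
    """Return {DOMAIN: (low, high)} for every 'idmap config DOM : range' line."""
    ranges = {}
    for line in conf.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue  # backend, schema_mode, comments, blank lines
        low, high = int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
        ranges[m.group(1).upper()] = (low, high)
    return ranges

def overlapping(ranges):
    """Return pairs of domains whose ranges share at least one ID."""
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    pairs = []
    for i, (dom_a, (_, high_a)) in enumerate(ordered):
        for dom_b, (low_b, _) in ordered[i + 1:]:
            if low_b <= high_a:  # sorted by low bound, so one comparison suffices
                pairs.append((dom_a, dom_b))
    return pairs

def outside_own_range(ranges, listing):
    """Return (name, gid, domain whose range holds gid) for misplaced entries."""
    found = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, _, raw_gid = line.split(":")[:3]
        gid = int(raw_gid)
        domain = name.split("\\", 1)[0].upper()
        low, high = ranges.get(domain, ranges.get("*", (0, -1)))
        if not low <= gid <= high:
            holder = next((d for d, (lo, hi) in ranges.items() if lo <= gid <= hi), None)
            found.append((name, gid, holder))
    return found

if __name__ == "__main__":
    print(outside_own_range(parse_ranges(IDMAP_CONF), GROUPS))
```

Run on the values above, the three ranges do not overlap, but the NTDOMAIN groups with IDs 3000202, 3000018 and 3000203 fall inside the range proposed for BUILTIN rather than the NTDOMAIN range.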
On 6/22/2016 8:51 AM, Rowland penny wrote:
> What version of Samba is this ?
>
> Rowland

samba -V
Version 4.4.4

--
-James
And what I don't see, what is your "current" smb.conf ?

Greetz.

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> lingpanda101 at gmail.com
> Sent: Wednesday 22 June 2016 15:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] Rights issue on GPO
>
> samba -V
> Version 4.4.4
>
> --
> -James
On 6/22/2016 9:27 AM, L.P.H. van Belle wrote:
> And what I don't see, what is your "current" smb.conf ?
>
> Greetz.
>
> Louis

@Louis as you can see pretty basic. This is the same across all DC's in the forest.

# Global parameters
[global]
    workgroup = DOMAIN
    realm = DOMAIN.LOCAL
    netbios name = PFDC1
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = Yes

    log file = /usr/local/samba/var/log.samba
    logging = syslog@2 file
    debug uid = Yes
    debug pid = Yes

    allow dns updates = nonsecure

    load printers = No
    printcap name = /dev/null
    disable spoolss = Yes

    ldap server require strong auth = no
    tls verify peer = ca_and_name

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

--
-James
>> https://wiki.samba.org/index.php/Idmap_config_ad

Don't we need idmap config in the smb.conf also, or is the above not used anymore? If so, then we must change the wiki.

Gr.

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> lingpanda101 at gmail.com
> Sent: Wednesday 22 June 2016 15:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Rights issue on GPO
>
> @Louis as you can see pretty basic. This is the same across all DC's in
> the forest.