Hi Rowland.

But, samba automatically does this mapping.

root@server:/usr/local/src/samba-4.4.10# id 'domain admins'
uid=3000008(DOMAIN\domain admins) gid=3000008(DOMAIN\domain admins) groups=3000008(DOMAIN\domain admins)

Because of these options in smb.conf:

winbind enum users = yes
winbind enum groups = yes

Can I remove this mapping only for the domain admin group?

Thanks

2017-03-07 12:51 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 7 Mar 2017 12:23:59 -0300
> Edson Tadeu Almeida da Silveira via samba <samba at lists.samba.org> wrote:
>
> > # samba-tool gpo aclcheck -U Administrator
> > Password for [DOMAIN\Administrator]:
> > ERROR: Invalid GPO ACL
> > O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > on path
> > (cbmerj.local\Policies\{F274A070-5B45-4434-BB7C-75AE1D702A6B}),
> > should be
> > O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >
> > This last error is happening to all my policies. After each policy I
> > repair, another one shows up with a problem and I can't delete all
> > policies and recreate them to test.
> >
> > Thanks for your help!
>
> Welcome to the wonderful world of SYSVOL on a Samba4 AD DC ;-)
>
> Have you set a gidNumber for Domain Admins ?
> If so remove it, Domain Admins needs to own files and dirs in sysvol
> and if the group has a gidNumber it cannot.
>
> Note:
> 'O:LA' = owner: Local Administrator
> 'O:DA' = owner: Domain Admins
> 'G:DA' = group: Domain Admins
>
> Rowland

--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
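Added example, not part of the original thread: a small Python parser that splits the two SDDL strings from the aclcheck output quoted above into owner, group, DACL flags and ACEs, and reports where they differ. The function names are illustrative, and the parser only handles the owner/group/DACL form that appears in this thread.

```python
import re

# SDDL strings copied from the 'samba-tool gpo aclcheck' output in the thread.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FOUND = "O:LAG:DAD:PAI" + ACES      # what is on disk
EXPECTED = "O:DAG:DAD:P" + ACES     # what aclcheck wants

# A SID is either a two-letter alias (DA, LA, SY, ...) or a literal S-1-... string.
SID = r"(?:[A-Z]{2}|S-1-[0-9-]+)"
HEADER = re.compile(rf"O:({SID})G:({SID})D:([A-Z]*)((?:\([^)]*\))*)")


def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)(ace)...' into its components."""
    m = HEADER.fullmatch(sddl)
    if m is None:
        raise ValueError("unsupported SDDL form: %r" % sddl)
    owner, group, flags, aces = m.groups()
    return {
        "owner": owner,
        "group": group,
        # DACL control flags: P = protected, AI = auto-inherited, AR = auto-inherit requested
        "dacl_flags": tuple(sorted(re.findall(r"P|AR|AI", flags))),
        # Each ACE: (type, flags, rights, object guid, inherit object guid, trustee)
        "aces": [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", aces)],
    }


def diff_sddl(found, expected):
    """Return (field, found_value, expected_value) for every field that differs."""
    f, e = parse_sddl(found), parse_sddl(expected)
    diffs = [(k, f[k], e[k]) for k in ("owner", "group", "dacl_flags") if f[k] != e[k]]
    if f["aces"] != e["aces"]:
        diffs.append(("aces", f["aces"], e["aces"]))
    return diffs


if __name__ == "__main__":
    for field, got, want in diff_sddl(FOUND, EXPECTED):
        print("%-10s found=%s expected=%s" % (field, got, want))
```

For the strings in this thread, the ACE lists are identical; only the owner (LA instead of DA) and the extra AI flag on the DACL differ.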
On Tue, 7 Mar 2017 13:16:23 -0300
Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:

> Hi Rowland.
>
> But, samba automatically does this mapping.
>
> root@server:/usr/local/src/samba-4.4.10# id 'domain admins'
> uid=3000008(DOMAIN\domain admins) gid=3000008(DOMAIN\domain admins) groups=3000008(DOMAIN\domain admins)
>
> Because of these options in smb.conf:
>
> winbind enum users = yes
> winbind enum groups = yes
>
> Can I remove this mapping only for the domain admin group?

No, and those options aren't doing the mapping. All they do is make
'getent passwd' & 'getent group' show all users and groups; without
them, you will have to do 'getent passwd username' or 'getent group
groupname'. You do not need them for Samba to work.

The problem with the GPOs that you are adding is that Samba seems to
think they should be set differently to what Windows sets them to.

Big hint here: don't use sysvolreset if you add any GPOs.

Rowland
Can you tell me what the correct permissions are to set on sysvol in order for it to work, and how to solve that problem with the 'Domain admins' uid?

I'm using samba 4.4.6 and I will upgrade to 4.4.10, but I'd like to correct this issue before.

Thanks again Rowland.

2017-03-07 13:34 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 7 Mar 2017 13:16:23 -0300
> Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:
>
> > Hi Rowland.
> >
> > But, samba automatically does this mapping.
> >
> > root@server:/usr/local/src/samba-4.4.10# id 'domain admins'
> > uid=3000008(DOMAIN\domain admins) gid=3000008(DOMAIN\domain admins) groups=3000008(DOMAIN\domain admins)
> >
> > Because of these options in smb.conf:
> >
> > winbind enum users = yes
> > winbind enum groups = yes
> >
> > Can I remove this mapping only for the domain admin group?
>
> No, and those options aren't doing the mapping. All they do is make
> 'getent passwd' & 'getent group' show all users and groups; without
> them, you will have to do 'getent passwd username' or 'getent group
> groupname'. You do not need them for Samba to work.
>
> The problem with the GPOs that you are adding is that Samba seems to
> think they should be set differently to what Windows sets them to.
>
> Big hint here: don't use sysvolreset if you add any GPOs.
>
> Rowland

--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------