Hehehehe.

I'm trying to get courage to update to 4.6.

And I saw that version 4.5.x had a change about ntlmv1 and I use it to auth vpn and wifi users. I need to test before putting it in a production environment.

Thanks!

2017-03-07 14:32 GMT-03:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Tue, 7 Mar 2017 14:21:38 -0300
> Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:
>
> > Can you tell me what are correct permissions to set at sysvol in
> > order to work and how to solve that problem with 'Domain admins' uid ?
>
> It isn't really a 'uid' problem, it is a 'sysvolreset' problem, giving
> Domain Admins a gidNumber only makes it worse.
> How to fix it ? Remove the GPO and then add it again, then NEVER use
> sysvolreset again.
>
> > I'm using samba 4.4.6 and I will upgrade to 4.4.10 but I'd like to
> > correct this issue before.
>
> Why stop at 4.4.10 ? 4.6.0 was released today ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------

On Tue, Mar 7, 2017 at 9:32 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> It isn't really a 'uid' problem, it is a 'sysvolreset' problem, giving
> Domain Admins a gidNumber only makes it worse.
> How to fix it ? Remove the GPO and then add it again, then NEVER use
> sysvolreset again.

Hang on, can you explain this a little further? I thought that Domain Admins was issued gidNumber 512 by default. In addition, sysvolreset is not recommended to fix potential SysVol replication problems with GPO perms?

Kris Lou
klou at themusiclink.net

On Tue, 7 Mar 2017 10:26:03 -0800 Kris Lou via samba <samba at lists.samba.org> wrote:
> Hang on, can you explain this a little further? I thought that Domain
> Admins was issued gidNumber 512 by default. In addition, sysvolreset
> is not recommended to fix potential SysVol replication problems with
> GPO perms?

No, Domain Admins doesn't get gidNumber 512 by default, it gets the 'RID' 512 by default, bit of a difference there.

Domain Admins gets mapped to an xidNumber in idmap.ldb, but it also gets mapped as 'ID_TYPE_BOTH', this means that Domain Admins is both a group and a user and therefore is able to own files etc on Unix. If you then give Domain Admins a gidNumber, it becomes just a group and cannot own files as a user does.

Domain Admins needs to own files in sysvol as a user, but sysvolreset seems to change the ACLs set when a GPO is added on a Windows machine.

It is my recommendation to not give Domain Admins a gidNumber and not to run sysvolreset if you add any GPOs.

Rowland

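
The check described in the message above, as an added example that is not part of the original thread and is not Samba project code: it reads LDIF text such as `ldbsearch` prints for idmap.ldb and for the Domain Admins entry in sam.ldb, and reports when the RID 512 mapping is not ID_TYPE_BOTH or when a gidNumber has been set. The SID, DN and xidNumber values are constructed samples, and the `cn`, `type` and `sAMAccountName` attribute names are assumptions about the LDIF layout.

```python
import re

# Constructed sample data in the style of ldbsearch output (assumption: the
# SID, DN and xidNumber below are made up, not taken from the thread).
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
cn: S-1-5-21-1111111111-2222222222-3333333333-512
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000008
"""
SAM_LDIF_OK = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
"""
SAM_LDIF_BAD = SAM_LDIF_OK + "gidNumber: 512\n"


def parse_ldif(text):
    """Split LDIF text into a list of {lowercased attr: [values]} records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            # Skip comments, folded continuation lines and non-attribute lines.
            if line.startswith(("#", " ")) or ":" not in line:
                continue
            key, _, value = line.partition(":")
            rec.setdefault(key.strip().lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records


def check_domain_admins(idmap_ldif, sam_ldif):
    """Return a list of findings; an empty list means the default mapping."""
    findings = []
    sid_512 = re.compile(r"^S-1-5-21-\d+-\d+-\d+-512$")
    mapping = next((r for r in parse_ldif(idmap_ldif)
                    if sid_512.match(r.get("cn", [""])[0])), None)
    if mapping is None:
        findings.append("idmap: no mapping found for RID 512")
    elif mapping.get("type", [""])[0] != "ID_TYPE_BOTH":
        findings.append("idmap: RID 512 is mapped as %s, not ID_TYPE_BOTH"
                        % mapping.get("type", ["?"])[0])
    for rec in parse_ldif(sam_ldif):
        if rec.get("samaccountname") == ["Domain Admins"] and "gidnumber" in rec:
            findings.append("sam: Domain Admins has gidNumber %s set"
                            % rec["gidnumber"][0])
    return findings
```
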
On Tue, 7 Mar 2017 17:17:47 -0300 Edson Tadeu Almeida da Silveira <edson.tadeu at gmail.com> wrote:
> Rowland.
>
> I'm having a problem because I can't remove 2 policies: Default Domain
> Policy and Default Domain Controllers Policy.
>
> Do you know a way to repair them both?

They are the default policies, you shouldn't remove these, just any extra new ones.

Rowland