On Tue, 7 Mar 2017 10:26:03 -0800
Kris Lou via samba <samba at lists.samba.org> wrote:

> Hang on, can you explain this a little further? I thought that Domain
> Admins was issued gidNumber 512 by default. In addition, sysvolreset
> is not recommended to fix potential SysVol replication problems with
> GPO perms?
>

No, Domain Admins doesn't get gidNumber 512 by default, it gets the 'RID' 512 by default, bit of a difference there. Domain Admins gets mapped to an xidNumber in idmap.ldb, but it also gets mapped as 'ID_TYPE_BOTH'; this means that Domain Admins is both a group and a user and is therefore able to own files etc. on Unix. If you then give Domain Admins a gidNumber, it becomes just a group and cannot own files as a user does.

Domain Admins needs to own files in sysvol as a user, but sysvolreset seems to change the ACLs set when a GPO is added on a Windows machine.

It is my recommendation to not give Domain Admins a gidNumber and not to run sysvolreset if you add any GPOs.

Rowland
On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
> It is my recommendation to not give Domain Admins a gidNumber and not
> to run sysvolreset if you add any GPOs.

Anybody who uses idmap ad on a Samba member server should give Domain Users and Domain Admins a gidNumber, actually. This does not affect sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307, which I would not recommend.

Björn
On Mon, 20 Mar 2017 15:27:33 +0100
Björn JACKE via samba <samba at lists.samba.org> wrote:

> On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
> > It is my recommendation to not give Domain Admins a gidNumber and
> > not to run sysvolreset if you add any GPOs.
>
> anybody who uses idmap ad on a samba member server should give domain
> users and domain admins a gidnumber actually. This does not affect
> sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307,
> what I would not recommend to do.
>
> Björn
>

Hi Bjorn,
You can recommend not doing something until you are blue in the face, but you will not stop people doing it. ;-)

If you give Domain Admins a gidNumber, it breaks the mapping in idmap.ldb and stops Domain Admins being able to own files and dirs in sysvol, and Domain Admins needs to own files and dirs in sysvol.

Rowland
I'm questioning this because of the following. What is "Domain Admins" doing with rights on SYSVOL anyway?? There should not be any "Domain Admins" at all in the sysvol share and security rights.

But to overcome the problem explained below, you can use:

acl_xattr:ignore system acls = yes

and make sure sysvol and/or netlogon are Windows-only shares and not used by any Unix/Linux/Mac clients.

Set:

acl_xattr:ignore system acls = yes

in the shares sysvol and/or netlogon.

Now in addition, as said, if set up correctly, you don't see any "Domain Admins" on sysvol.

Sysvol share permissions set to:
  Everyone                                                  Read
  Authenticated Users                                       Full Control
  DOMAIN\Administrators (same as "BUILTIN\Administrators")  Full Control

And for the folder settings:
  CREATOR OWNER            Special rights
  Authenticated Users      Read
  SYSTEM                   Full Control
  DOMAIN\Administrators    R&E, LFC, READ, WRITE
  DOMAIN\Server Operators  R&E, LFC, READ

Now it's no problem to give these a gid anymore:
  Domain Users
  Domain Admins
  Domain Guests
  Domain Computers

And as Björn suggested, you do give the groups an id. And when it's all set, DON'T run sysvolreset again; when you do that, you must set the share and security rights again.

And all my servers run with:

idmap_ldb:use rfc2307

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Monday, 20 March 2017 15:44
> To: samba at lists.samba.org
> Subject: Re: [Samba] Problem sysvolreset
>
> On Mon, 20 Mar 2017 15:27:33 +0100
> Björn JACKE via samba <samba at lists.samba.org> wrote:
>
> > On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
> > > It is my recommendation to not give Domain Admins a gidNumber and
> > > not to run sysvolreset if you add any GPOs.
> >
> > anybody who uses idmap ad on a samba member server should give domain
> > users and domain admins a gidnumber actually. This does not affect
> > sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307,
> > what I would not recommend to do.
> >
> > Björn
> >
>
> Hi Bjorn,
> You can recommend not doing something until you are blue in the face,
> but you will not stop people doing it. ;-)
>
> If you give Domain Admins a gidNumber, it breaks the mapping in
> idmap.ldb and stops Domain Admins being able to own files and dirs in
> sysvol and Domain Admins needs to own files and dirs in sysvol.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Tue, 21 Mar 2017 16:24:31 +0100
L.P.H. van Belle <belle at bazuin.nl> wrote:

> Hai Rowland,
>
> Can you post the exact command you used, so I'm sure I don't get
> different outputs.
>

OK, on a Windows 2012R2 DC:

Get-Acl 'C:\Windows\SYSVOL\sysvol\domain.local\Policies\{5FD30AA2-B678-422C-9C0E-4E270488EDE4}' | Format-List

NOTE: The above is all one line.

Which leads to this output:

Path   : sysvol\DOMAIN.LOCAL\Policies\{5FD30AA2-B678-422C-9C0E-4E270488EDE4}
Owner  : HOME\Domain Admins
Group  : HOME\Domain Admins
Access : CREATOR OWNER Allow  FullControl
         NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         HOME\Domain Admins Allow  FullControl
         HOME\Enterprise Admins Allow  FullControl
Audit  :
Sddl   : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)

Rowland
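The Sddl line in Rowland's output is the compact form of the whole descriptor, and it is where the point of the thread can be read off directly: the owner field ("O:DA") of a GPO folder is Domain Admins, so whatever Domain Admins maps to on the Unix side of a Samba DC must be able to own files. The following decoder is an added example and is not code from the thread, from Samba or from Microsoft; it parses the posted SDDL string (copied verbatim from the output above), resolves the two-letter SID aliases and the RID-519 SID to the names Get-Acl printed (without the HOME\ domain prefix), and renders the access masks with the same FileSystemRights names Get-Acl uses. The alias and RID tables are limited to the entries that occur in SYSVOL ACLs.

```python
"""Decode the SDDL string Get-Acl printed for a GPO folder (added example)."""
import re
from typing import List, NamedTuple

# Security descriptor quoted from the Get-Acl output in the thread (not constructed).
POSTED_SDDL = (
    "O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)"
    "(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)"
)

# SDDL two-letter SID aliases (subset relevant to SYSVOL/GPO ACLs).
SID_ALIASES = {
    "CO": "CREATOR OWNER", "SY": "NT AUTHORITY\\SYSTEM",
    "ED": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "AU": "NT AUTHORITY\\Authenticated Users",
    "DA": "Domain Admins", "EA": "Enterprise Admins",
    "BA": "BUILTIN\\Administrators", "SO": "BUILTIN\\Server Operators",
}
# Domain-relative RIDs for groups SDDL may spell out as a full SID, as it does for
# Enterprise Admins (RID 519) in the posted descriptor.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                   515: "Domain Computers", 519: "Enterprise Admins"}
# SDDL rights aliases -> access masks (generic rights and the file-specific forms).
RIGHTS_ALIASES = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
                  "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# .NET FileSystemRights composites, most inclusive first; these are the names Get-Acl prints.
FILE_RIGHTS = [("FullControl", 0x1F01FF), ("Modify", 0x301BF), ("ReadAndExecute", 0x200A9),
               ("Read", 0x20089), ("Write", 0x116), ("Synchronize", 0x100000)]


class Ace(NamedTuple):
    ace_type: str     # "Allow" / "Deny"
    flags: List[str]  # inheritance flags, e.g. ["OI", "CI", "IO"]
    mask: int         # raw access mask
    rights: str       # mask rendered with FileSystemRights names
    sid: str          # trustee exactly as written in the SDDL
    trustee: str      # resolved account name


class SecurityDescriptor(NamedTuple):
    owner: str
    group: str
    dacl_flags: List[str]  # control flags, e.g. ["P", "AI"] = protected, auto-inherited
    aces: List[Ace]


def resolve_sid(sid: str) -> str:
    """Map an SDDL alias, or a domain SID with a well-known RID, to a name."""
    if sid in SID_ALIASES:
        return SID_ALIASES[sid]
    if sid.startswith("S-1-5-21-"):
        return WELL_KNOWN_RIDS.get(int(sid.rsplit("-", 1)[1]), sid)
    return sid


def describe_mask(mask: int) -> str:
    """Render an access mask the way Get-Acl does, e.g. 'ReadAndExecute, Synchronize'."""
    names, remaining = [], mask
    for name, bits in FILE_RIGHTS:
        if remaining & bits == bits:
            names.append(name)
            remaining &= ~bits
    if remaining:
        names.append(hex(remaining))  # bits not covered by the composites above
    return ", ".join(names)


def parse_rights(token: str) -> int:
    """The rights field is either a hex mask or concatenated two-letter aliases."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    return sum(RIGHTS_ALIASES[t] for t in re.findall(r"[A-Z]{2}", token))


_SD_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dflags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)")


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse O:/G:/D: and each (type;flags;rights;object;inherit_object;sid) ACE."""
    m = _SD_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: " + sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        mask = parse_rights(rights)
        aces.append(Ace({"A": "Allow", "D": "Deny"}.get(ace_type, ace_type),
                        re.findall(r"[A-Z]{2}", flags), mask, describe_mask(mask),
                        sid, resolve_sid(sid)))
    # DACL control flags: single-letter P plus the two-letter AR / AI.
    dacl_flags = re.findall(r"AR|AI|[A-Z]", m.group("dflags"))
    return SecurityDescriptor(resolve_sid(m.group("owner")), resolve_sid(m.group("group")),
                              dacl_flags, aces)


def owner_is_domain_admins(sddl: str) -> bool:
    """The property the thread rests on: a GPO folder's owner is Domain Admins."""
    return parse_sddl(sddl).owner == "Domain Admins"


if __name__ == "__main__":
    sd = parse_sddl(POSTED_SDDL)
    print(f"Owner: {sd.owner}  Group: {sd.group}  DACL flags: {','.join(sd.dacl_flags)}")
    for ace in sd.aces:
        print(f"  {ace.trustee:48} {ace.ace_type:5} {ace.rights:30} {','.join(ace.flags)}")
    print("owner is Domain Admins:", owner_is_domain_admins(POSTED_SDDL))
```

Run against the posted string, the table it prints matches the Access lines of the Get-Acl output, and the P flag shows the DACL is protected from inheritance, which is why a Windows-side edit to the parent does not propagate into the GPO folder. The same parser can be pointed at the Sddl field of any other SYSVOL object to confirm who owns it before deciding how Domain Admins must be mapped on the DC.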