John Gardeniers
2017-May-24 21:40 UTC
[Samba] Unable to set SeDiskOperatorPrivilege (again)
Hi Rowland,

Those low numbers you refer to are in fact the standard numbers assigned to those groups, so I fail to see the problem. As for mapping Administrator to root, I believe that's entirely optional, rather than required. Under normal circumstances we don't use the domain Administrator account at all. We have a root account we use instead.

In regard to winbind, we have never used it and there's a concern here that it may clash with our use of sssd, which is working great for all normal purposes. Using multiple authentication mechanisms against the same source can't be a good idea and, as you can see from my question, we have no trouble resolving users or groups normally.

Here's smb.conf from the test machine:

[global]
security = ADS
workgroup = MYDOMAIN
realm = MYDOMAIN.COM.AU

log file = /var/log/samba/%m.log
log level = 1

# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 10000-19999

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

regards,
John

On 24/05/17 16:47, Rowland Penny via samba wrote:
> On Wed, 24 May 2017 13:34:27 +1000
> John Gardeniers via samba <samba at lists.samba.org> wrote:
>
>> There was a thread on this topic back in January and as far as I can
>> see it was never resolved.
>
> It has always worked for me, even when I used sssd.
> But there is no need to use sssd on a Unix domain member
>
>> # getent group "Domain Admins"
>> Domain Admins:*:512:Administrator,user1,user2,user3
>>
>> # id Administrator
>> uid=10858(Administrator) gid=513(Domain Users) groups=513(Domain Users),512(Domain Admins),10102(Enterprise Admins)
>>
>> # id "Domain Admins"
>> id: Domain Admins: No such user
>
> You seem to be using very low numbers for 'Domain Users' & 'Domain Admins'
>
> 'Domain Admins' is only a user on a DC (where it is also a group)
>
> 'Administrator' shouldn't have a uidNumber, it should be mapped to 'root'
>
> Can you post your smb.conf and are you willing to try using winbind.
>
> Rowland
On Thu, 25 May 2017 07:40:50 +1000
John Gardeniers via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
>
> Those low numbers you refer to are in fact the standard numbers
> assigned to those groups, so I fail to see the problem.

Yes, they are standard numbers, they are standard RIDs and as such have no place on Unix.

> As for mapping Administrator to root, I believe that's entirely optional,
> rather than required. Under normal circumstances we don't use the
> domain Administrator account at all. We have a root account we use
> instead.

Yes, it is optional, but if you want to do things from Windows, it is easier to use Administrator on Windows that is mapped to root on the Unix DC. The problems start when you give Administrator a uidNumber that isn't '0'.

> In regard to winbind, we have never used it and there's a concern
> here that it may clash with our use of sssd, which is working great
> for all normal purposes. Using multiple authentication mechanisms
> against the same source can't be a good idea and, as you can see from
> my question, we have no trouble resolving users or groups normally.

Anything sssd can do, winbind can do. winbind is supported by Samba, sssd isn't; if you want sssd support, try the sssd-users mailing list.

> Here's smb.conf from the test machine:
>
> [global]
> security = ADS
> workgroup = MYDOMAIN
> realm = MYDOMAIN.COM.AU
>
> log file = /var/log/samba/%m.log
> log level = 1
>
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use a read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 10000-19999

Please don't use those numbers, '10000' is the default domain start number on ADUC and there are nowhere near 9999 well-known SIDs, plus if you are not using winbind, you do not need those lines.

Rowland
John Gardeniers
2017-May-24 22:34 UTC
[Samba] Unable to set SeDiskOperatorPrivilege (again)
Hi Rowland,

You say that winbind can do anything that sssd can, yet I've not been able to find winbind instructions similar to these for sssd: http://jhrozek.livejournal.com/3860.html

Do you know of such instructions? More particularly, do you know how with winbind we can lock sudoers down to specific OUs? We need to do a lot more than basic authentication and simple file sharing. From both this thread and previous ones I suspect our environment is more complex than what you're familiar with.

regards,
John

On 25/05/17 08:17, Rowland Penny via samba wrote:
> On Thu, 25 May 2017 07:40:50 +1000
> John Gardeniers via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> Those low numbers you refer to are in fact the standard numbers
>> assigned to those groups, so I fail to see the problem.
>
> Yes, they are standard numbers, they are standard RIDs and as such have
> no place on Unix
>
>> As for mapping Administrator to root, I believe that's entirely optional,
>> rather than required. Under normal circumstances we don't use the
>> domain Administrator account at all. We have a root account we use
>> instead.
>
> Yes, it is optional, but if you want to do things from Windows, it is
> easier to use Administrator on Windows that is mapped to root on the
> Unix DC. The problems start when you give Administrator a uidNumber
> that isn't '0'
>
>> In regard to winbind, we have never used it and there's a concern
>> here that it may clash with our use of sssd, which is working great
>> for all normal purposes. Using multiple authentication mechanisms
>> against the same source can't be a good idea and, as you can see from
>> my question, we have no trouble resolving users or groups normally.
>
> Anything sssd can do, winbind can do, winbind is supported by Samba,
> sssd isn't, if you want sssd support, try the sssd-users mailing list
>
>> Here's smb.conf from the test machine:
>>
>> [global]
>> security = ADS
>> workgroup = MYDOMAIN
>> realm = MYDOMAIN.COM.AU
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> # Default ID mapping configuration for local BUILTIN accounts
>> # and groups on a domain member. The default (*) domain:
>> # - must not overlap with any domain ID mapping configuration!
>> # - must use a read-write-enabled back end, such as tdb.
>> idmap config * : backend = tdb
>> idmap config * : range = 10000-19999
>
> Please don't use those numbers, '10000' is the default domain start
> number on ADUC and there are nowhere near 9999 well-known SIDs, plus if
> you are not using winbind, you do not need those lines
>
> Rowland
> Please don't use those numbers, '10000' is the default domain start
> number on ADUC and there are nowhere near 9999 well-known SIDs, plus if
> you are not using winbind, you do not need those lines

Is there a "best" range for this, or can I use the default values posted on the wiki?

idmap config * : backend = tdb
idmap config * : range = *3000-7999*
...
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = *10000-999999*

On Wed, May 24, 2017 at 7:17 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 25 May 2017 07:40:50 +1000
> John Gardeniers via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> Those low numbers you refer to are in fact the standard numbers
>> assigned to those groups, so I fail to see the problem.
>
> Yes, they are standard numbers, they are standard RIDs and as such have
> no place on Unix
>
>> As for mapping Administrator to root, I believe that's entirely optional,
>> rather than required. Under normal circumstances we don't use the
>> domain Administrator account at all. We have a root account we use
>> instead.
>
> Yes, it is optional, but if you want to do things from Windows, it is
> easier to use Administrator on Windows that is mapped to root on the
> Unix DC. The problems start when you give Administrator a uidNumber
> that isn't '0'
>
>> In regard to winbind, we have never used it and there's a concern
>> here that it may clash with our use of sssd, which is working great
>> for all normal purposes. Using multiple authentication mechanisms
>> against the same source can't be a good idea and, as you can see from
>> my question, we have no trouble resolving users or groups normally.
>
> Anything sssd can do, winbind can do, winbind is supported by Samba,
> sssd isn't, if you want sssd support, try the sssd-users mailing list
>
>> Here's smb.conf from the test machine:
>>
>> [global]
>> security = ADS
>> workgroup = MYDOMAIN
>> realm = MYDOMAIN.COM.AU
>>
>> log file = /var/log/samba/%m.log
>> log level = 1
>>
>> # Default ID mapping configuration for local BUILTIN accounts
>> # and groups on a domain member. The default (*) domain:
>> # - must not overlap with any domain ID mapping configuration!
>> # - must use a read-write-enabled back end, such as tdb.
>> idmap config * : backend = tdb
>> idmap config * : range = 10000-19999
>
> Please don't use those numbers, '10000' is the default domain start
> number on ADUC and there are nowhere near 9999 well-known SIDs, plus if
> you are not using winbind, you do not need those lines
>
> Rowland

--
Elias Pereira