L.P.H. van Belle
2017-Jul-03 07:49 UTC
[Samba] Can't create/update Group Policy in Samba 4.6.5
Hai Marcio,

> Can I remove Unix Attributes of the Administrator user and
> other administrator groups (set up NIS Domain to "none") ?

Yes, GID on Domain Admins is not a problem, but UID on Administrator is a big problem.
So yes, for user Administrator remove all unix tab settings.
( Don't forget to run: net cache flush )
And double check with: id Administrator.

A tip. For example, ( part of smb.conf, member with AD backend. )

    ## map ids outside the domain to tdb files.
    idmap config * :backend = tdb
    idmap config * :range = 2000-9999
    ## map ids from the domain the range may not overlap !
    idmap config NTDOM : backend = ad
    idmap config NTDOM : schema_mode = rfc2307
    idmap config NTDOM : range = 10000-3999999
    idmap config NTDOM : unix_nss_info = yes

id username shows:

    uid=10002(username) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10004(servers-ssh),2001

Now there is one error in that line. (the last GID 2001)

After running net cache flush:

    uid=10002(username) gid=10000(domain users) groups=10000(domain users),27(sudo),116(lpadmin),10004(servers-ssh),2001(BUILTIN\users)

*(sample of member with AD backend setup)

And this is correct: 2001(BUILTIN\users)

I have assigned all my (domain) windows "default groups" a GID, but I'm using these on multiple servers.
( These default groups are "domain" users/guests/computers/admins. )
! Think RID/AD, where you need the same id (GID) on every server. Most important.

Tip: it is no problem on a member to change RID to AD if needed, just change the backend, restart samba and winbind.
! WATCH OUT FOR YOUR RIGHTS ON THE SERVERS!!! You will lose these if UID/GIDS change.
Run: net cache flush.
!! AGAIN YOU NEED TO REAPPLY ALL RIGHTS ON THE FILE SERVER AFTER CHANGING RID <> AD BACKENDS.

Note: this does not apply for all setups, but users with multiple servers should think about this.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marcio Demetrio Bacci via samba
> Sent: Monday 3 July 2017 2:04
> To: Miguel Medalha; samba at lists.samba.org
> Subject: Re: [Samba] Can't create/update Group Policy in Samba 4.6.5
>
> Hi Miguel,
>
> I have given SeDiskOperatorPrivilege to "Domain Admins" group.
>
> *net rpc rights grant "EMPRESA\Domain Admins" SeDiskOperatorPrivilege -U "EMPRESA\administrator"*
> Enter EMPRESA\administrator's password:
> Successfully granted rights.
>
> I have executed the following commands, but OS and Server are empty:
>
> *smbclient //localhost/netlogon -UAdministrator -c 'ls'*
> Enter EMPRESA\Administrator's password:
> Domain=[EMPRESA] OS=[] Server=[]
>   .        D        0  Mon May 15 19:09:10 2017
>   ..       D        0  Sun Jul  2 17:07:24 2017
>
>         39189944 blocks of size 1024. 34372144 blocks available
>
>
> *smbclient -L localhost -U%*
> Domain=[EMPRESA] OS=[] Server=[]
>
>     Sharename       Type      Comment
>     ---------       ----      -------
>     netlogon        Disk
>     sysvol          Disk
>     IPC$            IPC       IPC Service (Samba 4.6.5)
> Domain=[EMPRESA] OS=[] Server=[]
>
>     Server               Comment
>     ---------            -------
>
>     Workgroup            Master
>     ---------            -------
>
> Regards,
>
> Márcio Bacci
>
>
> 2017-07-02 19:31 GMT-03:00 Miguel Medalha via samba
> <samba at lists.samba.org>:
>
> > > 1) Who is '30056' ? 30056 is the Administrator user.
> >
> > Administrator should remain as ID0.
> >
> > > 2) Have you given 'Administrator' a uidNumber ? Yes, I set up Unix
> > > Attribute to Administrator and "Domain Admins", "Domain Controllers"
> > > and other groups.
> >
> > Don't do it. Administrator is a special case.
> >
> > > 3) Have you given 'Domain Admins' the 'SeDiskOperatorPrivilege' ?
> > > No. Is necessary?
> >
> > Yes.
> >
> > You should follow this Samba Wiki guide:
> >
> > Setting up Samba as an Active Directory Domain Controller
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
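
An added example, not part of the original message and not Samba code: a Python check for the two points of the tip above, that the "idmap config" ranges in smb.conf do not overlap and that "id" output has no GID left without a name (the state seen before net cache flush). The function names are hypothetical; the sample inputs are constructed from the fragment and the id lines in the message.

```python
import re

# Constructed inputs: the smb.conf fragment and the two `id` lines from the message.
SMB_CONF = """\
## map ids from the domain the range may not overlap !
idmap config * :backend = tdb
idmap config * :range = 2000-9999
idmap config NTDOM : backend = ad
idmap config NTDOM : schema_mode = rfc2307
idmap config NTDOM : range = 10000-3999999
"""
ID_STALE = ("uid=10002(username) gid=10000(domain users) groups=10000(domain users),"
            "27(sudo),116(lpadmin),10004(servers-ssh),2001")
ID_FLUSHED = ID_STALE + "(BUILTIN\\users)"

# "idmap config <DOMAIN> : <option> = <value>", spacing around ':' may vary.
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+?)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config DOMAIN : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line)
        if not m or m.group(2).lower() != "range":
            continue
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", m.group(3))
        if r is None:
            raise ValueError(f"bad idmap range for {m.group(1)}: {m.group(3)!r}")
        ranges[m.group(1)] = (int(r.group(1)), int(r.group(2)))
    return ranges

def overlapping(ranges):
    """Return the pairs of domains whose ID ranges intersect."""
    doms = sorted(ranges)
    return [(a, b) for i, a in enumerate(doms) for b in doms[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def unresolved_ids(id_output):
    """Return numeric IDs in `id` output that carry no (name) after them."""
    no_names = re.sub(r"\([^)]*\)", "()", id_output)  # names may contain digits
    return [int(n) for n in re.findall(r"[=,](\d+)(?![\d(])", no_names)]

if __name__ == "__main__":
    print("ranges:", idmap_ranges(SMB_CONF))
    print("overlaps:", overlapping(idmap_ranges(SMB_CONF)))
    print("before flush, unresolved:", unresolved_ids(ID_STALE))
    print("after flush, unresolved:", unresolved_ids(ID_FLUSHED))
```

Run against the real smb.conf and the output of id for a few accounts on each member server, it gives a quick before/after comparison when a backend or range is changed.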