On Thu, 24 Aug 2017, Rowland Penny via samba wrote:

> On Thu, 24 Aug 2017 12:41:36 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>
>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>
> I actually used worse words when I found out why I couldn't get my work
> on the python code to work. ;-)
>
>> Does this apply only to sysvolreset or also when fixing ACLs from
>> Windows?
>
> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> moment you give 'Domain Admins' a gidNumber, you break this mapping and
> the group becomes just a group and cannot own anything on a Unix
> machine, so my recommendation is to not give the group a gidNumber,
> create another group 'Unix Admins', give this group a gidNumber and
> make this group a member of 'Domain Admins'

So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers running samba-4.6.2-8.el7.x86_64 on CentOS 7.4. In setting up shares on the file servers I see that https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs says to grant SeDiskOperatorPrivilege to the Domain Admins group.

If I follow Rowland's advice above and make a Unix Admins group, do I still grant SeDiskOperatorPrivilege to Domain Admins or do I grant SeDiskOperatorPrivilege to Unix Admins?

I am thinking the "Unix Admins" group needs SeDiskOperatorPrivilege but I want to be sure.

Also, when I create the shares do I set the permissions to root:Unix Admins?

If I do getent group "domain admins" nothing returns, which I believe is because Domain Admins does not have a Unix GID assigned.

If I do:

(vfs2 pts4) # getent group "unix admins"
unix admins:x:10001:
(vfs2 pts4) #

That works. Since unix admins is a member of domain admins, is that good enough?

I am trying very hard to get this right, but given all of these special cases and documentation that gives different advice, it is difficult at best. I would not have any chance of getting this working without all of the help on this list.

Thank You!!

Regards,

--
Tom    me at tdiehl.org
Spamtrap address    me123 at tdiehl.org
On Thu, 31 Aug 2017 16:04:42 -0400 (EDT)
me at tdiehl.org wrote:

> On Thu, 24 Aug 2017, Rowland Penny via samba wrote:
>
>> On Thu, 24 Aug 2017 12:41:36 +0200
>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>>
>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>
>> I actually used worse words when I found out why I couldn't get my
>> work on the python code to work. ;-)
>>
>>> Does this apply only to sysvolreset or also when fixing ACLs from
>>> Windows?
>>
>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
>> idmap.ldb, this makes it able to own files and dirs in sysvol. The
>> moment you give 'Domain Admins' a gidNumber, you break this mapping
>> and the group becomes just a group and cannot own anything on a Unix
>> machine, so my recommendation is to not give the group a gidNumber,
>> create another group 'Unix Admins', give this group a gidNumber and
>> make this group a member of 'Domain Admins'
>
> So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers
> running samba-4.6.2-8.el7.x86_64 on CentOS 7.4. In setting up shares
> on the file servers I see that
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> says to grant SeDiskOperatorPrivilege to the Domain Admins group.
>
> If I follow Rowland's advice above and make a Unix Admins group, do I
> still grant SeDiskOperatorPrivilege to Domain Admins or do I grant
> SeDiskOperatorPrivilege to Unix Admins?
>
> I am thinking the "Unix Admins" group needs SeDiskOperatorPrivilege but I
> want to be sure.

Basically, wherever the wiki page mentions 'Domain Admins', use 'Unix Admins' instead (you don't have to use a group called 'Unix Admins', it just seemed a logical name to me). So yes, you give both a gidNumber and 'SeDiskOperatorPrivilege' to 'Unix Admins'; you will also need to make 'Unix Admins' a member of 'Domain Admins'.

> Also, when I create the shares do I set the permissions to root:Unix
> Admins?

Yes, or 'Unix Admins' will not be able to do anything.

> If I do getent group "domain admins" nothing returns, which I believe
> is because Domain Admins does not have a Unix GID assigned.

Good, whilst 'Domain Admins' isn't used by the default GPOs, it is used (as an owner) by other GPOs you will add.

> If I do:
> (vfs2 pts4) # getent group "unix admins"
> unix admins:x:10001:
> (vfs2 pts4) #
>
> That works. Since unix admins is a member of domain admins, is that
> good enough?

Yes.

> I am trying very hard to get this right, but given all of these
> special cases and documentation that gives different advice, it is
> difficult at best. I would not have any chance of getting this
> working without all of the help on this list.

If you compare what Samba sets 'sysvol' to with what a Windows 2012R2 does, there are lots of differences. These don't really affect the default GPOs, but they do affect any other GPOs added, and I cannot attempt to fix the python code until the underlying 'C' code is fixed; I cannot do this because I do not understand 'C'.

Rowland
On Thu, 31 Aug 2017, Rowland Penny via samba wrote:

> On Thu, 31 Aug 2017 16:04:42 -0400 (EDT)
> me at tdiehl.org wrote:
>
>> On Thu, 24 Aug 2017, Rowland Penny via samba wrote:
>>
>>> On Thu, 24 Aug 2017 12:41:36 +0200
>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>>
>>> I actually used worse words when I found out why I couldn't get my
>>> work on the python code to work. ;-)
>>>
>>>> Does this apply only to sysvolreset or also when fixing ACLs from
>>>> Windows?
>>>
>>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
>>> idmap.ldb, this makes it able to own files and dirs in sysvol. The
>>> moment you give 'Domain Admins' a gidNumber, you break this mapping
>>> and the group becomes just a group and cannot own anything on a Unix
>>> machine, so my recommendation is to not give the group a gidNumber,
>>> create another group 'Unix Admins', give this group a gidNumber and
>>> make this group a member of 'Domain Admins'
>>
>> So I have 2 Samba AD DCs running 4.7.0rc5 and 2 member file servers
>> running samba-4.6.2-8.el7.x86_64 on CentOS 7.4. In setting up shares
>> on the file servers I see that
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>> says to grant SeDiskOperatorPrivilege to the Domain Admins group.
>>
>> If I follow Rowland's advice above and make a Unix Admins group, do I
>> still grant SeDiskOperatorPrivilege to Domain Admins or do I grant
>> SeDiskOperatorPrivilege to Unix Admins?
>>
>> I am thinking the "Unix Admins" group needs SeDiskOperatorPrivilege but I
>> want to be sure.
>
> Basically, wherever the wiki page mentions 'Domain Admins', use 'Unix
> Admins' instead (you don't have to use a group called 'Unix Admins', it
> just seemed a logical name to me). So yes, you give both a gidNumber
> and 'SeDiskOperatorPrivilege' to 'Unix Admins'; you will also need to
> make 'Unix Admins' a member of 'Domain Admins'.
>
>> Also, when I create the shares do I set the permissions to root:Unix
>> Admins?
>
> Yes, or 'Unix Admins' will not be able to do anything.
>
>> If I do getent group "domain admins" nothing returns, which I believe
>> is because Domain Admins does not have a Unix GID assigned.
>
> Good, whilst 'Domain Admins' isn't used by the default GPOs, it is used
> (as an owner) by other GPOs you will add.
>
>> If I do:
>> (vfs2 pts4) # getent group "unix admins"
>> unix admins:x:10001:
>> (vfs2 pts4) #
>>
>> That works. Since unix admins is a member of domain admins, is that
>> good enough?
>
> Yes.

Thanks for the quick response. One more question: when I created the Unix Admins group using ADUC, I noticed that there was a place to add members on the Unix Attributes tab. Should I be adding users there, on the Members tab, or both?

Regards,

--
Tom    me at tdiehl.org
Spamtrap address    me123 at tdiehl.org
Hai,

Some comment on..

> Basically, wherever the wikipage mentions 'Domain Admins'
> use 'Unix Admins' instead (you don't have to use a group
> called 'Unix Admins', it just seemed a logical name to me),
> so yes, you give both a gidNumber and
> 'SeDiskOperatorPrivilege' to 'Unix Admins', you will also
> need to make 'Unix Admins' a member of 'Domain Admins'
>

I don't agree here and I explain why, but correct where needed if you don't agree. Do explain please, so we can all learn from it.

Keep in mind here also, I try to reflect MS Windows as close as possible where possible.
Remember things like this; this is not only for Administrators but involves all default groups.

1) BUILTIN\Administrators ( Also seen as DOMAIN\Administrators or SERVERNAME\Administrators ) ( other groups like this, see OU=Builtin in your AD. )
2) DOMAIN\Domain Admins
3) DOMAIN\Unix Admins ( as example )
4) Use "winbind use default domain = yes", even when it's not recommended; helps if you need Linux access.
5) "winbind expand groups = 2" is minimal with this setup. Samba default = 0.
6) Too much nesting of groups in depth will slow down your Samba.

Extra comments on above.

1a) needs the SePrivileges.
2a) is always member of 1 ( but can have SePrivileges also, depends on the how/where/what )
3a) can be any name you want, add gid, etc. ( but can have SePrivileges also, depends on the how/where/what )
    Imo, should be added to your Domain Admins if your Unix admins are only allowed in domain things and local server.
    OR, if you should be able to do everything on your server and management through RSAT tools, add (also) to BUILTIN\Administrators.
4a) only needed imo when you also "work" on the Linux CLI. If you have only Windows clients, you don't need it.
5a) No comment, it's as it says.
6a) Think in advance about your setup. I have my setup at max 4 nested groups.

So, imo, this is best to match with "how" Windows does its things.

Just remember this also.

1) root is always Administrator
2) DOMAIN\Administrator should NEVER have any uid/gid
3) Create a new DOMAIN\Admin and give that one a UID.
4) PAM in most cases with Kerberos sets a min UID=1000, so the "new" DOMAIN\Admin is able to login with ssh when it has a UID.

Extra comment on above.

1a) user Administrator workaround, without it you are unable to set privileges, so yes, username map = /etc/samba/samba_usermapping is really needed.
    And always set minimal :
    !root = DOMAIN\Administrator DOMAIN\administrator
    Optional :
    !root = DOMAIN\Administrator DOMAIN\administrator Administrator administrator
    (Personally I only use the minimal setup because DOMAIN\Administrator IS NOT EQUAL TO Administrator, these are different users.)
2a) As it states, Administrator, NEVER SET A UID/GID, it will mess up your server. Just don't do it. ( if you did, remove it, run: net cache flush and restart samba/winbind to make sure it's gone, and check again.)
3a) This is preferred; if you create one, make sure you check for the same settings and groups as Administrator.
4a) This is why you should create a new Admin, so you can login with ssh without changing system defaults. This is my personal preference, not changing defaults where possible; this helps in the long run.

And now you know this, for your sysvolreset. Have a look here: https://github.com/thctlo/samba4
I'm putting my well tested script on GitHub, and please improve my code where it's possible. ;-)
There are better coders here than me to be honest, I just have some good ideas now and then.

Checkout : samba-check-set-sysvol.sh
Tested by me and Rowland, on Debian related servers.
It tests SID to UID/GID, SID to NAME, NAME to SID and if all correct it sets the UID/GID rights for sysvol.
And it sets up the correct ( as close to ) rights for your sysvol.

Any comments, yes please, but keep it nice if you don't agree, and explain why.

Greetz,

Louis
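The checks Rowland and Louis describe above (no gidNumber on 'Domain Admins' so it stays ID_TYPE_BOTH in idmap.ldb, a gidNumber on the helper group that is itself a member of 'Domain Admins', and no uidNumber/gidNumber on Administrator) can be audited offline from ldbsearch output. This is an added example, not code from the thread or from Louis's script; the LDIF samples, the domain SID S-1-5-21-1111-2222-3333 and DC=example,DC=com are constructed placeholders.

```python
# Constructed sample data, not from a real DC; S-1-5-21-1111-2222-3333 is a placeholder domain SID.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-512
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_BOTH
xidNumber: 3000000
"""
AD_LDIF = """\
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111-2222-3333-512
member: CN=Unix Admins,CN=Users,DC=example,DC=com

dn: CN=Unix Admins,CN=Users,DC=example,DC=com
sAMAccountName: Unix Admins
gidNumber: 10001

dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (as printed by ldbsearch); blank lines separate entries."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def audit(idmap_ldif, ad_ldif, unix_group="Unix Admins"):
    """Return findings where the setup deviates from the thread's advice; [] means all checks pass."""
    idmap = {e["objectSid"][0]: e for e in parse_ldif(idmap_ldif) if "objectSid" in e}
    objs = {e["sAMAccountName"][0]: e for e in parse_ldif(ad_ldif) if "sAMAccountName" in e}
    da, ua, adm = objs.get("Domain Admins", {}), objs.get(unix_group, {}), objs.get("Administrator", {})
    findings = []
    if "gidNumber" in da:   # a gidNumber turns Domain Admins into a plain group that cannot own sysvol
        findings.append("Domain Admins has a gidNumber; remove it")
    if idmap.get(da.get("objectSid", [""])[0], {}).get("type") != ["ID_TYPE_BOTH"]:
        findings.append("Domain Admins is not ID_TYPE_BOTH in idmap.ldb")
    if "gidNumber" not in ua:   # without it getent group will not resolve the group
        findings.append(f"{unix_group} has no gidNumber")
    if ua.get("dn", [""])[0] not in da.get("member", []):
        findings.append(f"{unix_group} is not a member of Domain Admins")
    if "uidNumber" in adm or "gidNumber" in adm:   # the thread says never give Administrator a uid/gid
        findings.append("Administrator has a uidNumber/gidNumber")
    return findings
```

On a real DC the two inputs would come from `ldbsearch -H /usr/local/samba/private/idmap.ldb` and an `ldbsearch` against sam.ldb for the three objects; the parser only handles the simple one-line attributes shown.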