<snip>

Hi Rowland - I've spent the past few days going over the wiki and mailing lists. I think I've got the hang of idmaps. May I clarify a couple of things:

~ I have two DCs and one large fileserver (member). I'm using the 'ad' backend.
~ The only Windows group that needs a gidNumber attribute is Domain Users, to map this across to the member server.
~ Other standard domain groups shouldn't be mapped across, especially Domain Admins(!) due to e.g. sysvol ownership.
~ I may add my own domain users/groups to the DCs and add uid/gid to the attributes (avoiding overlapping ranges between domains, and avoiding the standard xid 3000000 range for builtin accounts).
~ I use the idmap parameters in smb.conf on the member server to map the newly added users/groups across to the member server.

I think this is correct and my domain seems healthy. All good!

My one remaining question concerns examples presented in the wiki - they routinely use 'Domain Admins' as an example for aspects such as setting up shares and permissions. I think this is where I have become unstuck in the past. If I set up the domain as per my understanding, Domain Admins cannot be used as in the example given in https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs because its gid is not mapped (and should not typically be mapped).

You gave me some good alternative advice, which I have used in my new domain, to create new admin groups that are members of Domain Admins. These new admin groups are given gids, and all is good. But I can't help thinking that the example in the wiki is misleading? It seems that anyone who follows this example with a member server will experience the gid mapping issues...

BTW - just wanted to offer a huge thanks for helping me out with this.

--
Rob Mason
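The range hygiene Rob describes (no overlap between domains, and nothing colliding with the default range winbind uses for BUILTIN and the other well-known SIDs) is worth checking mechanically before a member server is joined. The script below is an added example, not from this thread or from the Samba project: it parses the `idmap config <DOMAIN> : range = low-high` lines out of a constructed smb.conf fragment, reports overlapping ranges, and tells you whether a given uidNumber/gidNumber (such as the 10001 Louis shows for "domain admins" later in the thread) falls inside a domain's range. That last check matters because the 'ad' backend treats its range as a filter and ignores attribute values outside it. The domain names and ranges in the sample are made up.

```python
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment for a domain member: 'ad' backend for the own
# domain, 'rid' for a trusted domain, 'tdb' for the default ('*') range that
# winbind uses for BUILTIN groups and other well-known SIDs. The TRUSTED
# range deliberately overlaps SAMDOM so the checker has something to find.
SAMPLE_SMB_CONF = """
[global]
   security = ADS
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000000-3999999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   idmap config TRUSTED : backend = rid
   idmap config TRUSTED : range = 500000-1499999
"""

_RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*range\s*=\s*(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges: Dict[str, Tuple[int, int]] = {}
    for line in conf.splitlines():
        m = _RANGE_RE.match(line)
        if not m:
            continue
        lo, hi = int(m.group("lo")), int(m.group("hi"))
        if lo > hi:
            raise ValueError(f"range for {m.group('dom')} is inverted: {lo}-{hi}")
        ranges[m.group("dom")] = (lo, hi)
    return ranges


def find_overlaps(ranges: Dict[str, Tuple[int, int]]) -> List[Tuple[str, str]]:
    """Return the (a, b) domain pairs (a < b) whose ranges intersect."""
    names = sorted(ranges)
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            alo, ahi = ranges[a]
            blo, bhi = ranges[b]
            if alo <= bhi and blo <= ahi:  # closed intervals intersect
                hits.append((a, b))
    return hits


def in_range(ranges: Dict[str, Tuple[int, int]], domain: str, xid: int) -> bool:
    """True if a uidNumber/gidNumber lies inside the range configured for domain.
    With the 'ad' backend an attribute outside the range is ignored by winbind."""
    lo, hi = ranges[domain]
    return lo <= xid <= hi


def check_idmap_config(conf: str) -> List[str]:
    """Human-readable findings; an empty list means the ranges look sane."""
    ranges = parse_idmap_ranges(conf)
    problems = []
    if "*" not in ranges:
        problems.append("no 'idmap config * : range' (default backend) defined")
    for a, b in find_overlaps(ranges):
        problems.append(f"ranges overlap: {a} {ranges[a]} and {b} {ranges[b]}")
    return problems


if __name__ == "__main__":
    for p in check_idmap_config(SAMPLE_SMB_CONF) or ["no problems found"]:
        print(p)
```

Run it against a real smb.conf by reading the file into `check_idmap_config`; the regex only looks at `range` keys, so the backend lines are untouched and a missing `*` range is reported separately from overlaps.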
Hai,

I still don't understand the fuss about "domain admins" and no GID, because I'm running this for 3 years now. So... Again, what was the problem here? I don't remember it.. (sorry)

In my opinion, the problem is not "domain admins", the problem is Administrator. And because of that you need another "administrator user", that is a copy of Administrator's settings. AND this user must have a UID, but that's my vision about this problem.

I'll tell why this is my vision on the problem.

idmapping these 2:
DOMAIN
BUILTIN

And the diversity of options in setting up and different samba versions.. Which is the main problem in my opinion.

There should not be any "DOMAIN ADMINS" on sysvol. Simple as that.

This is a sysvol default: (this might be a bit off, but as example)

NT AUTHORITY\Authenticated Users:(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(GR,GE)
BUILTIN\Server Operators:(RX)
BUILTIN\Server Operators:(OI)(CI)(IO)(GR,GE)
BUILTIN\Administrators:(M,WDAC,WO)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M,WDAC,WO)
CREATOR OWNER:(OI)(CI)(IO)(F)

Where is domain admins? It's not there. Why... Because "domain admins" is member of: BUILTIN\Administrators

> <snip>
>
> Hi Rowland - I've spent the past few days going over the wiki
> and mailing lists. I think I've got the hang of idmaps. May I
> clarify a couple of things:
>
> ~ I have two DC's and one large fileserver (member). I'm using the 'ad' backend.
> ~ The only Windows group that needs a gidNumber attribute is Domain Users to map this across to the member server.

This depends all on what you need. My domain admins.. :

getent group "domain admins"
domain admins:x:10001:administrator,otherADMINuser
getent group "domain users"
domain users:x:10000:..(removed)
getent group "domain guests"
domain guests:x:10002:guest

> ~ Other standard domain groups shouldn't be mapped across, especially Domain Admins(!) due to e.g. sysvol ownership

This is not a problem, if configured correctly, but you just can't use the user ADMINISTRATOR to set things here. It must be OtherAdmin.

> ~ I may add my own domain user/group to the DC's and add uid/gid to the attributes (avoiding overlapping ranges between domains, and avoiding the standard xid 3000000 range for builtin accounts).
> ~ I use the idmap parameters in smb.conf on the member server to map the newly added users/groups across to the member server
>
> I think this is correct and my domain seems healthy. All good!.

All good as far as I can see.

> My one remaining question concerns examples presented in the wiki - they routinely use 'Domain Admin' as an example for aspects such as setting up shares and permissions.
> I think this is where I have become unstuck in the past. If I setup the domain as per my understanding, Domain Admins cannot be used as in the example given in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs because its gid is not mapped (and should not typically be mapped).

This depends. In your example, you run the AD backend. If you set 1 member with RID, then sure, works fine.

This:
# chown root:"Domain Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/

Might be better shown as:
# chown root:"Domain Admins" /srv/samba/Demo/
# chmod 1770 /srv/samba/Demo/

Or even better:
# chown otherAdmin:"Domain Admins" /srv/samba/Demo/
# chmod 3770 /srv/samba/Demo/

Why chmod 1770 (or 3770)? It adds creator owner and creator group to the windows ACL.
1XXX creator owner
2XXX creator group
3XXX creator owner and creator group

But again, this also depends on how you set up and what you want to run. Think: you have 1000 options and 3 are perfect for you. Think ahead what you want to do with samba and how you want to use it, this is very important.

For example, I wanted to add samba AD to my kodi machine, didn't think about anything.. Resulted in running samba standalone with guest shares again... :-/ Why? I did not think about the setup first.

> You gave me some good alternative advice, which I have used
> in my new domain, to create new admin groups that are members
> of Domain Admins. These new admin groups are given gids, and
> all is good. But I can't help thinking that example in the
> wiki is mis-leading?? It seems that anyone who follows this
> example with a member server will experience the gid mapping issues...
>
> BTW - just wanted to offer a huge thanks for helping me out with this.
>
> --
> Rob Mason
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Greetz,

Louis
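Louis's 0770 versus 1770/3770 point is about the two special bits on the share root. The Python below is an added example (not from the thread, the wiki or Samba) that decodes a mode into its special bits and rwx triplets and audits a directory against a simple share-root policy: setgid present, sticky present, no permissions for 'other', group writable. Its `demo()` creates a throwaway directory at 0770 as in the wiki step and then at 3770 as Louis suggests. The Samba-side mapping of these bits onto CREATOR OWNER / CREATOR GROUP ACL entries is Louis's statement and is not checked here; only the Unix semantics are.

```python
import os
import stat
import tempfile

# Meaning of the leading octal digit in a mode such as 3770, on the Unix side.
# (Louis's post says Samba surfaces these as CREATOR OWNER / CREATOR GROUP
# entries in the Windows ACL; this example checks only what the kernel enforces.)
SPECIAL_BITS = {
    "sticky": stat.S_ISVTX,  # 1XXX: only a file's owner (or root) may delete or rename it
    "setgid": stat.S_ISGID,  # 2XXX: files created inside inherit the directory's group
    "setuid": stat.S_ISUID,  # 4XXX: ignored for directories on Linux
}


def _rwx(bits: int) -> str:
    return "".join(ch if bits & b else "-" for ch, b in (("r", 4), ("w", 2), ("x", 1)))


def describe_mode(mode: int) -> dict:
    """Break 0o3770 into {'special': [...], 'owner': 'rwx', 'group': 'rwx', 'other': '---'}."""
    return {
        "special": sorted(name for name, flag in SPECIAL_BITS.items() if mode & flag),
        "owner": _rwx((mode >> 6) & 7),
        "group": _rwx((mode >> 3) & 7),
        "other": _rwx(mode & 7),
    }


def audit_share_dir(path: str, want_setgid=True, want_sticky=True, allow_other=False) -> list:
    """Return findings for a share root; an empty list means it matches the policy."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if want_setgid and not mode & stat.S_ISGID:
        findings.append("setgid (2XXX) missing: new files will not inherit the directory group")
    if want_sticky and not mode & stat.S_ISVTX:
        findings.append("sticky (1XXX) missing: any group member can delete other members' files")
    if not allow_other and mode & 0o007:
        findings.append(f"'other' has permissions {_rwx(mode & 7)}; expected ---")
    if not mode & 0o020:
        findings.append("group lacks write: group members cannot create files")
    return findings


def demo():
    """Audit a throwaway share root first at 0770 (wiki step), then at 3770 (Louis)."""
    with tempfile.TemporaryDirectory() as base:
        share = os.path.join(base, "Demo")  # constructed stand-in for /srv/samba/Demo
        os.mkdir(share)
        os.chmod(share, 0o770)
        before = audit_share_dir(share)
        os.chmod(share, 0o3770)
        after = audit_share_dir(share)
        return before, after


if __name__ == "__main__":
    print(describe_mode(0o3770))
    before, after = demo()
    print("0770 findings:", before)
    print("3770 findings:", after)
```

Point `audit_share_dir` at a real share root to see which of the two special bits the wiki's `chmod 0770` leaves off; the policy arguments let you relax it for shares where, say, sticky is not wanted.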
On Tue, 8 Jan 2019 08:42:40 +0000
Rob Mason <rob at acasta.co.uk> wrote:

> <snip>
>
> Hi Rowland - I've spent the past few days going over the wiki and
> mailing lists. I think I've got the hang of idmaps. May I clarify a
> couple of things:
>
> ~ I have two DC's and one large fileserver (member). I'm using the
> 'ad' backend.
> ~ The only Windows group that needs a gidNumber
> attribute is Domain Users to map this across to the member server.

Yes

> ~ Other standard domain groups shouldn't be mapped across, especially
> Domain Admins(!) due to e.g. sysvol ownership

There is absolutely no need to give any windows user or group a uidNumber or gidNumber, unless you want them to be also a Unix user or group. None of the 'Well Known SIDs' needs to be a Unix user or group.

> ~ I may add my own domain user/group to the DC's and add uid/gid to the attributes
> (avoiding overlapping ranges between domains, and avoiding the
> standard xid 3000000 range for builtin accounts).

Yes, as I said above, adding a uidNumber or gidNumber to a Windows user or group turns them into a Unix user or group, provided you use the 'ad' backend on Unix domain members.

> ~ I use the idmap parameters in smb.conf on the member server to map
> the newly added users/groups across to the member server
>
> I think this is correct and my domain seems healthy. All good!.

Good ;-)

> My one remaining question concerns examples presented in the wiki -
> they routinely use 'Domain Admin' as an example for aspects such as
> setting up shares and permissions. I think this is where I have
> become unstuck in the past. If I setup the domain as per my
> understanding, Domain Admins cannot be used as in the example given
> in
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
> because its gid is not mapped (and should not typically be mapped).

I didn't write that, and it is from experiments in trying to fix sysvolreset that led me to the conclusion that giving Domain Admins a gidNumber was a BAD idea: it just turned it into a group, and a group cannot own things on Unix.

> You gave me some good alternative advice, which I have used in my new
> domain, to create new admin groups that are members of Domain Admins.
> These new admin groups are given gids, and all is good. But I can't
> help thinking that example in the wiki is mis-leading?? It seems that
> anyone who follows this example with a member server will experience
> the gid mapping issues...

I will fix the wiki, as soon as I can

Rowland
On Tue, 8 Jan 2019 10:36:49 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> I still don't understand the fuss about "domain admins" and no GID
> because I'm running this for 3 years now. So... Again what was the
> problem here, I don't remember it.. (sorry)

The problem is that you use Administrators instead of Domain Admins, which, if you think about it, is the same as using another group instead of Domain Admins.

Rowland
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday 8 January 2019 11:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] idmap problems
>
> On Tue, 8 Jan 2019 10:36:49 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai,
> >
> > I still don't understand the fuss about "domain admins" and no GID
> > because I'm running this for 3 years now. So... Again what was the
> > problem here, I don't remember it.. (sorry)
>
> The problem is that you use Administrators instead of Domain Admins, which, if you think about it, is the same as using another group instead of Domain Admins.

No, that's not the problem.. I'm using it as Windows designed it by default.

Builtin\Administrators != "DOMAIN\Domain Admins" and DOM\Domain Admins is member of Builtin\Administrators

Now your idea..
Builtin\Administrators != "DOMAIN\Domain Admins" and DOM\ANY group, but is not default a member of Builtin\Administrators

Go here:
https://docs.microsoft.com/nl-nl/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory#appendix-b-privileged-accounts-and-groups-in-active-directory-1

Check out Table B-1: User Rights and Privileges
Table B-1: Built-in and Default Accounts and Groups in Active Directory
The important parts are the "Direct user rights" and "Inherited user rights."
That might help you understand what I'm trying to say.

My setup is set as close as possible to a windows domain setup.

I'm thinking in ..
ADDC-server BUILTIN <-> NTDOM <-> Workstations/users

Not
ADDC-server NTDOM <-> Workstations/users (this reflects more a member server)

And not
ADDC-server BUILTIN <-> Workstations/users (this reflects more a standalone server)

Greet,

Louis
On Tue, 8 Jan 2019 12:38:22 +0100
L.P.H. van Belle <belle at bazuin.nl> wrote:

> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Tuesday 8 January 2019 12:18
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] idmap problems
> >
> > On Tue, 8 Jan 2019 11:56:10 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> >
> > > > -----Original message-----
> > > > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > > > Rowland Penny via samba
> > > > Sent: Tuesday 8 January 2019 11:13
> > > > To: samba at lists.samba.org
> > > > Subject: Re: [Samba] idmap problems
> > > >
> > > > On Tue, 8 Jan 2019 10:36:49 +0100
> > > > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > > >
> > > > > Hai,
> > > > >
> > > > > I still don't understand the fuss about "domain admins" and no GID
> > > > > because I'm running this for 3 years now. So... Again what was the
> > > > > problem here, I don't remember it.. (sorry)
> > > >
> > > > The problem is that you use Administrators instead of Domain
> > > > Admins, which, if you think about it, is the same as using
> > > > another group instead of Domain Admins.
> > >
> > > No, that's not the problem.. I'm using it as Windows designed it by
> > > default.
> >
> > I do not think you are ;-)
>
> Ow I do think I am, ok, I lost my MCSE certification but I did have
> it. I've designed windows AD's since win2000

I bow to superior knowledge ;-)

> > > Builtin\Administrators != "DOMAIN\Domain Admins"
> >
> > That is perfectly obvious.
> >
> > > and DOM\Domain Admins is member of Builtin\Administrators
> >
> > Again correct
> >
> > > Now your idea..
> > > Builtin\Administrators != "DOMAIN\Domain Admins" and DOM\ANY group
> > > but is not default a member of Builtin\Administrators
> >
> > I am prepared to accept adding DOM\ANY to BUILTIN\Administrators,
> > but is it really any different to adding it to DOMAIN\Domain
> > Admins, when DOMAIN\Domain Admins is a member of
> > BUILTIN\Administrators ?
>
> In my opinion yes, if you don't add it in "domain admins" you are missing
> inherited rights.

I thought that an object inherited rights from the object above it, i.e. nested groups. So a group that is a member of Domain Admins would have the same rights as Administrators, because Domain Admins is a member of Administrators, or am I missing something ???

Rowland