Christian
2019-Jun-11 08:41 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
On 07.06.2019 at 17:48, Rowland penny via samba wrote:
> On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
>> On 05.06.2019 22:40, Rowland penny via samba wrote:
>>>> https://lists.samba.org/archive/samba/2019-June/223478.html
>>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>>>> gidNumber attribute."
>>> Domain Admins is a group that must own files in Sysvol. Samba runs
>>> on Unix and groups cannot own files on Unix, so Domain Admins is
>>> mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain
>>> Admins a group and a user. If you give Domain Admins a gidNumber
>>> attribute, it becomes just a group and cannot own files.
>>
>> Now I am confused. Reading "Adding a share" on domain member here:
>>
>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
>>
>> If with idmap-ad I do not set gidNumber to Domain Admins I will not
>> be able to chown to that group?
>>
>> Is it better to create another administrative group for managing file
>> permissions?
>>
>> Regards,
>> Łukasz
>
> OK, I will add something to that page :)
>
> Domain Admins needs to own files in Sysvol, Domain Admins is a group
> and groups cannot own files on Unix. To counter this, Domain Admins is
> mapped to 'ID_TYPE_BOTH' in idmap.ldb, this makes it a group and a
> user. If you give Domain Admins a gidNumber, it breaks this mapping
> and it just becomes a group and, as I said, groups cannot own files on
> Unix ;-)
>
> I personally create a group called 'Unix Admins', give this group a
> gidNumber and make it a member of the 'Administrators' group.
>
> If you use the 'rid' backend, then you do not need to do anything.

Rowland,

this discussion was very useful to me and not obvious at all from the existing documentation. Having recently assigned a uidNumber to Administrator and a gidNumber to Domain Admins, how would I undo this? ldbmodify and just remove the entries? Anything I need to change on the two DCs?

The permissions on the shares of the member servers are still easily fixed at this point. Not sure about our print server with driver download, though...

Thanks,
Christian
Rowland penny
2019-Jun-11 08:58 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
On 11/06/2019 09:41, Christian via samba wrote:
> On 07.06.2019 at 17:48, Rowland penny via samba wrote:
>> On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
>>> On 05.06.2019 22:40, Rowland penny via samba wrote:
>>>>> https://lists.samba.org/archive/samba/2019-June/223478.html
>>>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
>>>>> gidNumber attribute."
>>>> Domain Admins is a group that must own files in Sysvol. Samba runs
>>>> on Unix and groups cannot own files on Unix, so Domain Admins is
>>>> mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain
>>>> Admins a group and a user. If you give Domain Admins a gidNumber
>>>> attribute, it becomes just a group and cannot own files.
>>> Now I am confused. Reading "Adding a share" on domain member here:
>>>
>>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
>>>
>>> If with idmap-ad I do not set gidNumber to Domain Admins I will not
>>> be able to chown to that group?
>>>
>>> Is it better to create another administrative group for managing file
>>> permissions?
>>>
>>> Regards,
>>> Łukasz
>>>
>> OK, I will add something to that page :)
>>
>> Domain Admins needs to own files in Sysvol, Domain Admins is a group
>> and groups cannot own files on Unix. To counter this, Domain Admins is
>> mapped to 'ID_TYPE_BOTH' in idmap.ldb, this makes it a group and a
>> user. If you give Domain Admins a gidNumber, it breaks this mapping
>> and it just becomes a group and, as I said, groups cannot own files on
>> Unix ;-)
>>
>> I personally create a group called 'Unix Admins', give this group a
>> gidNumber and make it a member of the 'Administrators' group.
>>
>> If you use the 'rid' backend, then you do not need to do anything.
> Rowland,
>
> this discussion was very useful to me and not obvious at all from the
> existing documentation. Having recently assigned a uidNumber to
> Administrator and a gidNumber to Domain Admins, how would I undo this?
> ldbmodify and just remove the entries? Anything I need to change on the
> two DCs? The permissions on the shares of the member servers are still
> easily fixed at this point. Not sure about our print server with driver
> download, though... Thanks,
>
> Christian
>

Yes, the easiest way would be to use ldbmodify to delete the u/gidNumber attributes and, provided you haven't deleted anything from idmap.ldb, they should go back to their original 'xidNumbers', though you will probably have to run 'net cache flush' on all Unix domain members.

Rowland
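One way to script the clean-up Rowland describes, as an added example that is not code from the thread or from Samba: it emits the LDIF that ldbmodify consumes, deleting only the uidNumber/gidNumber attributes an object actually carries. The sam.ldb path is an assumption and the ldbsearch output is a constructed sample using the ad-test.vx domain from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: build the ldbmodify LDIF that removes
# uidNumber/gidNumber again, touching only attributes that are present.
# Assumption: sam.ldb is under /var/lib/samba/private; samples are constructed.
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"

# present_attrs "<ldbsearch output>" attr... -> prints each attr found in it
present_attrs() {
  _out=$1; shift
  for _a in "$@"; do
    printf '%s\n' "$_out" | grep -qi "^${_a}:" && printf '%s\n' "$_a"
  done
  return 0
}

# delete_ldif DN attr... -> one LDIF 'modify' record deleting each attribute
delete_ldif() {
  _dn=$1; shift
  [ $# -gt 0 ] || return 1
  printf 'dn: %s\nchangetype: modify\n' "$_dn"
  for _a in "$@"; do
    printf 'delete: %s\n-\n' "$_a"
  done
}

# Constructed stand-ins for: ldbsearch -H "$SAM_LDB" '(cn=...)' uidNumber gidNumber
SAMPLE_DOMAIN_ADMINS='dn: CN=Domain Admins,CN=Users,DC=ad-test,DC=vx
gidNumber: 10000'
SAMPLE_ADMINISTRATOR='dn: CN=Administrator,CN=Users,DC=ad-test,DC=vx
uidNumber: 10000
gidNumber: 10000'
SAMPLE_CLEAN='dn: CN=Unix Admins,CN=Users,DC=ad-test,DC=vx'

# cleanup_ldif "<ldbsearch output>" -> LDIF for that object, nothing if clean
cleanup_ldif() {
  _dn=$(printf '%s\n' "$1" | sed -n 's/^dn: //p')
  _attrs=$(present_attrs "$1" uidNumber gidNumber)
  [ -n "$_attrs" ] || return 0
  # $_attrs is deliberately unquoted: split on newlines into arguments
  delete_ldif "$_dn" $_attrs
}

for _s in "$SAMPLE_DOMAIN_ADMINS" "$SAMPLE_ADMINISTRATOR" "$SAMPLE_CLEAN"; do
  cleanup_ldif "$_s"
done
echo "# apply: ldbmodify -H $SAM_LDB <file>; then 'net cache flush' on each member"
```

Feed real `ldbsearch -H "$SAM_LDB" '(cn=Domain Admins)' uidNumber gidNumber` output to `cleanup_ldif` instead of the samples; the idmap.ldb entries are left alone, which is what lets the original xidNumbers come back.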
Jonathon Reinhart
2019-Jun-14 05:14 UTC
[Samba] Automatically assigning uidNumber / gidNumber attributes
> Domain Admins is mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a group and a user.

I looked on a brand new test DC (with nss-winbind), and it looks like it doesn't work right with winbind:

root@dc1# ls -l /var/lib/samba/sysvol/ad-test.vx/Policies/
total 16
drwxrwx---+ 4 3000004 ADTEST\domain admins 4096 Jun 13 21:41 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000004 ADTEST\domain admins 4096 Jun 13 21:41 {6AC1786C-016F-11D2-945F-00C04FB984F9}

root@dc1# wbinfo --gid-info 3000004
ADTEST\domain admins:x:3000004:

root@dc1# wbinfo --uid-info 3000004
failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for uid 3000004

root@dc1# smbcacls -k //dc1/sysvol ad-test.vx/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
REVISION:1
CONTROL:SR|PD|DP
OWNER:ADTEST\Domain Admins
GROUP:ADTEST\Domain Admins
ACL:ADTEST\Domain Admins:ALLOWED/OI|CI/FULL
ACL:ADTEST\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:ADTEST\Domain Admins:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ

On Tue, Jun 11, 2019 at 4:58 AM Rowland penny via samba <samba@lists.samba.org> wrote:
>
> On 11/06/2019 09:41, Christian via samba wrote:
> > On 07.06.2019 at 17:48, Rowland penny via samba wrote:
> >> On 07/06/2019 16:37, Łukasz Michalski via samba wrote:
> >>> On 05.06.2019 22:40, Rowland penny via samba wrote:
> >>>>> https://lists.samba.org/archive/samba/2019-June/223478.html
> >>>>> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
> >>>>> gidNumber attribute."
> >>>> Domain Admins is a group that must own files in Sysvol. Samba runs
> >>>> on Unix and groups cannot own files on Unix, so Domain Admins is
> >>>> mapped as ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain
> >>>> Admins a group and a user. If you give Domain Admins a gidNumber
> >>>> attribute, it becomes just a group and cannot own files.
> >>> Now I am confused. Reading "Adding a share" on domain member here:
> >>>
> >>> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Adding_a_Share
> >>>
> >>> If with idmap-ad I do not set gidNumber to Domain Admins I will not
> >>> be able to chown to that group?
> >>>
> >>> Is it better to create another administrative group for managing file
> >>> permissions?
> >>>
> >>> Regards,
> >>> Łukasz
> >>>
> >> OK, I will add something to that page :)
> >>
> >> Domain Admins needs to own files in Sysvol, Domain Admins is a group
> >> and groups cannot own files on Unix. To counter this, Domain Admins is
> >> mapped to 'ID_TYPE_BOTH' in idmap.ldb, this makes it a group and a
> >> user. If you give Domain Admins a gidNumber, it breaks this mapping
> >> and it just becomes a group and, as I said, groups cannot own files on
> >> Unix ;-)
> >>
> >> I personally create a group called 'Unix Admins', give this group a
> >> gidNumber and make it a member of the 'Administrators' group.
> >>
> >> If you use the 'rid' backend, then you do not need to do anything.
> > Rowland,
> >
> > this discussion was very useful to me and not obvious at all from the
> > existing documentation. Having recently assigned a uidNumber to
> > Administrator and a gidNumber to Domain Admins, how would I undo this?
> > ldbmodify and just remove the entries? Anything I need to change on the
> > two DCs? The permissions on the shares of the member servers are still
> > easily fixed at this point. Not sure about our print server with driver
> > download, though... Thanks,
> >
> > Christian
> >
> Yes, the easiest way would be to use ldbmodify to delete the u/gidNumber
> attributes and, provided you haven't deleted anything from idmap.ldb,
> they should go back to their original 'xidNumbers', though you will
> probably have to run 'net cache flush' on all Unix domain members.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba