On 25.02.20 at 14:54, Rowland penny via samba wrote:
> On 25/02/2020 13:49, Stefan G. Weichinger via samba wrote:
>> On 25.02.20 at 14:30, Rowland penny via samba wrote:
>>
>>> OK, I give in, I will alter the wiki page, if you use the 'rid' or
>>> 'autorid'? backend, you can use Domain Admins, just do not give Domain
>>> Admins a gidNumber.
>> While you're at it ;-)
>>
>> It also isn't clear to me where "Unix Admins" comes from.
> Out of my head ;-)
>>
>> I have to add that group on the DC, add my admin-users ... right? Then
>> grant the SeDiskOperatorPrivilege ... then chgrp the files in the share?
>
> You do not need it, it is only required if using the winbind 'ad'
> backend and only then if you don't want possible problems with sysvol.

What? Now I *don't* need it?

Sorry, can't follow here.

So far I was only able to get that mostly working by doing "chown -R
Administrator:10513" or so ...

Right now I can't access the ACLs from Windows at all (on that share,
with DOM\Administrator).

Feels like a loop ....
On 25/02/2020 14:01, Stefan G. Weichinger via samba wrote:
> On 25.02.20 at 14:54, Rowland penny via samba wrote:
>> On 25/02/2020 13:49, Stefan G. Weichinger via samba wrote:
>>> On 25.02.20 at 14:30, Rowland penny via samba wrote:
>>>
>>>> OK, I give in, I will alter the wiki page, if you use the 'rid' or
>>>> 'autorid'? backend, you can use Domain Admins, just do not give Domain
>>>> Admins a gidNumber.
>>> While you're at it ;-)
>>>
>>> It also isn't clear to me where "Unix Admins" comes from.
>> Out of my head ;-)
>>> I have to add that group on the DC, add my admin-users ... right? Then
>>> grant the SeDiskOperatorPrivilege ... then chgrp the files in the share?
>> You do not need it, it is only required if using the winbind 'ad'
>> backend and only then if you don't want possible problems with sysvol.
> What? Now I *don't* need it?

Bad choice of words there, you do not need 'Unix Admins', you can use
'Domain Admins' instead. You only need to use 'Unix Admins' if you use
the winbind 'ad' backend and do not care if you mess up sysvol.

If you add GPOs, then they can be owned by Domain Admins (something that
normally cannot happen on Unix). This is because Domain Admins is mapped
to 'ID_TYPE_BOTH' in idmap.ldb. If you give Domain Admins a gidNumber,
it becomes just a group and cannot own anything in sysvol. On a Unix
domain member using the 'rid' backend, the mapping is done locally and
does not affect idmap.ldb.

>
> Sorry, can't follow here.
>
> So far I was only able to get that mostly working by doing "chown -R
> Administrator:10513" or so ...
>
> Right now I can't access the ACLs from Windows at all (on that share,
> with DOM\Administrator).
>
> Feels like a loop ....

Possibly a German loop ;-)

Rowland
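Rowland's point that the 'rid' backend does its mapping locally on the member is easier to follow with the arithmetic written out. What follows is an added illustration, not code from this thread or from Samba: idmap_rid assigns ID = LOW_RANGE + (RID - BASE_RID), with BASE_RID defaulting to 0, and maps nothing that would fall outside the configured range. The domain SID and the range 10000-999999 (the value the Samba wiki's member examples use; Stefan's actual smb.conf is not on the page) are assumed. Under that assumption, his "chown -R Administrator:10513" made Domain Users (RID 513) the group owner, Domain Admins (RID 512) would be gid 10512, and BUILTIN\Administrators (S-1-5-32-544) is not a domain SID at all, so winbind hands it to the default '*' backend rather than to idmap_rid. None of this applies on the DC itself, whose mapping lives in idmap.ldb as Rowland describes.

```python
"""idmap_rid SID-to-ID arithmetic worked out for a Unix domain member.

Added example; not code from the samba mailing list or from Samba.
The domain SID and the idmap range are constructed sample values.
"""

import re

# Assumed smb.conf on the member (constructed for this example):
#   idmap config * : backend = tdb
#   idmap config * : range = 3000-7999
#   idmap config CUSTOMER : backend = rid
#   idmap config CUSTOMER : range = 10000-999999
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
IDMAP_LOW, IDMAP_HIGH = 10000, 999999
BASE_RID = 0  # idmap_rid default

# Well-known domain RIDs as defined by Microsoft (these are not assumptions)
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

_DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rid_to_id(rid, low=IDMAP_LOW, high=IDMAP_HIGH, base_rid=BASE_RID):
    """ID that idmap_rid assigns to a RID, or None if it lands outside the range."""
    xid = low + (rid - base_rid)
    return xid if low <= xid <= high else None


def id_to_rid(xid, low=IDMAP_LOW, high=IDMAP_HIGH, base_rid=BASE_RID):
    """Inverse mapping: which RID a uid/gid taken from the rid range stands for."""
    return xid - low + base_rid if low <= xid <= high else None


def sid_to_id(sid, domain_sid=DOMAIN_SID, **range_kw):
    """Map a SID the way idmap_rid does for the one domain it is configured for.

    SIDs from any other domain, including BUILTIN (S-1-5-32-...), return None:
    idmap_rid is only consulted for its own domain; winbind sends the rest to
    the default ('*') backend, which allocates from its own range.
    """
    m = _DOMAIN_SID_RE.match(sid)
    if not m or m.group(1) != domain_sid:
        return None
    return rid_to_id(int(m.group(2)), **range_kw)


def describe_id(xid):
    """Explain a numeric uid/gid seen on the member (e.g. in ls -l output)."""
    rid = id_to_rid(xid)
    if rid is None:
        return f"{xid}: not in the rid range, allocated by another backend"
    name = WELL_KNOWN_RIDS.get(rid, f"RID {rid}")
    return f"{xid}: {name} (RID {rid}) via idmap_rid"


if __name__ == "__main__":
    # The gid from "chown -R Administrator:10513" in the thread:
    print(describe_id(10513))
    for rid, name in WELL_KNOWN_RIDS.items():
        print(f"{name:14s} -> {rid_to_id(rid)}")
    print("BUILTIN\\Administrators ->", sid_to_id("S-1-5-32-544"))
```

The practical consequence for the share in question: with the rid backend, Domain Admins gets a perfectly usable gid on the member without anyone adding a gidNumber in AD, so the group can be used in the share's ACLs and in `chgrp` directly; the gidNumber warning only matters for the DC's idmap.ldb and sysvol.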
On 25.02.20 at 15:16, Rowland penny via samba wrote:
> On 25/02/2020 14:01, Stefan G. Weichinger via samba wrote:
>> On 25.02.20 at 14:54, Rowland penny via samba wrote:
>>> You do not need it, it is only required if using the winbind 'ad'
>>> backend and only then if you don't want possible problems with sysvol.
>> What? Now I *don't* need it?
>
> Bad choice of words there, you do not need 'Unix Admins', you can use
> 'Domain Admins' instead. You only need to use 'Unix Admins' if you use
> the winbind 'ad' backend and do not care if you mess up sysvol.
>
> If you add GPOs, then they can be owned by Domain Admins (something that
> normally cannot happen on Unix). This is because Domain Admins is mapped
> to 'ID_TYPE_BOTH' in idmap.ldb. If you give Domain Admins a gidNumber,
> it becomes just a group and cannot own anything in sysvol. On a Unix
> domain member using the 'rid' backend, the mapping is done locally and
> does not affect idmap.ldb.

Hm, I understand that partially, it seems.

Fact is that I can't edit the share from within Windows with the
DOM\Administrator user right now. No read permissions .. That is bad ...

That user is a member of both DOM\IT and DOM\Domänen-Admins

and should have the needed privilege:

# net rpc rights list privileges SeDiskOperatorPrivilege -U "CUSTOMER\administrator"
Enter CUSTOMER\administrator's password:
SeDiskOperatorPrivilege:
CUSTOMER\Administrator
BUILTIN\Administrators
CUSTOMER\IT