samba - May 2023 - More on sysvol maintenance

On 24/05/2023 16:12, Luis Peromarta via samba wrote:
> Yes and yes, 1007
> On 24 May 2023 at 17:07 +0200, samba at lists.samba.org, wrote:
>>
>> Are you by any chance using rfc2307 attributes and if so, have you
given
>> Domain Admins a gidNumber ?
OK, then I suggest you write out 100 times:

I must read the Samba wiki

Particularly this page:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs#Granting_the_SeDiskOperatorPrivilege_Privilege

Windows has this quaint idea that groups can own things, Unix hasn't. 
When you gave Domain Admins a gidNumber, you turned it from a Windows 
group into a Unix group.

You now have two options:

Remove 'idmap_ldb:use rfc2307 = yes' from your DC's smb.conf , this
will
allow the DC to ignore the rfc2307 attributes (all of them) and Domain 
Admims will become a Windows group again (you will probably need to run 
'net cache flush')

Remove the gidNumber attribute from Domain Admins

Rowland

I never got this right? :(

Which option is safer ? This is a production environment. All users and groups
have bid / guid numbers.

Will removing guid from domain admins break anything else ? I use my own
username mad\Luis (domain admin) to do stuff??on the domain and member servers.
Most shares have full permission for domain admins. Will this break anything?

I also never got to??properly work the user.map as in

username map = /usr/local/samba/etc/user.map

With content

!root = SAMDOM\Administrator

Is this needed for DCs also ?

Thanks Rowland for your patience.
On 24 May 2023 at 17:32 +0200, samba at lists.samba.org,
wrote:
>
> Remove 'idmap_ldb:use rfc2307 = yes' from your DC's smb.conf ,
this will
> allow the DC to ignore the rfc2307 attributes (all of them) and Domain
> Admims will become a Windows group again (you will probably need to run
> 'net cache flush')
>
> Remove the gidNumber attribute from Domain Admins