On 24/05/2023 16:48, Luis Peromarta wrote:
> I never got this right? :(
>
> Which option is safer ? This is a production environment. All users and
> groups have bid / guid numbers.
>
> Will removing guid from domain admins break anything else ?
I take it that by guid, you actually mean gidNumber, a guid is something
else entirely.
> I use my own
> username mad\Luis (domain admin) to do stuff on the domain and member
> servers. Most shares have full permission for domain admins. Will this
> break anything?
>
> I also never got to properly work the user.map as in
>
> username map = /usr/local/samba/etc/user.map
>
> With content
>
> !root = SAMDOM\Administrator
That should work on a Unix domain member, unless you have given
Administrator a uidNumber attribute.
>
> Is this needed for DCs also ?
No, something similar is done in idmap.ldb
Let's see if I can explain it a bit better :-)
Users and groups in AD are unknown to Unix, which is where Samba comes
in. Samba allows you to map AD users and groups to Unix users and
groups. You can do this globally by using the 'ad' backend on Unix
domain members, which requires adding uidNumber and gidNumber attributes
to AD. Or you can use the rid or autorid idmap backends, which don't
require adding anything to AD.
The problem with using the 'ad' backend is that there is another backend
that is used on a DC: idmap.ldb. If you do add uidNumber and gidNumber
attributes to AD, then these will override the xidNumber attributes in
idmap.ldb and for most things, this will not be a problem, except for
the groups in idmap.ldb that are also ID_TYPE_BOTH. Being ID_TYPE_BOTH
means that a group is also a user (as far as Unix is concerned) and can
own files and directories; one of these groups is Domain Admins.
If Domain Admins isn't both a group and a user, it cannot own anything
in sysvol and the group needs to.
As I said, there are two ways around this: do not set 'idmap_ldb:use
rfc2307 = yes' in the DC's smb.conf, and the gidNumber attributes will be
ignored. Or do not give Domain Admins a gidNumber and create another
group to use on Unix instead of Domain Admins.
Rowland
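The failure mode Rowland describes, as an added Python model that is not part of the thread: the DC's 'idmap_ldb:use rfc2307' setting, the group's AD gidNumber and its idmap.ldb record are combined to decide whether Domain Admins keeps an ID_TYPE_BOTH mapping and can therefore still own files in sysvol. The smb.conf fragment, the idmap.ldb record and the domain SID are constructed samples.

```python
import configparser

# Constructed DC smb.conf fragment; the risky parametric option is present.
SMB_CONF = """
[global]
    realm = SAMDOM.EXAMPLE.COM
    idmap_ldb:use rfc2307 = yes
"""

# Constructed idmap.ldb record for Domain Admins (RID 512); the domain SID is a placeholder.
IDMAP_LDB_RECORD = """
dn: CN=S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-512
objectClass: sidMap
objectSid: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-512
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

def uses_rfc2307(smb_conf: str) -> bool:
    """True if the DC honours AD uidNumber/gidNumber (idmap_ldb:use rfc2307)."""
    # ':' must not be a key/value delimiter or the parametric option name is split.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(smb_conf)
    value = cp.get("global", "idmap_ldb:use rfc2307", fallback="no")
    return value.strip().lower() in ("yes", "true", "1")

def ldb_type(record: str) -> str:
    """Return the 'type' attribute of an idmap.ldb LDIF record (e.g. ID_TYPE_BOTH)."""
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "type":
            return value.strip()
    raise ValueError("record has no type attribute")

def effective_type(smb_conf: str, ad_gid_number, idmap_record: str) -> str:
    """Mapping type the DC ends up using for the group.

    With use rfc2307 on, an AD gidNumber overrides the idmap.ldb xidNumber and
    gives a group-only mapping; otherwise the idmap.ldb record (and its type) stands.
    """
    if uses_rfc2307(smb_conf) and ad_gid_number is not None:
        return "ID_TYPE_GID"
    return ldb_type(idmap_record)

def domain_admins_can_own_sysvol(smb_conf: str, ad_gid_number, idmap_record: str) -> bool:
    """Only an ID_TYPE_BOTH mapping lets the group own files, which sysvol needs."""
    return effective_type(smb_conf, ad_gid_number, idmap_record) == "ID_TYPE_BOTH"
```

Passing a gidNumber (any value) with the setting on reproduces the broken case; either setting the option to no or passing None for the gidNumber corresponds to the two fixes in the reply.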