Okay here we go again. This is what I've done.
1.- Created Unix Admins groups
2.- Remove gidNumber from Domain Admins group (10007)
3.- Add gidNumber 10007 to Unix Admins
4.- Add Unix Admins to Domain admins group
5.- Added me, MAD\Luis, to Unix Admins. I am also in the Domain Admins group.
I understand that on the Unix side of the member server, wherever I previously read
Domain Admins, I will now read Unix Admins - no other damage done.
On DC2, I was now able to run sysvolreset; all GPOs now are as follows (no errors after
sysvolreset and no output from sysvolcheck):
8.0K drwxrwx---+  4 root              BUILTIN\administrators 4.0K Nov  7  2022 ..
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Apr 15 22:34 {0491EEAA-BF8A-43BE-98CA-72128C7EC0EA}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {06D5E045-DF21-45AA-962A-41CB3F665FCC}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {0723DCE9-C915-492A-9423-104BE034BCEF}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {0769489D-FC31-4244-AB87-4EE2C4E20CCC}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {0A529EA3-06B6-4FE1-BC51-AB793E6A4523}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {1111C19B-0CB9-4BA9-BFF1-3648F3862F93}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {31B2F340-016D-11D2-945F-00C04FB984F9}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {3548966F-440A-43D9-B05E-E681AD3B58F9}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {3B09CD87-EF3C-4959-A8E8-C82B95FB5148}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {69F60D78-F2EF-41F5-863A-4B7698D939BA}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {6AC1786C-016F-11D2-945F-00C04FB984F9}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {78ADF699-01E8-4F99-84B4-7EB4430E7105}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {790FBA77-CE1A-4B93-B66B-2A97880DE31D}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {90D103E0-3AA7-4A18-8E51-501F73658A1C}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  7  2022 {B0AC4C94-9949-4FC2-8F54-CAADFDAD95D4}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {B2250B1E-DDCC-4267-9816-D115CCF24735}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {B7D7E89E-002B-4FCB-80F8-534C2976483C}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Apr 15 22:10 {BE3B49C3-C557-4B1B-8B12-A1023D12D9D7}
8.0K drwxrwx---+  5 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {CA510ED6-934C-47FC-B81D-6942A39D3DE6}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {D2B5681B-E6B8-4B00-AF76-D81477BD19A6}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov  4  2022 {E285AB09-81A3-4AC8-9195-434B56F22D60}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Nov 28 11:20 {EB06228D-84E1-456F-8F88-06A36EA3EB4D}
8.0K drwxrwx---+  4 MAD\domain admins MAD\domain admins      4.0K Feb  1 17:13 {EC8AFE87-C57A-4AE7-A9FC-8A82CB8745DA}
Just as it should probably be.
Sysvol permissions:
./sysvol:
total 20K
8.0K drwxrwx---+  3 root BUILTIN\administrators 4.0K May 25 21:05 .
4.0K drwxr-xr-x  10 root root                   4.0K May 25 20:40 ..
8.0K drwxrwx---+  4 root BUILTIN\administrators 4.0K Nov  7  2022 mad.mater.int

./sysvol/mad.mater.int:
total 32K
8.0K drwxrwx---+  4 root BUILTIN\administrators 4.0K Nov  7  2022 .
8.0K drwxrwx---+  3 root BUILTIN\administrators 4.0K May 25 21:05 ..
8.0K drwxrwx---+ 27 root BUILTIN\administrators 4.0K May 25 20:56 Policies
8.0K drwxrwx---+  2 root BUILTIN\administrators 4.0K Nov  4  2022 scripts
Are these right?
I still cannot change share permissions on the sysvol from Windows via Computer
Manager. I get permission denied.
All the best,
On 24 May 2023 at 23:15 +0200, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On 24/05/2023 16:48, Luis Peromarta wrote:
> > I never got this right :(
> >
> > Which option is safer? This is a production environment. All users and
> > groups have bid / guid numbers.
> >
> > Will removing guid from domain admins break anything else?
>
> I take it that by guid, you actually mean gidNumber, a guid is something
> else entirely.
>
>
> > I use my own
> > username mad\Luis (domain admin) to do stuff on the domain and member
> > servers. Most shares have full permission for domain admins. Will this
> > break anything?
> >
> > I also never got the user.map to work properly, as in
> >
> > username map = /usr/local/samba/etc/user.map
> >
> > With content
> >
> > !root = SAMDOM\Administrator
>
> That should work on a Unix domain member, unless you have given
> Administrator a uidNumber attribute.
>
> >
> > Is this needed for DCs also ?
>
> No, something similar is done in idmap.ldb
>
> Lets see if I can explain it a bit better :-)
>
> Users and groups in AD are unknown to Unix, which is where Samba comes
> in. Samba allows you to map AD users and groups to Unix users and
> groups. You can do this globally by using the 'ad' backend on Unix
> domain members, which requires adding uidNumber and gidNumber attributes
> to AD. Or you can use the rid or autorid idmap backends, which don't
> require adding anything to AD.
>
> The problem with using the 'ad' backend is that there is another backend
> that is used on a DC: idmap.ldb. If you do add uidNumber and gidNumber
> attributes to AD, then these will override the xidNumber attributes in
> idmap.ldb and for most things, this will not be a problem, except for
> the groups in idmap.ldb that are also ID_TYPE_BOTH. Being ID_TYPE_BOTH
> means that a group is also a user (as far as Unix is concerned) and can
> own files and directories, one of these groups is Domain Admins.
>
> If Domain Admins isn't both a group and a user, it cannot own anything
> in sysvol and the group needs to.
>
> As I said, two ways around this, do not set 'idmap_ldb:use rfc2307 = yes'
> in the DC's smb.conf and the gidNumber attributes will be ignored.
> Or do not give Domain Admins a gidNumber and create another group to use
> on Unix instead of Domain Admins.
>
>
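The precedence Rowland describes (with 'idmap_ldb:use rfc2307 = yes' a gidNumber on an AD group overrides the xidNumber in idmap.ldb, and an ID_TYPE_BOTH group such as Domain Admins then loses the "also a user" half it needs to own sysvol entries) can be checked mechanically. The Python below is an added example, not code from this thread or from Samba. All records in it are constructed: the domain SID, the DN suffix, the RID of the Unix Admins group and the xidNumber values are assumptions, and the attribute layout only loosely follows idmap.ldb. It evaluates the poster's state before and after moving gidNumber 10007 off Domain Admins, and Rowland's first workaround of not enabling rfc2307 on the DC.

```python
"""Model the DC idmap override that breaks sysvol ownership.

Rule modelled (from Rowland's explanation): when the DC runs with
'idmap_ldb:use rfc2307 = yes', a gidNumber found in AD wins over the
xidNumber in idmap.ldb. A gidNumber only provides a group id, so an entry
that idmap.ldb marks ID_TYPE_BOTH (group *and* user, able to own files)
is demoted to a group-only id and can no longer own sysvol entries.
Every record below is constructed for this example.
"""

DOMAIN_SID = "S-1-5-21-1111-2222-3333"      # constructed, not a real domain

# Constructed idmap.ldb-style records. Domain Admins (RID 512) and
# BUILTIN\Administrators (S-1-5-32-544) are ID_TYPE_BOTH; the assumed
# "Unix Admins" group (RID 1105) is an ordinary ID_TYPE_GID mapping.
IDMAP_LDIF = f"""\
dn: CN={DOMAIN_SID}-512
objectSid: {DOMAIN_SID}-512
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN={DOMAIN_SID}-1105
objectSid: {DOMAIN_SID}-1105
type: ID_TYPE_GID
xidNumber: 3000002
"""

# Constructed AD group records: before the poster's change (gidNumber 10007
# on Domain Admins) and after it (gidNumber 10007 moved to Unix Admins).
AD_BEFORE_LDIF = f"""\
dn: CN=Domain Admins,CN=Users,DC=example,DC=test
sAMAccountName: Domain Admins
objectSid: {DOMAIN_SID}-512
gidNumber: 10007

dn: CN=Unix Admins,CN=Users,DC=example,DC=test
sAMAccountName: Unix Admins
objectSid: {DOMAIN_SID}-1105
"""

AD_AFTER_LDIF = f"""\
dn: CN=Domain Admins,CN=Users,DC=example,DC=test
sAMAccountName: Domain Admins
objectSid: {DOMAIN_SID}-512

dn: CN=Unix Admins,CN=Users,DC=example,DC=test
sAMAccountName: Unix Admins
objectSid: {DOMAIN_SID}-1105
gidNumber: 10007
"""


def parse_ldif(text):
    """Split simple single-valued 'attr: value' LDIF into a list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(": ")
        current[attr] = value
    if current:
        records.append(current)
    return records


def by_sid(records):
    """Index parsed records by their objectSid."""
    return {r["objectSid"]: r for r in records}


def resolve_sid(sid, idmap, ad, use_rfc2307):
    """Return (unix id, id type) the DC ends up with for `sid`, or None.

    An AD gidNumber takes precedence only when use_rfc2307 is set, and it
    yields a group-only id; otherwise idmap.ldb's xidNumber and type apply.
    """
    group = ad.get(sid)
    if use_rfc2307 and group is not None and "gidNumber" in group:
        return int(group["gidNumber"]), "ID_TYPE_GID"
    entry = idmap.get(sid)
    if entry is None:
        return None
    return int(entry["xidNumber"]), entry["type"]


def demoted_owners(idmap_ldif, ad_ldif, use_rfc2307):
    """Names of ID_TYPE_BOTH entries that the override turns group-only,
    i.e. groups that would no longer be able to own files in sysvol."""
    idmap = by_sid(parse_ldif(idmap_ldif))
    ad = by_sid(parse_ldif(ad_ldif))
    demoted = []
    for sid, entry in idmap.items():
        if entry["type"] != "ID_TYPE_BOTH":
            continue
        resolved = resolve_sid(sid, idmap, ad, use_rfc2307)
        if resolved is not None and resolved[1] != "ID_TYPE_BOTH":
            demoted.append(ad.get(sid, {}).get("sAMAccountName", sid))
    return demoted


if __name__ == "__main__":
    print("before, rfc2307 on :", demoted_owners(IDMAP_LDIF, AD_BEFORE_LDIF, True))
    print("after,  rfc2307 on :", demoted_owners(IDMAP_LDIF, AD_AFTER_LDIF, True))
    print("before, rfc2307 off:", demoted_owners(IDMAP_LDIF, AD_BEFORE_LDIF, False))
```

With the constructed data the first call reports Domain Admins as demoted, and both the poster's fix (gidNumber moved to Unix Admins) and Rowland's alternative (rfc2307 left off on the DC) report nothing. Unix Admins keeps its gidNumber 10007 on the member servers in either case, which is the point of using a separate group rather than Domain Admins on the Unix side.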