I'm trying to figure out the user.group of my domain administrator account. getent gives me:

# getent passwd Administrator
HPRS\administrator:*:0:100::/home/HPRS/administrator:/bin/false

If I chown a file:

chown HPRS\\administrator.100 thisfile

I get:

# ls -l thisfile
-rwxrwx---+ 1 root users 68973 2022-08-08 09:12 thisfile

If I do the same for normal domain users:

# chown HPRS\\mark.100 anotherfile
# ls -l anotherfile
rwxr-xr-x+ 1 HPRS\mark users 164 2019-01-20 01:43 anotherfile

The latter shows the actual "HPRS\mark" as the user, but doing so for Administrator shows root as the user. Are HPRS\administrator and root synonyms?

On the other hand, the provisioning step created /var/lib/samba/sysvol as:

# ls -ld /var/lib/samba/sysvol
drwxrwx---+ 3 root BUILTIN\administrators 4096 2024-01-18 21:51 /var/lib/samba/sysvol/

Why does getent for administrator give group 100 (users) but sysvol's group is BUILTIN\administrators (gid 3000000)? Should I change the group for "thisfile" to 3000000?

Is this all OK?

--Mark
On Fri, 19 Jan 2024 14:27:28 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:

> I'm trying to figure out the user.group of my domain administrator
> account. getent gives me:
>
> # getent passwd Administrator
> HPRS\administrator:*:0:100::/home/HPRS/administrator:/bin/false

Totally as expected.

> If I chown a file:
>
> chown HPRS\\administrator.100 thisfile
>
> I get:
>
> # ls -l thisfile
> -rwxrwx---+ 1 root users 68973 2022-08-08 09:12 thisfile

Again as expected. 'root' has the numeric ID '0' and 'users' is '100'; they are mapped in idmap.ldb.

> If I do the same for normal domain users:
>
> # chown HPRS\\mark.100 anotherfile
> # ls -l anotherfile
> rwxr-xr-x+ 1 HPRS\mark users 164 2019-01-20 01:43 anotherfile
>
> The latter shows the actual "HPRS\mark" as the user, but doing so for
> Administrator shows root as the user.

Again, this is to be expected.

> Are HPRS\administrator and root synonyms?

No, but Administrator is mapped to root in idmap.ldb on a Samba AD DC.

> On the other hand, the provisioning step created /var/lib/samba/sysvol
> as:
>
> # ls -ld /var/lib/samba/sysvol
> drwxrwx---+ 3 root BUILTIN\administrators 4096 2024-01-18 21:51
> /var/lib/samba/sysvol/
>
> Why does getent for administrator give group 100 (users) but sysvol's
> group is BUILTIN\administrators (gid 3000000)?

Because it has to be that way, Windows expects it.

> Should I change the group for "thisfile" to 3000000?

Absolutely not.

> Is this all OK?

Yes

Rowland
After provisioning and testing my new DC offline, I now want to move it into production. This means changing IPs.

DC FQDN: mail.hprs.local

IPs for setup/testing:
DC: 192.168.1.60
Gateway: 192.168.1.1 (Netgear router)
DNS: 192.168.1.60 (/etc/resolv.conf)
/etc/hosts: 192.168.1.60 mail.hprs.local mail
smb.conf, dns forwarder: 192.168.1.1

Production IPs:
DC: 192.168.0.2
Gateway: 192.168.0.1 (SonicWall firewall/router)
DNS: 192.168.0.2 (/etc/resolv.conf)
/etc/hosts: 192.168.0.2 mail.hprs.local mail
smb.conf, dns forwarder: 192.168.0.1

I've restarted the network and samba to use these new IPs. The A record looks good:

# host -t A mail.hprs.local
mail.hprs.local has address 192.168.0.2

I also created a new reverse dns record:

# samba-tool dns zonecreate mail.hprs.local 0.168.192.in-addr.arpa
# samba-tool dns zonelist mail
  pszZoneName : 0.168.192.in-addr.arpa
  Flags       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType    : DNS_ZONE_TYPE_PRIMARY
  Version     : 50
  dwDpFlags   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn   : DomainDnsZones.hprs.local

Two problems ...

I'm not resolving any public or local hostnames, so it appears that samba is not acting as the dns server. I can access public and local hosts by IP. Why?

Second, more minor problem, I cannot figure out how to delete the old reverse dns record 1.168.192.in-addr.arpa. I've tried numerous combinations of the command to do so with no luck, including:

# samba-tool dns delete mail hprs.local mail PTR 1.168.192.in-addr.arpa
Password for [administrator at HPRS.LOCAL]:
ERROR(runtime): The record does not exist [WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST] - (9701, 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')

What am I doing wrong?

Thanks --Mark
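An added example, not part of Mark's message or of any reply on the list: a small POSIX sh helper that assembles samba-tool dns arguments in the order the tool expects (server, zone, record name, type, data), using the DC host "mail", the old address 192.168.1.60 and the FQDN mail.hprs.local from the post. In the attempt quoted above the zone, name and data positions are occupied by hprs.local, mail and the in-addr.arpa name respectively, so samba-tool looks for a record that does not exist; the helper only prints the corrected commands, so they can be reviewed before anything on the DC is changed.

```shell
#!/bin/sh
# Added example, not from the list thread: assemble samba-tool dns
# arguments in the order the tool expects:
#   samba-tool dns delete <server> <zone> <name> <type> <data>
# For a PTR record the zone is the in-addr.arpa zone, the name is the
# host part (last octet in a /24 zone) and the data is the FQDN.

# 192.168.1.60 -> 1.168.192.in-addr.arpa (assumes a /24 reverse zone)
reverse_zone() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo "$3.$2.$1.in-addr.arpa"
}

# 192.168.1.60 -> 60 (the record name inside the reverse zone)
ptr_name() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo "$4"
}

# Command that lists what is really in the old zone; run this first.
# Args: <dc-server> <old-ip>
ptr_query_cmd() {
    printf 'samba-tool dns query %s %s @ ALL\n' "$1" "$(reverse_zone "$2")"
}

# Command that removes one stale PTR record. Args: <dc-server> <old-ip> <fqdn>
ptr_delete_cmd() {
    printf 'samba-tool dns delete %s %s %s PTR %s\n' \
        "$1" "$(reverse_zone "$2")" "$(ptr_name "$2")" "$3"
}

# Command that drops the whole old reverse zone, for when no host is
# left in that subnet. Args: <dc-server> <old-ip>
zone_delete_cmd() {
    printf 'samba-tool dns zonedelete %s %s\n' "$1" "$(reverse_zone "$2")"
}

# Print the commands for the addresses from the post; nothing is executed.
ptr_query_cmd  mail 192.168.1.60
ptr_delete_cmd mail 192.168.1.60 mail.hprs.local
zone_delete_cmd mail 192.168.1.60
```

Query the old zone before deleting anything, since the DC may have registered its own PTR under a different name than expected; samba-tool prompts for the administrator credentials as in the post.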