• [Samba] Problem sysvolreset

    From Rowland Penny via samba@21:1/5 to Edson Tadeu Almeida da Silveira on Tue Mar 7 21:30:03 2017
    On Tue, 7 Mar 2017 17:17:47 -0300
    Edson Tadeu Almeida da Silveira <edson.tadeu@gmail.com> wrote:

    > Rowland.
    >
    > I'm having a problem because I can't remove 2 policies: Default Domain Policy and Default Domain Controllers Policy.
    >
    > Do you know a way to repair both of these?


    They are the default policies, you shouldn't remove these, just any
    extra new ones.

    Rowland

    --
    To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Björn JACKE via@21:1/5 to All on Mon Mar 20 15:30:03 2017
    On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
    > It is my recommendation to not give Domain Admins a gidNumber and not
    > to run sysvolreset if you add any GPOs.

    Anybody who uses idmap ad on a Samba member server should actually give Domain Users and Domain Admins a gidNumber. This does not affect sysvol on a DC
    in any way unless you enable idmap_ldb:use rfc2307, which I would not
    recommend doing.

    Björn

  • From Rowland Penny via samba@21:1/5 to samba@lists.samba.org on Mon Mar 20 15:50:01 2017
    On Mon, 20 Mar 2017 15:27:33 +0100
    Björn JACKE via samba <samba@lists.samba.org> wrote:

    > On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
    > > It is my recommendation to not give Domain Admins a gidNumber and
    > > not to run sysvolreset if you add any GPOs.
    >
    > Anybody who uses idmap ad on a Samba member server should actually give
    > Domain Users and Domain Admins a gidNumber. This does not affect
    > sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307,
    > which I would not recommend doing.
    >
    > Björn


    Hi Bjorn,
    You can recommend not doing something until you are blue in the face,
    but you will not stop people doing it. ;-)

    If you give Domain Admins a gidNumber, it breaks the mapping in
    idmap.ldb and stops Domain Admins from being able to own files and dirs in
    sysvol, and Domain Admins needs to own files and dirs in sysvol.

    Rowland

  • From L.P.H. van Belle@21:1/5 to All on Mon Mar 20 16:40:02 2017
    I'm questioning this because of the following.

    What is "Domain Admins" doing with rights on SYSVOL anyway.. ??

    There should not be any "Domain Admins" at all on sysvol share and security rights.

    But to overcome the problem explained below.

    You can use:
    acl_xattr:ignore system acls = yes

    And make sure sysvol and/or netlogon are Windows-only shares and not used by any Unix/Linux/Mac clients.

    Set: acl_xattr:ignore system acls = yes
    in the share sysvol and/or netlogon.

    Now in addition, as told, if set up correctly,
    you don't see any "Domain Admins" on sysvol.

    Sysvol share permissions set to:
    "Everyone" Read
    "Authenticated Users" Full Control
    DOMAIN\Administrators (same as "BUILTIN\Administrators") Full Control

    And for the folder settings:
    CREATOR OWNER Special rights
    Authenticated Users Read
    SYSTEM Full Control
    DOMAIN\Administrators R&E, LFC, READ, WRITE
    DOMAIN\Server Operators R&E, LFC, READ

    Now it's no problem to give these a gid anymore:
    Domain Users
    Domain Admins
    Domain Guests
    Domain Computers
    And as Björn suggested, you do give the groups an id.

    And when it's all set, DON'T run sysvolreset again; when you do that, you must set the share and security rights again.

    And all my servers run with: idmap_ldb:use rfc2307


    Greetz,

    Louis


  • From Rowland Penny via samba@21:1/5 to L.P.H. van Belle via samba on Mon Mar 20 17:30:02 2017
    On Mon, 20 Mar 2017 16:36:34 +0100
    "L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:

    > I'm questioning this because of the following.
    >
    > What is "Domain Admins" doing with rights on SYSVOL anyway.. ??
    >
    > There should not be any "Domain Admins" at all on sysvol share and
    > security rights.

    If you create a GPO on a 2012R2 DC, you get this on the GUID dir:

    "O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

    O = owner
    G = group
    DA = Domain Admins

    Rowland

  • From L.P.H. van Belle@21:1/5 to All on Mon Mar 20 19:10:02 2017
    Hi Rowland,
    I got these off my 2008R2 server.
    I'll check your output against mine tomorrow.


    greetz,

    Louis




  • From Rowland Penny via samba@21:1/5 to L.P.H. van Belle on Tue Mar 21 16:50:02 2017
    On Tue, 21 Mar 2017 16:24:31 +0100
    L.P.H. van Belle <belle@bazuin.nl> wrote:

    > Hai Rowland,
    >
    > Can you post the exact command you used, so I'm sure I don't get different outputs.


    OK, on a Windows 2012R2 DC:

    Get-Acl C:\Windows\SYSVOL\sysvol\domain.local\Policies\'{5FD30AA2-B678-422C-9C0E-4E270488EDE4}' | Format-List

    NOTE: The above is all one line.

    Which leads to this output:

    Path : sysvol\DOMAIN.LOCAL\Policies\{5FD30AA2-B678-422C-9C0E-4E270488EDE4}
    Owner : HOME\Domain Admins
    Group : HOME\Domain Admins
    Access : CREATOR OWNER Allow FullControl
    NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow ReadAndExecute, Synchronize
    NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
    NT AUTHORITY\SYSTEM Allow FullControl
    HOME\Domain Admins Allow FullControl
    HOME\Enterprise Admins Allow FullControl
    Audit :
    Sddl : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)

    Rowland



  • From Rowland Penny via samba@21:1/5 to L.P.H. van Belle via samba on Tue Mar 21 17:40:02 2017
    On Tue, 21 Mar 2017 17:09:22 +0100
    "L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:

    > Hai,
    >
    > Here you go, my output from the 2008R2 (64bit).
    >
    > 1) original GPO from the install (the domain controller policy)
    >
    > Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
    > Owner  : BUILTIN\Administrators
    > Group  : NT AUTHORITY\SYSTEM

    This is the same as what I found, the default policies get the above
    ownership.


    > 2) and a just-now created GPO, didn't touch it at all.
    >
    > Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
    > Owner  : ROTTERDAM\Domain Admins
    > Group  : ROTTERDAM\Domain Admins
    > Access : CREATOR OWNER Allow  FullControl
    >          NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow ReadAndExecute, Synchronize
    >          NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
    >          NT AUTHORITY\SYSTEM Allow  FullControl
    >          ROTTERDAM\Domain Admins Allow  FullControl
    >          ROTTERDAM\Enterprise Admins Allow  FullControl
    > Audit  :
    > Sddl   : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)

    Now do you believe me when I say Domain Admins shouldn't have a
    gidNumber?

    Rowland

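The SDDL strings exchanged above can be decoded without a Windows box. This is an added Python example (not from the thread and not Samba code) that parses the descriptors Rowland and Louis posted into the owner, group and per-ACE view that Get-Acl prints; the alias and mask tables are the standard SDDL ones, and the RID-to-name table covering the raw S-1-5-21-...-519 SID is an assumption limited to the two RIDs relevant in this thread.

```python
import re

# Standard SDDL SID aliases seen in the thread; RID 519 is what Get-Acl printed as a raw SID.
SID_ALIAS = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "CREATOR OWNER",
    "SY": "SYSTEM", "AU": "Authenticated Users", "BA": "BUILTIN\\Administrators",
    "ED": "ENTERPRISE DOMAIN CONTROLLERS", "SO": "BUILTIN\\Server Operators",
}
RID_NAMES = {512: "Domain Admins", 519: "Enterprise Admins"}  # assumed, only these two RIDs
# Two-letter access-mask aliases, and names for the raw masks that appear in the outputs.
MASK_ALIAS = {"FA": 0x1F01FF, "GA": 0x10000000, "GX": 0x20000000, "GR": 0x80000000}
MASK_NAMES = {0x1F01FF: "FullControl", 0x1200A9: "ReadAndExecute, Synchronize",
              0x10000000: "GenericAll", 0xA0000000: "GenericExecute, GenericRead"}

def sid_name(sid):
    """Map an SDDL alias, or a domain SID whose RID we know, to a display name."""
    if sid in SID_ALIAS:
        return SID_ALIAS[sid]
    if sid.startswith("S-1-5-21-"):
        return RID_NAMES.get(int(sid.rsplit("-", 1)[1]), sid)
    return sid

def parse_mask(text):
    """Decode a hex mask such as '0x1200a9' or concatenated aliases such as 'GXGR'."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= MASK_ALIAS[text[i:i + 2]]
    return mask

def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)(ace)...' into owner, group, DACL flags and ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("unsupported SDDL: " + sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(4)):
        ace_type, flags, mask, _obj, _inherit_obj, sid = ace.split(";")
        aces.append({"type": "Allow" if ace_type == "A" else ace_type,
                     "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
                     "mask": parse_mask(mask), "who": sid_name(sid)})
    return {"owner": sid_name(m.group(1)), "group": sid_name(m.group(2)),
            "dacl_flags": m.group(3), "aces": aces}

def describe(sddl):
    """Render a descriptor like Get-Acl | Format-List: owner, group, one ACE per line."""
    d = parse_sddl(sddl)
    lines = ["Owner : " + d["owner"], "Group : " + d["group"]]
    for a in d["aces"]:
        rights = MASK_NAMES.get(a["mask"], hex(a["mask"]))
        scope = "".join(a["flags"]) or "this folder only"
        lines.append("%s %s %s (%s)" % (a["who"], a["type"], rights, scope))
    return lines
```

Running describe() on the new-GPO descriptor shows Domain Admins as both owner and group, which is the ownership Rowland says the DC must be able to map to a Unix id.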
  • From L.P.H. van Belle@21:1/5 to All on Tue Mar 21 17:20:01 2017
    Hai,

    Here you go, my output from the 2008R2 (64bit).

    1) original GPO from the install (the domain controller policy)

    Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
    Owner  : BUILTIN\Administrators
    Group  : NT AUTHORITY\SYSTEM
    Access : CREATOR OWNER Allow  268435456
             NT AUTHORITY\Authenticated Users Allow  -1610612736
             NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
             NT AUTHORITY\SYSTEM Allow  268435456
             NT AUTHORITY\SYSTEM Allow  FullControl
             BUILTIN\Administrators Allow  268435456
             BUILTIN\Administrators Allow  Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize
             BUILTIN\Server Operators Allow  ReadAndExecute, Synchronize
    Audit  :
    Sddl   : O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)

    The ones with numbers, like "CREATOR OWNER Allow  268435456",
    are users/groups with special rights.

    2) and a just-now created GPO, didn't touch it at all.

    Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
    Owner  : ROTTERDAM\Domain Admins
    Group  : ROTTERDAM\Domain Admins
    Access : CREATOR OWNER Allow  FullControl
             NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow  ReadAndExecute, Synchronize
             NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
             NT AUTHORITY\SYSTEM Allow  FullControl
             ROTTERDAM\Domain Admins Allow  FullControl
             ROTTERDAM\Enterprise Admins Allow  FullControl
    Audit  :
    Sddl   : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)

    Greetz,

    Louis
