Tâche #17366
Mis à jour par Emmanuel IHRY il y a plus de 7 ans
sur le premier contrôleur du domaine installé les droits sur le répertoire sysvol sont positionnés. Ensuite il y aura une synchro bi-directionnel entre les contrôleurs qui seront ensuite installés pour cette même forêt. Il parait préférable que cette synchro s'effectue sur le nom de groupe (/utilisateur) plutôt que sur le gid (/uid)
sur un contrôleur qui n'est pas encore synchronisé nous avons apparemment 7 groupes susceptibles d'être utilisés
3000000, 3000001, 3000002, 3000003, 3000004, 3000008, 3000010
<pre>
~# getfacl -R /var/lib/samba/sysvol/ |grep "group:30000"|sort|uniq -c
getfacl : suppression du premier « / » des noms de chemins absolus
4 default:group:3000000:rwx
4 default:group:3000001:r-x
20 default:group:3000002:rwx
20 default:group:3000003:r-x
1 default:group:3000004:rwx
16 default:group:3000008:rwx
16 default:group:3000010:r-x
15 group:3000000:rwx
4 group:3000001:r-x
23 group:3000002:rwx
23 group:3000003:r-x
1 group:3000004:rwx
19 group:3000008:rwx
19 group:3000010:r-x
</pre>
et 6 utilisateurs
<pre>
~# getfacl -R /var/lib/samba/sysvol/ |grep "user:30000"|sort|uniq -c
getfacl : suppression du premier « / » des noms de chemins absolus
14 default:user:3000000:rwx
3 default:user:3000001:r-x
19 default:user:3000002:rwx
19 default:user:3000003:r-x
16 default:user:3000008:rwx
15 default:user:3000010:r-x
4 user:3000000:rwx
3 user:3000001:r-x
22 user:3000002:rwx
22 user:3000003:r-x
11 user:3000008:rwx
18 user:3000010:r-x
</pre>
Pour éventuellement constater ce qu'il se passe sur le premier contrôleur installé pour un domaine, si on souhaite temporairement afficher les groupes via la commande 'getent' (ajout temporaire des directives 'winbind enum users = yes'/'winbind enum groups = yes'/'winbind expand groups = 1')
ex pour le domaine AD 'AD-PAST'
<pre>
root@dc-ad1:~# getent group
(...)
BUILTIN/administrators:x:3000000:
BUILTIN/users:x:3000009:
BUILTIN/guests:x:3000015:
BUILTIN/account operators:x:3000015:
BUILTIN/server operators:x:3000001:
BUILTIN/print operators:x:3000016:
BUILTIN/backup operators:x:3000017:
BUILTIN/replicator:x:3000018:
BUILTIN/pre-windows 2000 compatible access:x:3000019:
BUILTIN/remote desktop users:x:3000020:
BUILTIN/network configuration operators:x:3000021:
BUILTIN/incoming forest trust builders:x:3000022:
BUILTIN/performance monitor users:x:3000023:
BUILTIN/performance log users:x:3000024:
BUILTIN/windows authorization access group:x:3000025:
BUILTIN/terminal server license servers:x:3000026:
BUILTIN/distributed com users:x:3000027:
BUILTIN/iis_iusrs:x:3000028:
BUILTIN/cryptographic operators:x:3000029:
BUILTIN/event log readers:x:3000030:
BUILTIN/certificate service dcom access:x:3000031:
AD-PAST/cert publishers:x:3000032:
AD-PAST/ras and ias servers:x:3000033:
AD-PAST/allowed rodc password replication group:x:3000034:
AD-PAST/denied rodc password replication group:x:3000005:
AD-PAST/dnsadmins:x:3000035:
AD-PAST/enterprise read-only domain controllers:x:3000036:
AD-PAST/domain admins:x:3000008:AD-PAST/administrator,AD-PAST/admin
AD-PAST/domain users:x:100:
AD-PAST/domain guests:x:3000012:
AD-PAST/domain computers:x:3000037:
AD-PAST/domain controllers:x:3000038:
AD-PAST/schema admins:x:3000007:AD-PAST/administrator
AD-PAST/enterprise admins:x:3000006:AD-PAST/administrator
AD-PAST/group policy creator owners:x:3000004:AD-PAST/administrator
AD-PAST/read-only domain controllers:x:3000039:
AD-PAST/dnsupdateproxy:x:3000040:
</pre>
getent passwd
<pre>
root@dc-ad1:~# getent passwd
root:x:0:0:root:/root:/bin/bash
(...)
AD-PAST/administrator:*:0:100::/home/AD-PAST/administrator:/bin/false
AD-PAST/krbtgt:*:3000014:100::/home/AD-PAST/krbtgt:/bin/false
AD-PAST/guest:*:3000011:100::/home/AD-PAST/guest:/bin/false
AD-PAST/admin:*:3000013:100::/home/AD-PAST/admin:/bin/false
</pre>
remarques:
les groupes 3000002, 3000003 et3000010 ne sont pas listés
<pre>
root@dc-ad1:~# getent group|grep 3000000
BUILTIN/administrators:x:3000000:
root@dc-ad1:~# getent group|grep 3000001
BUILTIN/server operators:x:3000001:
root@dc-ad1:~# getent group|grep 3000002
root@dc-ad1:~# getent group|grep 3000003
root@dc-ad1:~# getent group|grep 3000004
AD-PAST/group policy creator owners:x:3000004:AD-PAST/administrator
root@dc-ad1:~# getent group|grep 3000008
AD-PAST/domain admins:x:3000008:AD-PAST/administrator,AD-PAST/admin
root@dc-ad1:~# getent group|grep 3000010
root@dc-ad1:~#
</pre>
le groupe 'AD-PAST/domain users' a le gid du groupe unix local 'users' (100)
le SID est correct
<pre>
root@dc-ad1:~# wbinfo -n "AD-PAST/domain users"
S-1-5-21-2437789809-4166622212-1883905451-513 SID_DOM_GROUP (2)
</pre>
pour les 3 groupes qui ne sont pas listés
<pre>
root@dc-ad1:~# wbinfo -G 3000002
S-1-5-18
root@dc-ad1:~# wbinfo -G 3000003
S-1-5-11
root@dc-ad1:~# wbinfo -G 3000010
S-1-5-9
</pre>
https://support.microsoft.com/en-us/kb/243330
SID: S-1-5-9
Name: Enterprise Domain Controllers
Description: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.
SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.
Questions:
Est-il nécessaire de générer les groupes pouvant correspondre aux groupes 'Enterprise Domain Controllers' , 'Authenticated Users' et 'Local System' ?
Comment positionner des acls au niveau 'user' ? (est-ce nécessaire ?)
sur un contrôleur qui n'est pas encore synchronisé nous avons apparemment 7 groupes susceptibles d'être utilisés
3000000, 3000001, 3000002, 3000003, 3000004, 3000008, 3000010
<pre>
~# getfacl -R /var/lib/samba/sysvol/ |grep "group:30000"|sort|uniq -c
getfacl : suppression du premier « / » des noms de chemins absolus
4 default:group:3000000:rwx
4 default:group:3000001:r-x
20 default:group:3000002:rwx
20 default:group:3000003:r-x
1 default:group:3000004:rwx
16 default:group:3000008:rwx
16 default:group:3000010:r-x
15 group:3000000:rwx
4 group:3000001:r-x
23 group:3000002:rwx
23 group:3000003:r-x
1 group:3000004:rwx
19 group:3000008:rwx
19 group:3000010:r-x
</pre>
et 6 utilisateurs
<pre>
~# getfacl -R /var/lib/samba/sysvol/ |grep "user:30000"|sort|uniq -c
getfacl : suppression du premier « / » des noms de chemins absolus
14 default:user:3000000:rwx
3 default:user:3000001:r-x
19 default:user:3000002:rwx
19 default:user:3000003:r-x
16 default:user:3000008:rwx
15 default:user:3000010:r-x
4 user:3000000:rwx
3 user:3000001:r-x
22 user:3000002:rwx
22 user:3000003:r-x
11 user:3000008:rwx
18 user:3000010:r-x
</pre>
Pour éventuellement constater ce qu'il se passe sur le premier contrôleur installé pour un domaine, si on souhaite temporairement afficher les groupes via la commande 'getent' (ajout temporaire des directives 'winbind enum users = yes'/'winbind enum groups = yes'/'winbind expand groups = 1')
ex pour le domaine AD 'AD-PAST'
<pre>
root@dc-ad1:~# getent group
(...)
BUILTIN/administrators:x:3000000:
BUILTIN/users:x:3000009:
BUILTIN/guests:x:3000015:
BUILTIN/account operators:x:3000015:
BUILTIN/server operators:x:3000001:
BUILTIN/print operators:x:3000016:
BUILTIN/backup operators:x:3000017:
BUILTIN/replicator:x:3000018:
BUILTIN/pre-windows 2000 compatible access:x:3000019:
BUILTIN/remote desktop users:x:3000020:
BUILTIN/network configuration operators:x:3000021:
BUILTIN/incoming forest trust builders:x:3000022:
BUILTIN/performance monitor users:x:3000023:
BUILTIN/performance log users:x:3000024:
BUILTIN/windows authorization access group:x:3000025:
BUILTIN/terminal server license servers:x:3000026:
BUILTIN/distributed com users:x:3000027:
BUILTIN/iis_iusrs:x:3000028:
BUILTIN/cryptographic operators:x:3000029:
BUILTIN/event log readers:x:3000030:
BUILTIN/certificate service dcom access:x:3000031:
AD-PAST/cert publishers:x:3000032:
AD-PAST/ras and ias servers:x:3000033:
AD-PAST/allowed rodc password replication group:x:3000034:
AD-PAST/denied rodc password replication group:x:3000005:
AD-PAST/dnsadmins:x:3000035:
AD-PAST/enterprise read-only domain controllers:x:3000036:
AD-PAST/domain admins:x:3000008:AD-PAST/administrator,AD-PAST/admin
AD-PAST/domain users:x:100:
AD-PAST/domain guests:x:3000012:
AD-PAST/domain computers:x:3000037:
AD-PAST/domain controllers:x:3000038:
AD-PAST/schema admins:x:3000007:AD-PAST/administrator
AD-PAST/enterprise admins:x:3000006:AD-PAST/administrator
AD-PAST/group policy creator owners:x:3000004:AD-PAST/administrator
AD-PAST/read-only domain controllers:x:3000039:
AD-PAST/dnsupdateproxy:x:3000040:
</pre>
getent passwd
<pre>
root@dc-ad1:~# getent passwd
root:x:0:0:root:/root:/bin/bash
(...)
AD-PAST/administrator:*:0:100::/home/AD-PAST/administrator:/bin/false
AD-PAST/krbtgt:*:3000014:100::/home/AD-PAST/krbtgt:/bin/false
AD-PAST/guest:*:3000011:100::/home/AD-PAST/guest:/bin/false
AD-PAST/admin:*:3000013:100::/home/AD-PAST/admin:/bin/false
</pre>
remarques:
les groupes 3000002, 3000003 et3000010 ne sont pas listés
<pre>
root@dc-ad1:~# getent group|grep 3000000
BUILTIN/administrators:x:3000000:
root@dc-ad1:~# getent group|grep 3000001
BUILTIN/server operators:x:3000001:
root@dc-ad1:~# getent group|grep 3000002
root@dc-ad1:~# getent group|grep 3000003
root@dc-ad1:~# getent group|grep 3000004
AD-PAST/group policy creator owners:x:3000004:AD-PAST/administrator
root@dc-ad1:~# getent group|grep 3000008
AD-PAST/domain admins:x:3000008:AD-PAST/administrator,AD-PAST/admin
root@dc-ad1:~# getent group|grep 3000010
root@dc-ad1:~#
</pre>
le groupe 'AD-PAST/domain users' a le gid du groupe unix local 'users' (100)
le SID est correct
<pre>
root@dc-ad1:~# wbinfo -n "AD-PAST/domain users"
S-1-5-21-2437789809-4166622212-1883905451-513 SID_DOM_GROUP (2)
</pre>
pour les 3 groupes qui ne sont pas listés
<pre>
root@dc-ad1:~# wbinfo -G 3000002
S-1-5-18
root@dc-ad1:~# wbinfo -G 3000003
S-1-5-11
root@dc-ad1:~# wbinfo -G 3000010
S-1-5-9
</pre>
https://support.microsoft.com/en-us/kb/243330
SID: S-1-5-9
Name: Enterprise Domain Controllers
Description: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.
SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.
Questions:
Est-il nécessaire de générer les groupes pouvant correspondre aux groupes 'Enterprise Domain Controllers' , 'Authenticated Users' et 'Local System' ?
Comment positionner des acls au niveau 'user' ? (est-ce nécessaire ?)