[Samba] BUILTIN not mapping on DC

Mon Apr 28 15:23:50 MDT 2014

Am 28.04.2014 22:17, schrieb Rowland Penny:
> On 28/04/14 19:46, Achim Gottinger wrote:
>>
>> Am 28.04.2014 20:29, schrieb steve:
>>> On Mon, 2014-04-28 at 14:18 -0400, Ryan Bair wrote:
>>>> I'm hoping to find another way to resolve the issue, but how did 
>>>> you edit
>>>> the uid and gids in idmap.ldb? According to `ldbsearch -H 
>>>> ldaps://localhost
>>>> cn=Account\ Operators` I already have a GID assigned.
>>> Hi
>>> DNs in idmap.ldb use the SID as the CN
>>>
>>> You already have the SID for the group you want from your search. Then:
>>> ldbedit --url=/path/to/privat/idmap.ldb cn=your.SID
>>> and replace the xidNumber attribute with the GID you have in the
>>> directory. Or whatever other value you want.
>>> HTH
>>> Steve
>>>
>>>
>> Steve kindly already explained how to edit idmal.
>>
>> If you only care about GPO acl's, you may replace the acl's 
>> BUILTIN\Administrator with Domain-Admins and BUILTIN\Autheticated 
>> Users with Domain-Users in the windows group policy editor and run 
>> samba-tools ntacl sysvolreset afterwards. Or give everyone read access.
>> On my side the problems arised becuase i use rsync to replicate 
>> sysvol between ADDX's and since the BUILTIN users/groups are ignored 
>> on the unix side (not showing up in getent passwd/group)
>> the uid's gid's are used when replicating. Since those are dynamical 
>> assigned different on each ADDCi get read erros on my windows clients 
>> trying to get the gpo's from ADDC other that the source addc i used 
>> for replication.
>> Easiest for me was to copy idmap.ldb from my source ADDC to the 
>> target addc's directly after joining to the domain.
>> An proper solution would be using the RID idmap backend for BUILTIN 
>> but i did not get that working.
>
> I do not think that your problem is with id-mapping, if I run the 
> commands that the OP ran, I get the exact same answers.
>
> If I run 'getfacl /var/lib/samba/sysvol/example.com' on one of my DC's 
> I get this:
>
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/example.com
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> if I run the same command on my second DC, I get this:
>
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/example.com
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000012:r-x
> user:3000022:r-x
> user:3000023:rwx
> group::rwx
> group:3000000:rwx
> group:3000012:r-x
> group:3000022:r-x
> group:3000023:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000012:r-x
> default:user:3000022:r-x
> default:user:3000023:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000012:r-x
> default:group:3000022:r-x
> default:group:3000023:rwx
> default:mask::rwx
> default:other::---
>
> Now on the face of it, they are different, but if I open idmap.ldb 
> with ldbedit on the first DC and search for the numbers, we find this:
>
> 3000000 ---> CN=S-1-5-32-544
> 3000001 ---> CN=S-1-5-32-549
> 3000002 ---> CN=S-1-5-18
> 3000003 ---> CN=S-1-5-11
>
> now open idmap.ldb on the second DC and carry out the search with the 
> second set of numbers:
>
> 3000000 ---> CN=S-1-5-32-544
> 3000012 ---> CN=S-1-5-11
> 3000022 ---> CN=S-1-5-32-549
> 3000023 ---> CN=S-1-5-18
>
> and a bit more searching finds out that:
>
> CN=S-1-5-32-544 ---> Administrators
> CN=S-1-5-32-549 ---> Server Operators
> CN=S-1-5-18 ---> Local System
> CN=S-1-5-11 ---> Authenticated Users
>
> So your builtin groups should be getting mapped via their xidNumbers.
>
> As for the builtin users not showing up in getent passwd, only users 
> that have a uidNumber & gidNumber will be shown.
>
> Rowland
If i rsync the sysvol folder manual with -XAavz i get identical gid's on 
the target machine. These flags are the ones recommended here 
https://wiki.samba.org/index.php/SysVol_Replication.
Does your script involve additional logic mapping the gid's?

How can rsync map gid(source) -> sid -> gid(target) if the gid's no not 
resolve on a filesystem level?

On a sidenote , getent passwd lists users here which got ther uid's 
assigned via winbind without having an uidNumber in the corresponding 
ldap entry.