Mapping groups to a uid conflicts with rfc2307 (was Re: Samba4 RC1 error: sysvolreset)

Andrew Bartlett abartlet at
Fri Sep 14 05:46:49 MDT 2012

On Thu, 2012-09-13 at 13:01 +0200, steve wrote:
> Hi
> I followed the release announcements for Version 4.1.0pre1-GIT-9158423
> samba-tool dbcheck --cross-ncs --fix
> Checking 3442 objects
> Checked 3442 objects (0 errors)
> and:
> samba-tool ntacl sysvolreset
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
> ERROR(runtime): uncaught exception - (-1073741734, 
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/", 
> line 168, in _run
>      return*args, **kwargs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/", 
> line 214, in run
>      lp, use_ntvfs=use_ntvfs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/", 
> line 1462, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
> use_ntvfs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/", 
> line 1401, in set_gpos_acl
>      str(domainsid), use_ntvfs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/", 
> line 1368, in set_dir_acl
>      setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/", 
> line 108, in setntacl
>      smbd.set_nt_acl(file, security.SECINFO_OWNER | 
> security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
> Can anyone tell me whether this is safe to proceed?

It's no less safe than it was before you ran the command.  However,
without running that we can't offer editing of GPOs as non-administrator
(another member of the domain admins group). 

The issue for upgrading sites such as yours is that you have set a gid
for 'Domain Admins' in LDAP using rfc2307.  One of the key issues with
the rfc2307 schema that you requested is that there is no standard way
to indicate which uid to use when a group such as 'domain admins' needs
to own a file in unix terms.  (Our idmap.ldb default is to store
mappings marked with IDMAP_BOTH). 

So far my thinking is to add an additional objectClass to the LDAP
schema and an additional attribute to indicate that this gidNumber is in
fact also valid and unique as a uidNumber, or to additionally permit a
uidNumber on the record in addition to such a marker. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
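The following is an added example, not Samba code and not part of the thread. It models the conflict Andrew describes: a group such as 'Domain Admins' must own files in unix terms, but an rfc2307 entry only gives it a gidNumber, and that number can only double as a uid (the way an IDMAP_BOTH mapping in idmap.ldb does) if no posixAccount already holds it as a uidNumber. The directory entries are constructed sample data, the status labels are this script's own vocabulary, and only the rfc2307 attribute names (uidNumber, gidNumber, posixAccount, posixGroup) come from the standard.

```python
"""Check whether rfc2307 groups can also serve as unix file owners.

Added example, not Samba code. Entries are constructed sample data;
attribute names follow rfc2307, everything else is an assumption.
"""

# Outcome labels are this example's own vocabulary, not Samba status codes.
BOTH_CANDIDATE = "both-candidate"   # gidNumber is free as a uid (like an IDMAP_BOTH mapping)
CONFLICT = "conflict"               # gidNumber is already some user's uidNumber
IDMAP_ALLOCATE = "idmap-allocate"   # no rfc2307 gid: idmap.ldb would allocate a BOTH mapping
UNKNOWN = "unknown"                 # group not found

ENTRIES = [  # constructed, not from a real domain
    {"sAMAccountName": "alice", "objectClass": ["user", "posixAccount"],
     "uidNumber": 10000, "gidNumber": 20513},
    {"sAMAccountName": "bob", "objectClass": ["user", "posixAccount"],
     "uidNumber": 10512, "gidNumber": 20513},
    {"sAMAccountName": "Domain Admins", "objectClass": ["group", "posixGroup"],
     "gidNumber": 10512},   # collides with bob's uidNumber
    {"sAMAccountName": "Domain Users", "objectClass": ["group", "posixGroup"],
     "gidNumber": 20513},   # no user holds uid 20513
    {"sAMAccountName": "Enterprise Admins", "objectClass": ["group"]},  # no rfc2307 gid
]


def _is_group(entry):
    return "group" in entry["objectClass"]


def uid_holders(entries):
    """Map every uidNumber in use to the user entry that holds it."""
    holders = {}
    for e in entries:
        if not _is_group(e) and "uidNumber" in e:
            holders.setdefault(int(e["uidNumber"]), e["sAMAccountName"])
    return holders


def gid_uid_collisions(entries):
    """Groups whose gidNumber is also some user's uidNumber.

    Promoting such a gid to a uid would make two different security
    principals resolve to the same unix id, so it is not safe to reuse.
    """
    holders = uid_holders(entries)
    hits = []
    for e in entries:
        if _is_group(e) and "gidNumber" in e:
            gid = int(e["gidNumber"])
            if gid in holders:
                hits.append((gid, holders[gid], e["sAMAccountName"]))
    return sorted(hits)


def owner_resolution(entries, group_name):
    """How the named group could own a file in unix terms: (status, xid)."""
    group = next((e for e in entries
                  if _is_group(e) and e["sAMAccountName"] == group_name), None)
    if group is None:
        return UNKNOWN, None
    if "gidNumber" not in group:
        return IDMAP_ALLOCATE, None
    gid = int(group["gidNumber"])
    if gid in uid_holders(entries):
        return CONFLICT, gid
    return BOTH_CANDIDATE, gid


if __name__ == "__main__":
    for name in ("Domain Admins", "Domain Users", "Enterprise Admins"):
        print(name, owner_resolution(ENTRIES, name))
    print("collisions:", gid_uid_collisions(ENTRIES))
```

Run against a real domain, the entries would come from an ldbsearch of the users and groups carrying uidNumber/gidNumber; the point of the check is the 'conflict' case, where a gid that a group would need as its owner uid is already assigned to a user, which is exactly the ambiguity the proposed extra objectClass or marker attribute is meant to remove.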
