Mapping groups to a uid conflicts with rfc2307 (was Re: Samba4 RC1 error: sysvolreset)

simo idra at samba.org
Fri Sep 14 06:08:53 MDT 2012


On Fri, 2012-09-14 at 04:46 -0700, Andrew Bartlett wrote: 
> On Thu, 2012-09-13 at 13:01 +0200, steve wrote:
> > Hi
> > I followed the release announcements for Version 4.1.0pre1-GIT-9158423
> > 
> > samba-tool dbcheck --cross-ncs --fix
> > Checking 3442 objects
> > Checked 3442 objects (0 errors)
> > 
> > and:
> > 
> > samba-tool ntacl sysvolreset
> > set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
> > ERROR(runtime): uncaught exception - (-1073741734, 
> > 'NT_STATUS_INVALID_OWNER')
> >    File 
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> > line 168, in _run
> >      return self.run(*args, **kwargs)
> >    File 
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
> > line 214, in run
> >      lp, use_ntvfs=use_ntvfs)
> >    File 
> > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
> > line 1462, in setsysvolacl
> >      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
> > use_ntvfs)
> >    File 
> > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
> > line 1401, in set_gpos_acl
> >      str(domainsid), use_ntvfs)
> >    File 
> > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
> > line 1368, in set_dir_acl
> >      setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
> >    File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", 
> > line 108, in setntacl
> >      smbd.set_nt_acl(file, security.SECINFO_OWNER | 
> > security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
> > 
> > Can anyone tell me whether this is safe to proceed?
> 
> It's no less safe than it was before you ran the command.  However,
> without running that we can't offer editing of GPOs as non-administrator
> (another member of the domain admins group). 
> 
> The issue for upgrading sites such as yours is that you have set a gid
> for 'Domain Admins' in LDAP using rfc2307.  One of the key issues with
> the rfc2307 schema that you requested is that there is no standard way
> to indicate which uid to use when a group such as 'domain admins' needs
> to own a file in unix terms.  (Our idmap.ldb default is to store
> mappings marked with IDMAP_BOTH). 
> 
> So far my thinking is to add an additional objectClass to the LDAP
> schema and an additional attribute to indicate that this gidNumber is in
> fact also valid and unique as a uidNumber, or to additionally permit a
> uidNumber on the record in addition to such a marker. 

Avoid additional objectclasses; what we can do is add the
posixAccount objectclass to groups and have uidNumber == gidNumber there.

Alternatively we can create a separate object that is just a
posixAccount (not an actual windows user) that has the same name as the
group and the uidNumber.

In FreeIPA we have a plugin that creates separate Private Unix Groups
for users; this would be a Private Unix User for groups, but the concept
would be similar (I think we may also want to have Private Unix Groups
though, so that normal users can be treated as groups and (optionally)
have the PUG as the primary gid).

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
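An added check, not from this thread or from Samba, that walks an rfc2307-style LDIF dump and flags groups carrying a gidNumber but no uidNumber (the 'Domain Admins' situation Andrew describes, where no unix uid can own the group's sysvol files), plus groups whose gidNumber already belongs to a user, where the uidNumber == gidNumber convention Simo proposes could not be applied uniquely. The dump is constructed; attribute and objectClass names are assumed to follow rfc2307 and AD.

```python
from collections import defaultdict

# Constructed sample dump using rfc2307 attribute names. 'Domain Admins' has a
# gidNumber only, and that number is already bob's uidNumber; 'Domain Users'
# follows the proposed convention: posixAccount with uidNumber == gidNumber.
SAMPLE_LDIF = """\
dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: posixAccount
uidNumber: 10512
gidNumber: 20513

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
objectClass: group
gidNumber: 10512

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
objectClass: posixAccount
uidNumber: 20513
gidNumber: 20513
"""

def parse_ldif(text):
    """Minimal LDIF reader -> list of (dn, {attr: [values]}); no base64/folding."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip().lower()].append(value.strip())
        entries.append((attrs.pop("dn")[0], dict(attrs)))
    return entries

def audit(text):
    """Groups with a gidNumber but no uidNumber ('missing') cannot own files in
    unix terms; if such a gid is already a user's uidNumber ('collision'), the
    proposed uidNumber == gidNumber marker could not be applied uniquely."""
    entries = parse_ldif(text)
    uids = {u for _, a in entries for u in a.get("uidnumber", [])}
    report = {"missing": [], "collision": []}
    for dn, a in entries:
        if "group" not in (c.lower() for c in a.get("objectclass", [])):
            continue
        if "uidnumber" in a:
            continue                      # already carries the uid marker
        report["missing"].append(dn)
        if a.get("gidnumber", [None])[0] in uids:
            report["collision"].append(dn)
    return report
```

Running `audit(SAMPLE_LDIF)` reports 'Domain Admins' under both keys and leaves 'Domain Users' alone.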