wellknown and uid/gid interactions on multi DC samba AD domain
Daniele Dario
d.dario76 at gmail.com
Wed May 14 07:53:06 MDT 2014
On mer, 2014-05-14 at 14:30 +0100, Rowland Penny wrote:
> On 14/05/14 14:19, Daniele Dario wrote:
> >
> > On mer, 2014-05-14 at 14:07 +0100, Rowland Penny wrote:
> >> On 14/05/14 14:06, Daniele Dario wrote:
> >>> On mer, 2014-05-14 at 14:02 +0100, Rowland Penny wrote:
> >>>> On 14/05/14 13:57, Daniele Dario wrote:
> >>>>> On mer, 2014-05-14 at 13:36 +0100, Rowland Penny wrote:
> >>>>>> On 14/05/14 13:26, Daniele Dario wrote:
> >>>>>>> Hi again,
> >>>>>>>
> >>>>>>> On mer, 2014-05-14 at 12:33 +0200, steve wrote:
> >>>>>>>> On Wed, 2014-05-14 at 12:23 +0200, Daniele Dario wrote:
> >>>>>>>>> Now, as you said, the uids/gids are the same on the 2 DCs, so again thanks.
> >>>>>>>>>
> >>>>>>>> Well done.
> >>>>>>>>
> >>>>>>>>> I have a question about the sysvol: I noticed that the group of the
> >>>>>>>>> sysvol folder is different on the two DCs.
> >>>>>>>>> On the 1st DC (4.1.0):
> >>>>>>>>> [root at kdc01:locks]# ls -n sysvol/
> >>>>>>>>> total 8
> >>>>>>>>> drwxrwx---+ 4 0 4 4096 Sep 24 2012 saitel.loc
> >>>>>>>>>
> >>>>>>>>> On the 2nd DC (4.1.7):
> >>>>>>>>> [root at kdc03:locks]# ls -n sysvol/
> >>>>>>>>> total 8
> >>>>>>>>> drwxrwx---+ 4 0 3000000 4096 May 8 16:18 saitel.loc
> >>>>>>>>>
> >>>>>>>>> [root at kdc03:locks]# wbinfo -G 3000000
> >>>>>>>>> S-1-5-32-544
> >>>>>>>>> [root at kdc03:locks]# wbinfo -s S-1-5-32-544
> >>>>>>>>> BUILTIN\Administrators 4
> >>>>>>>>>
> >>>>>>>>> If I read it correctly, BUILTIN\Administrators should be mapped as 4,
> >>>>>>>>> the same as on the other one.
> >>>>>>>> What does S-1-5-32-544 look like in the respective idmap.ldb dbs?
> >>>>>>> On kdc01 I get
> >>>>>>> # record 53
> >>>>>>> dn: CN=S-1-5-32-544
> >>>>>>> cn: S-1-5-32-544
> >>>>>>> objectClass: sidMap
> >>>>>>> objectSid: S-1-5-32-544
> >>>>>>> type: ID_TYPE_GID
> >>>>>>> xidNumber: 4
> >>>>>>> distinguishedName: CN=S-1-5-32-544
> >>>>>> Have you altered idmap.ldb? If you find 'idmap_init.ldif' on your
> >>>>>> system, it should contain this:
> >>>>>>
> >>>>>> dn: CN=CONFIG
> >>>>>> cn: CONFIG
> >>>>>> lowerBound: 3000000
> >>>>>> upperBound: 4000000
> >>>>>>
> >>>>>> dn: @INDEXLIST
> >>>>>> @IDXATTR: xidNumber
> >>>>>> @IDXATTR: objectSid
> >>>>>>
> >>>>>> and '4' is a lot lower than '3000000' ;-)
> >>>>>>
> >>>>>> Rowland
> >>>>>>
> >>>>> No, I didn't. Would it be possible that when I provisioned the domain
> >>>>> (I can't remember the right number, but it was one of the latest alpha
> >>>>> releases) it was different?
> >>>> Possibly. I think that we need to find out just what version you are
> >>>> running; 'samba -V' should give us this.
> >>> Sorry, but samba -V says 4.1.0 on kdc01 because I upgraded it on almost
> >>> every release until 4.1.0 was released.
> >>>
> >>>>> And what about the difference in type? On the older I have type:
> >>>>> ID_TYPE_GID and in the newly added I have type: ID_TYPE_BOTH.
> >>>> I seem to remember there being a problem like this, but cannot remember
> >>>> just when.
> >>>>
> >>>> Rowland
> >>>>
> >>>>> Daniele.
> >>>>>
> >> Could you please post the smb.conf from both DC's
> >>
> >> Rowland
> >>
> > Here they are:
> >
> > kdc01:
> >
> > # Global parameters
> > [global]
> > workgroup = SAITEL
> > realm = saitel.loc
> > netbios name = KDC01
> > server role = active directory domain controller
> > dns forwarder = 8.8.8.8
> > idmap_ldb:use rfc2307 = yes
> > template shell = /bin/bash
> > log file = /var/log/log.samba
> > log level = 2
> > max log size = 10000
> >
> > printcap name = /dev/null
> > load printers = no
> > printing = bsd
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > read only = No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> >
> > kdc03:
> >
> > # Global parameters
> > [global]
> > workgroup = SAITEL
> > realm = saitel.loc
> > netbios name = KDC03
> > server role = active directory domain controller
> > dns forwarder = 8.8.8.8
> > idmap_ldb:use rfc2307 = yes
> > template shell = /bin/bash
> > log file = /var/log/log.samba
> > log level = 2
> >
> > printing = cups
> > printcap name = /var/run/cups/printcap
> > load printers = yes
> >
> > rpc_server:spoolss = external
> > rpc_daemon:spoolssd = fork
> >
> > [netlogon]
> > path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > read only = no
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = no
> >
> > [printers]
> > path = /var/spool/samba
> > printable = yes
> > printing = CUPS
> >
> > [print$]
> > path = /srv/samba/Printer_drivers
> > comment = Printer Drivers
> > writeable = yes
> >
> > [homes]
> > read only = no
> >
> > ... all the network shares
> >
> > On kdc03 I'm also trying to get the print server going, but this will be
> > another story, I guess :)
> >
> > Daniele.
> >
> I cannot see any problem there. I have also done a dive into the samba
> archives, and as far as I can see the idmap.ldb range has always started
> at 3000000, so where that '4' comes from I have no idea.
>
> I think that somehow you need to get your first DC set up (idmap.ldb-wise)
> like your second DC, run sysvolreset on your first DC, rsync sysvol to the
> second DC and then sysvolreset your second DC.
>
> Rowland
>
I tried to copy idmap.ldb from the second DC, then after starting samba I
performed a sysvolreset, and now the permissions seem to match.
I'll try to rsync sysvol now and see if sysvolcheck says that everything
is ok.
The problem is that running a sysvolcheck tells me:
[root at kdc01:~]# samba-tool ntacl sysvolcheck
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
The same happens on kdc03, even though I just performed a sysvolreset.
The difference is at the top: LAG vs DAG, but I don't know what it means.
Daniele.
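Editor's note, added to this archived thread and not part of the original mail or of Samba's own code: the two long strings in the sysvolcheck error are SDDL security descriptors, and the "LAG vs DAG" difference is in the `O:` (owner) component. In Microsoft's SDDL alias table `LA` is the built-in local Administrator account (RID 500) and `DA` is Domain Admins, so the GPO directory on disk is owned by the Administrator account while the GPO object in the directory expects Domain Admins; the seven ACEs themselves are identical. The small parser below reproduces that comparison offline. It assumes nothing beyond the two descriptors copied from the error message above; the helper names (`parse_sddl`, `diff_sddl`, `describe_sid`) are this example's own, not samba-tool's.

```python
"""Parse two SDDL strings and report where they differ (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Two-letter SID aliases from Microsoft's SDDL SID-string table (only the
# ones that occur in the descriptors on the page).
SID_ALIASES = {
    "LA": "built-in Administrator account (RID 500)",
    "DA": "Domain Admins", "DU": "Domain Users", "EA": "Enterprise Admins",
    "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}
# Named rights that SDDL may use instead of a hex access mask.
RIGHTS_ALIASES = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116,
                  "FX": 0x001200A0, "GA": 0x10000000, "GR": 0x80000000,
                  "GW": 0x40000000, "GX": 0x20000000}
FILE_ALL_ACCESS = RIGHTS_ALIASES["FA"]                          # 0x001f01ff
FILE_READ_EXECUTE = RIGHTS_ALIASES["FR"] | RIGHTS_ALIASES["FX"]  # 0x001200a9

# The two descriptors from the sysvolcheck error above: on-disk ACL first,
# the value expected from the GPO object second.
FS_SDDL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
DB_SDDL = "O:DA" + FS_SDDL[4:]


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = access allowed, D = access denied, ...
    flags: str         # inheritance flags, e.g. OI, CI, IO
    rights: int        # access mask
    object_guid: str
    inherit_guid: str
    sid: str           # alias such as DA, or a literal S-1-... SID


@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: str = ""
    dacl: List[Ace] = field(default_factory=list)
    sacl_flags: str = ""
    sacl: List[Ace] = field(default_factory=list)


# Components are O:, G:, D:, S:; each runs until the next component tag.
_COMPONENT_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def _parse_rights(text: str) -> int:
    """Hex mask (0x...) or a concatenation of two-letter rights aliases."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"bad rights string {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS_ALIASES[text[i:i + 2]]
    return mask


def _parse_acl(text: str):
    """Split an ACL component into its flag letters (e.g. P) and its ACEs."""
    first_paren = text.find("(")
    flags = text if first_paren < 0 else text[:first_paren]
    aces = []
    for body in _ACE_RE.findall(text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE needs 6 fields, got {len(fields)}: ({body})")
        t, f, r, obj, inh, sid = fields
        aces.append(Ace(t, f, _parse_rights(r), obj, inh, sid))
    return flags, aces


def parse_sddl(sddl: str) -> SecurityDescriptor:
    sd = SecurityDescriptor()
    for tag, body in _COMPONENT_RE.findall(sddl):
        if tag == "O":
            sd.owner = body
        elif tag == "G":
            sd.group = body
        elif tag == "D":
            sd.dacl_flags, sd.dacl = _parse_acl(body)
        else:
            sd.sacl_flags, sd.sacl = _parse_acl(body)
    return sd


def describe_sid(sid: Optional[str]) -> str:
    return f"{sid} = {SID_ALIASES.get(sid, 'literal SID')}"


def describe_rights(mask: int) -> str:
    if mask == FILE_ALL_ACCESS:
        return "full control"
    if mask == FILE_READ_EXECUTE:
        return "read and execute"
    return hex(mask)


def diff_sddl(actual: str, expected: str) -> List[str]:
    """Human-readable list of differences; empty means the ACLs match."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    if a.owner != e.owner:
        out.append(f"owner: {describe_sid(a.owner)}, expected {describe_sid(e.owner)}")
    if a.group != e.group:
        out.append(f"group: {describe_sid(a.group)}, expected {describe_sid(e.group)}")
    if a.dacl_flags != e.dacl_flags:
        out.append(f"DACL flags: {a.dacl_flags!r}, expected {e.dacl_flags!r}")
    for ace in e.dacl:           # ACE order is ignored; presence is what matters here
        if ace not in a.dacl:
            out.append(f"missing ACE: {ace.ace_type};{ace.flags};"
                       f"{describe_rights(ace.rights)};{describe_sid(ace.sid)}")
    for ace in a.dacl:
        if ace not in e.dacl:
            out.append(f"unexpected ACE: {ace.ace_type};{ace.flags};"
                       f"{describe_rights(ace.rights)};{describe_sid(ace.sid)}")
    return out


if __name__ == "__main__":
    for line in diff_sddl(FS_SDDL, DB_SDDL) or ["ACLs match"]:
        print(line)
```

Run stand-alone it prints a single line naming the owner mismatch; the same parser can be pointed at the output of `samba-tool ntacl get <path>` on each DC to see exactly which component sysvolreset changed.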