wellknown and uid/gid interactions on multi DC samba AD domain

steve steve at steve-ss.com
Wed May 14 08:05:45 MDT 2014


On Wed, 2014-05-14 at 15:32 +0200, Daniele Dario wrote:
> 
> On mer, 2014-05-14 at 15:20 +0200, steve wrote:
> > On Wed, 2014-05-14 at 15:03 +0200, Daniele Dario wrote:
> > > 
> > > On mer, 2014-05-14 at 14:37 +0200, steve wrote:
> > > > On Wed, 2014-05-14 at 14:26 +0200, Daniele Dario wrote:
> > > > > Hi again,
> > > > > 
> > > > > On mer, 2014-05-14 at 12:33 +0200, steve wrote:
> > > > > > On Wed, 2014-05-14 at 12:23 +0200, Daniele Dario wrote:
> > > > > > > 
> > > > > > 
> > > > > > > 
> > > > > > > Now as you said the uids/gids are the same on the 2 DCs so again thanks.
> > > > > > > 
> > > > > > Well done.
> > > > > > 
> > > > > > > I have a question about the sysvol: I noticed that the group of the
> > > > > > > sysvol folder is different on the two DCs.
> > > > > > > On the 1st DC (4.1.0):
> > > > > > > [root at kdc01:locks]# ls -n sysvol/
> > > > > > > total 8
> > > > > > > drwxrwx---+ 4 0 4 4096 Sep 24  2012 saitel.loc
> > > > > > > 
> > > > > > > On the 2nd DC (4.1.7):
> > > > > > > [root at kdc03:locks]# ls -n sysvol/
> > > > > > > total 8
> > > > > > > drwxrwx---+ 4 0 3000000 4096 May  8 16:18 saitel.loc
> > > > > > > 
> > > > > > > [root at kdc03:locks]# wbinfo -G 3000000
> > > > > > > S-1-5-32-544
> > > > > > > [root at kdc03:locks]# wbinfo -s S-1-5-32-544
> > > > > > > BUILTIN\Administrators 4
> > > > > > > 
> > > > > > > If I read it correctly BUILTIN\Administrators should be mapped as 4 so
> > > > > > > same as on the other one.
> > > > > > What does S-1-5-32-544 look like in the respective idmap.ldb dbs?
> > > > > 
> > > > > On kdc01 I get
> > > > > # record 53
> > > > > dn: CN=S-1-5-32-544
> > > > > cn: S-1-5-32-544
> > > > > objectClass: sidMap
> > > > > objectSid: S-1-5-32-544
> > > > > type: ID_TYPE_GID
> > > > > xidNumber: 4
> > > > > distinguishedName: CN=S-1-5-32-544
> > > > > 
> > > > > On kdc03 I have
> > > > > # record 44
> > > > > dn: CN=S-1-5-32-544
> > > > > cn: S-1-5-32-544
> > > > > objectClass: sidMap
> > > > > objectSid: S-1-5-32-544
> > > > > type: ID_TYPE_BOTH
> > > > > xidNumber: 3000000
> > > > > distinguishedName: CN=S-1-5-32-544
> > > > > 
> > > > > so they look different for the xidNumber and maybe worst for type!
> > > > > 
> > > > > > > 
> > > > > > > Did I forgot something?
> > > > > > > 
> > > > > > > Regards,
> > > > > > > Daniele.
> > > > > > > 
> > > > > > How does sysvol get from DC1 to DC2?
> > > > > > 
> > > > > > Try samba-tool ntacl sysvolreset on both
> > > > > > then compare the output of getfacl
> > > > > > 
> > > > > > Do gpos work if you lose DC2?
> > > > > > HTH
> > > > > > Steve
> > > > > > 
> > > > > > 
> > > > > 
> > > > > I made a sysvolreset on both DCs before replaying.
> > > > > 
> > > > > comparing the getfacl results there's something wrong because now
> > > > > something is overlapping:
> > > > > 
> > > > > [root at kdc03:locks]# getfacl -e sysvol
> > > > > # file: sysvol
> > > > > # owner: root
> > > > > # group: 3000000
> > > > > user::rwx
> > > > > user:root:rwx			#effective:rwx
> > > > > user:3000000:rwx		#effective:rwx
> > > > > user:3000012:r-x		#effective:r-x
> > > > > user:3000017:r-x		#effective:r-x
> > > > > user:3000018:rwx		#effective:rwx
> > > > > group::rwx			#effective:rwx
> > > > > group:3000000:rwx		#effective:rwx
> > > > > group:3000012:r-x		#effective:r-x
> > > > > group:3000017:r-x		#effective:r-x
> > > > > group:3000018:rwx		#effective:rwx
> > > > > mask::rwx
> > > > > other::---
> > > > > default:user::rwx
> > > > > default:user:root:rwx		#effective:rwx
> > > > > default:user:3000000:rwx	#effective:rwx
> > > > > default:user:3000012:r-x	#effective:r-x
> > > > > default:user:3000017:r-x	#effective:r-x
> > > > > default:user:3000018:rwx	#effective:rwx
> > > > > default:group::---		#effective:---
> > > > > default:group:3000000:rwx	#effective:rwx
> > > > > default:group:3000012:r-x	#effective:r-x
> > > > > default:group:3000017:r-x	#effective:r-x
> > > > > default:group:3000018:rwx	#effective:rwx
> > > > > default:mask::rwx
> > > > > default:other::---
> > > > > 
> > > > > which seems correct but on kdc01:
> > > > > 
> > > > > [root at kdc01:/usr/local/samba/var/locks]# getfacl -e sysvol
> > > > > # file: sysvol
> > > > > # owner: root
> > > > > # group: adm
> > > > > user::rwx
> > > > > user:root:rwx			#effective:rwx
> > > > > group::rwx			#effective:rwx
> > > > > group:adm:rwx			#effective:rwx
> > > > > group:3000006:r-x		#effective:r-x
> > > > > group:SAITEL\134Schema\040Admins:rwx#effective:rwx
> > > > > group:3000008:r-x		#effective:r-x
> > > > > mask::rwx
> > > > > other::---
> > > > > default:user::rwx
> > > > > default:user:root:rwx		#effective:rwx
> > > > > default:group::---		#effective:---
> > > > > default:group:adm:rwx		#effective:rwx
> > > > > default:group:3000006:r-x	#effective:r-x
> > > > > default:group:SAITEL\134Schema\040Admins:rw#effective:rwx
> > > > > default:group:3000008:r-x	#effective:r-x
> > > > > default:mask::rwx
> > > > > default:other::---
> > > > > 
> > > > > Looking at which groups are involved, I see that on kdc03 I have
> > > > > 3000000 => BUILTIN\Administrators 4
> > > > > 3000012 => NT AUTHORITY\Authenticated Users 5
> > > > > 3000017 => BUILTIN\Server Operators 4
> > > > > 3000018 => NT AUTHORITY\SYSTEM 5
> > > > > which seems to be reasonable (are them?)
> > > > > 
> > > > > On kdc01 I see
> > > > > 4       => local adm group
> > > > > 3000006 => BUILTIN\Server Operators 4
> > > > > 3000007 => SAITEL\Schema Admins 2 (OVERLAPPED adding my group)
> > > > > 3000008 => NT AUTHORITY\Authenticated Users 5
> > > > > 
> > > > > @Rowland: 
> > > > > 
> > > > > >
> > > > > > Hi, you never posted just what distro you are using (or if you did, I 
> > > > > > missed it), but mapping Administrators to '4' is not a good idea, I 
> > > > > > learnt the hard way with 'Domain Users' !!
> > > > > 
> > > > > I'm working with ubuntu 12.04 server (kdc01 is a 32 bit VM with samba
> > > > > 4.1.0 and kdc03 is a 64 bit physical machine with samba 4.1.7)
> > > > > I provisioned the domain on kdc01 adding anything to what stated in the
> > > > > wiki (at least on the time i provisioned) so it was not my choice to map
> > > > > Administrators to '4', it was by default I think.
> > > > > 
> > > > > > 
> > > > > > On Debian based distro's '4' is the adm group, so mapping to this,
> > > > > would 
> > > > > > seem a good idea, but not when you really start to think about it. If 
> > > > > > you use winbind with the 'ad' backend you will have to set the domain 
> > > > > > range to start at '0' to pull these low end users/groups, not a good
> > > > > idea.
> > > > > > 
> > > > > > I do not recommend mapping the majority of windows groups with 
> > > > > > gidNumber's, except for Domain Users & Domain Admins, and I would
> > > > > also 
> > > > > > suggest that you decide on just where your range is going to start 
> > > > > > (4000001 is a good place) then map the two windows groups to the
> > > > > start 
> > > > > > of this range.
> > > > > > 
> > > > > > Rowland
> > > > > > 
> > > > > 
> > > > > So let me ask if I got it right:
> > > > > - only add gidNumber to Domain Users & Domain Admins and not to the
> > > > > groups I create?
> > > > You must also add gidNumber to the groups you create.
> > > > 
> > > > > - start mapping from 4000000 to avoid overlapping with windows
> > > > > users/groups?
> > > > > 
> > > > Yes.
> > > > > Another question: would it be possible to "remap" the BUILTIN
> > > > > \Administrators group to a value different from '4'?
> > > > Yes, just change the xidNumber.
> > > > > And anyway I cannot preserve the same gidNuber for the Windows groups so
> > > > > rsyncing sysvol will brake the folder and would need to perform a
> > > > > sysvolreset am I right?
> > > > Yes, BUT be careful because your xidNumbers for the builtin groups are
> > > > already different between dc01 and dc03:( Maybe we've overlooked
> > > > something but as we said in the last post, the only way we've
> > > > successfully got sysvol rsynced is by the idmap db transfer.
> > > > > 
> > > > > Again thanks for your help,
> > > > > Daniele.
> > > > > 
> > > > 
> > > > 
> > > 
> > > Mh. But if I stop kdc01 and copy idmap.ldb from kdc03 which seems to
> > > have reasonable xids than restart samba and perform a sysvolreset would
> > > it work and align xids too?
> > > 
> > Backup and try it with a sysvol reset after the transfer. The gid for
> > the builtin can only come from idmap as far as we can see. There is
> > nothing stored in the directory for them gidwise.
> >  
> > > Sorry for being so pedant but I've never played with this and even if I
> > > read and google nothing seems to teach better than somebody who knows
> > > more than me :)
> > 
> > No problem. We'd like to know the answer too. We can confirm it works on
> > a new DC before starting it.
> >  
> > 
> 
> Ok: tried to copy idmap.ldb from kd03 to kdc01 and after restarting
> samba and running a sysvolreset the xids are the same on both DCs :)
OK the xidNumbers would be the same, but has the sysvol reset made
sysvol identical on both dcs now? 
If so, perfect. Thank you for confirming that it works on a running
domain.
> 
> Now, can you explain me: if the AD range is 3000000:4000000, why do you
> suggest to map my users and groups (adding also Domain Users and Domain
> Admins) starting from 4000000? Wouldn't they be out of the given range?
> Or that range is the range reserved to Windows staff?
> 
3000000-4000000 is reserved for idmap. Change the upper limit there if
you don't like it. If you choose something within that range for your
own objects then you could theoretically clash with it. Windows doesn't
care about what range you use.
HTH
Steve




More information about the samba-technical mailing list