wellknown and uid/gid interactions on multi DC samba AD domain
steve
steve at steve-ss.com
Wed May 14 08:07:24 MDT 2014
On Wed, 2014-05-14 at 15:53 +0200, Daniele Dario wrote:
>
> On mer, 2014-05-14 at 14:30 +0100, Rowland Penny wrote:
> > On 14/05/14 14:19, Daniele Dario wrote:
> > >
> > > On mer, 2014-05-14 at 14:07 +0100, Rowland Penny wrote:
> > >> On 14/05/14 14:06, Daniele Dario wrote:
> > >>> On mer, 2014-05-14 at 14:02 +0100, Rowland Penny wrote:
> > >>>> On 14/05/14 13:57, Daniele Dario wrote:
> > >>>>> On mer, 2014-05-14 at 13:36 +0100, Rowland Penny wrote:
> > >>>>>> On 14/05/14 13:26, Daniele Dario wrote:
> > >>>>>>> Hi again,
> > >>>>>>>
> > >>>>>>> On mer, 2014-05-14 at 12:33 +0200, steve wrote:
> > >>>>>>>> On Wed, 2014-05-14 at 12:23 +0200, Daniele Dario wrote:
> > >>>>>>>>> Now as you said the uids/gids are the same on the 2 DCs so again thanks.
> > >>>>>>>>>
> > >>>>>>>> Well done.
> > >>>>>>>>
> > >>>>>>>>> I have a question about the sysvol: I noticed that the group of the
> > >>>>>>>>> sysvol folder is different on the two DCs.
> > >>>>>>>>> On the 1st DC (4.1.0):
> > >>>>>>>>> [root at kdc01:locks]# ls -n sysvol/
> > >>>>>>>>> total 8
> > >>>>>>>>> drwxrwx---+ 4 0 4 4096 Sep 24 2012 saitel.loc
> > >>>>>>>>>
> > >>>>>>>>> On the 2nd DC (4.1.7):
> > >>>>>>>>> [root at kdc03:locks]# ls -n sysvol/
> > >>>>>>>>> total 8
> > >>>>>>>>> drwxrwx---+ 4 0 3000000 4096 May 8 16:18 saitel.loc
> > >>>>>>>>>
> > >>>>>>>>> [root at kdc03:locks]# wbinfo -G 3000000
> > >>>>>>>>> S-1-5-32-544
> > >>>>>>>>> [root at kdc03:locks]# wbinfo -s S-1-5-32-544
> > >>>>>>>>> BUILTIN\Administrators 4
> > >>>>>>>>>
> > >>>>>>>>> If I read it correctly BUILTIN\Administrators should be mapped as 4 so
> > >>>>>>>>> same as on the other one.
> > >>>>>>>> What does S-1-5-32-544 look like in the respective idmap.ldb dbs?
> > >>>>>>> On kdc01 I get
> > >>>>>>> # record 53
> > >>>>>>> dn: CN=S-1-5-32-544
> > >>>>>>> cn: S-1-5-32-544
> > >>>>>>> objectClass: sidMap
> > >>>>>>> objectSid: S-1-5-32-544
> > >>>>>>> type: ID_TYPE_GID
> > >>>>>>> xidNumber: 4
> > >>>>>>> distinguishedName: CN=S-1-5-32-544
> > >>>>>> Have you altered idmap.ldb ?? if you find 'idmap_init.ldif' on your
> > >>>>>> system, it should contain this:
> > >>>>>>
> > >>>>>> dn: CN=CONFIG
> > >>>>>> cn: CONFIG
> > >>>>>> lowerBound: 3000000
> > >>>>>> upperBound: 4000000
> > >>>>>>
> > >>>>>> dn: @INDEXLIST
> > >>>>>> @IDXATTR: xidNumber
> > >>>>>> @IDXATTR: objectSid
> > >>>>>>
> > >>>>>> and '4' is a lot lower than '3000000' ;-)
> > >>>>>>
> > >>>>>> Rowland
> > >>>>>>
> > >>>>> No I didn't. Would it be possible that when I provisioned the domain
> > >>>>> (can't remember the right number but it was one of the latest alpha
> > >>>>> releases) it was different?
> > >>>> Possibly, I think that we need to find out just what version you are
> > >>>> running, 'samba -V' should give us this.
> > >>> Sorry but samba -V tells 4.1.0 on kdc01 because I upgraded it almost on
> > >>> every release until 4.1.0 has been released.
> > >>>
> > >>>>> And what about the difference in type? On the older I have type:
> > >>>>> ID_TYPE_GID and in the newly added I have type: ID_TYPE_BOTH.
> > >>>> I seem to remember there being a problem like this, but cannot remember
> > >>>> just when.
> > >>>>
> > >>>> Rowland
> > >>>>
> > >>>>> Daniele.
> > >>>>>
> > >> Could you please post the smb.conf from both DC's
> > >>
> > >> Rowland
> > >>
> > > Here they are:
> > >
> > > kdc01:
> > >
> > > # Global parameters
> > > [global]
> > > workgroup = SAITEL
> > > realm = saitel.loc
> > > netbios name = KDC01
> > > server role = active directory domain controller
> > > dns forwarder = 8.8.8.8
> > > idmap_ldb:use rfc2307 = yes
> > > template shell = /bin/bash
> > > log file = /var/log/log.samba
> > > log level = 2
> > > max log size = 10000
> > >
> > > printcap name = /dev/null
> > > load printers = no
> > > printing = bsd
> > >
> > > [netlogon]
> > > path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > > read only = No
> > >
> > > [sysvol]
> > > path = /usr/local/samba/var/locks/sysvol
> > > read only = No
> > >
> > > kdc03:
> > >
> > > # Global parameters
> > > [global]
> > > workgroup = SAITEL
> > > realm = saitel.loc
> > > netbios name = KDC03
> > > server role = active directory domain controller
> > > dns forwarder = 8.8.8.8
> > > idmap_ldb:use rfc2307 = yes
> > > template shell = /bin/bash
> > > log file = /var/log/log.samba
> > > log level = 2
> > >
> > > printing = cups
> > > printcap name = /var/run/cups/printcap
> > > load printers = yes
> > >
> > > rpc_server:spoolss = external
> > > rpc_daemon:spoolssd = fork
> > >
> > > [netlogon]
> > > path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > > read only = no
> > >
> > > [sysvol]
> > > path = /usr/local/samba/var/locks/sysvol
> > > read only = no
> > >
> > > [printers]
> > > path = /var/spool/samba
> > > printable = yes
> > > printing = CUPS
> > >
> > > [print$]
> > > path = /srv/samba/Printer_drivers
> > > comment = Printer Drivers
> > > writeable = yes
> > >
> > > [homes]
> > > read only = no
> > >
> > > ... all the network shares
> > >
> > > On kdc03 I'm also trying to get the print server but this will be
> > > another story I guess :)
> > >
> > > Daniele.
> > >
> > I cannot see any problem there, I have also done a dive into the samba
> > archives and as far as I can see the idmap.ldb range has always started
> > at 3000000, so where that '4' comes from I have no idea.
> >
> > I think that somehow you need to get your first DC setup (idmap.ldb
> > wise) like your second DC, run sysvolreset on your first DC, rsync
> > sysvol to second DC and then sysvolreset your second DC.
> >
> > Rowland
> >
>
> I tried to copy idmap.ldb from the second DC than after starting samba I
> performed a sysvolreset and now permissions seems to match.
>
> I'll try to rsync sysvol now and see if sysvolcheck says that everything
> is ok.
>
> The problem is that running a sysvolcheck tells me:
>
> [root at kdc01:~]# samba-tool ntacl sysvolcheck
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO
> directory /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 249, in run
> lp)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
> direct_db_access)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
> domainsid, direct_db_access)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
> raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' % (acl_type(direct_db_access),
> path, fsacl_sddl, acl))
>
> The same happens on kdc03 even if I just performed a sysvolreset.
>
> The difference is on top: LAG vs DAG but I don't know what it means.
>
> Daniele.
>
Did you rsync sysvol from dc03 before you ran the sysvolreset?
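As an added example (not part of this thread and not Samba's own code): the two descriptors in the sysvolcheck error are SDDL strings, and the one-letter difference "LAG" vs "DAG" sits in the owner field ("O:LA" vs "O:DA"), not in the DACL. The script below parses both strings from the message and reports every field that differs. The alias table is a subset of the well-known SDDL trustee aliases; the first descriptor is the one sysvolcheck read from the GPO directory, the second the expected value it took from the GPO object.

```python
import re
from collections import Counter

# Two-letter SDDL trustee aliases used in the descriptors quoted above.
# Meanings are from the SDDL specification; this table is a subset.
WELL_KNOWN = {
    "LA": "local Administrator account (RID 500)",
    "DA": "Domain Admins",
    "DU": "Domain Users",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

ACE_RE = re.compile(r"\(([^)]*)\)")

# The two descriptors exactly as they appear in the sysvolcheck error above.
FS_ACL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
DB_ACL = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")


def describe(trustee):
    """Alias plus its meaning, or the raw value (e.g. a SID string) unchanged."""
    return f"{trustee} ({WELL_KNOWN[trustee]})" if trustee in WELL_KNOWN else trustee


def _split_components(sddl):
    """Split 'O:..G:..D:..S:..' into its top-level components.

    Markers are only recognised outside parentheses, so letters inside an
    ACE body are never mistaken for a component marker."""
    comps, key, buf, depth, i = {}, None, [], 0, 0
    while i < len(sddl):
        c = sddl[i]
        if depth == 0 and c in "OGDS" and sddl[i + 1:i + 2] == ":":
            if key is not None:
                comps[key] = "".join(buf)
            key, buf, i = c, [], i + 2
            continue
        depth += (c == "(") - (c == ")")
        buf.append(c)
        i += 1
    if key is not None:
        comps[key] = "".join(buf)
    return comps


def _parse_acl(body):
    """Return (ACL control flags such as 'P', list of ACE dicts) for a D: or S: body."""
    first = body.find("(")
    flags = body if first < 0 else body[:first]
    aces = []
    for m in ACE_RE.finditer(body):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({m.group(1)})")
        aces.append(dict(zip(("type", "flags", "rights", "object_guid",
                              "inherit_guid", "trustee"), fields)))
    return flags, aces


def parse_sddl(sddl):
    """Parse an SDDL string into owner, group, DACL and SACL."""
    comps = _split_components(sddl)
    dacl_flags, dacl = _parse_acl(comps.get("D", ""))
    sacl_flags, sacl = _parse_acl(comps.get("S", ""))
    return {"owner": comps.get("O"), "group": comps.get("G"),
            "dacl_flags": dacl_flags, "dacl": dacl,
            "sacl_flags": sacl_flags, "sacl": sacl}


def _ace_key(ace):
    return tuple(ace[k] for k in ("type", "flags", "rights", "object_guid",
                                  "inherit_guid", "trustee"))


def diff_sddl(on_disk_sddl, expected_sddl):
    """List every field in which the directory's descriptor differs from the expected one."""
    a, e = parse_sddl(on_disk_sddl), parse_sddl(expected_sddl)
    findings = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            findings.append(f"{field}: {describe(a[field])} on the GPO directory, "
                            f"{describe(e[field])} expected from the GPO object")
    for acl in ("dacl", "sacl"):
        if a[acl + "_flags"] != e[acl + "_flags"]:
            findings.append(f"{acl} flags: {a[acl + '_flags']!r} vs {e[acl + '_flags']!r}")
        # Compare ACEs as multisets so that ordering alone is not reported.
        on_disk, expected = Counter(map(_ace_key, a[acl])), Counter(map(_ace_key, e[acl]))
        for ace in expected - on_disk:
            findings.append(f"{acl}: missing on the GPO directory: {';'.join(ace)}")
        for ace in on_disk - expected:
            findings.append(f"{acl}: extra on the GPO directory: {';'.join(ace)}")
    return findings


if __name__ == "__main__":
    for line in diff_sddl(FS_ACL, DB_ACL) or ["descriptors match"]:
        print(line)
```

Run against the two strings from the message, the only finding is the owner: the directory on disk is owned by LA (the domain's Administrator account) while the GPO object expects DA (Domain Admins); both DACLs carry the same seven ACEs with the same "P" (protected) flag. That is consistent with sysvolreset having written the ACLs while the idmap on that DC resolved the owner differently, so it is the owner mapping, not the ACE list, to look at.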