wellknown and uid/gid interactions on multi DC samba AD domain
Daniele Dario
d.dario76 at gmail.com
Wed May 14 08:15:22 MDT 2014
On mer, 2014-05-14 at 16:07 +0200, steve wrote:
> On Wed, 2014-05-14 at 15:53 +0200, Daniele Dario wrote:
> >
> > On mer, 2014-05-14 at 14:30 +0100, Rowland Penny wrote:
> > > On 14/05/14 14:19, Daniele Dario wrote:
> > > >
> > > > On mer, 2014-05-14 at 14:07 +0100, Rowland Penny wrote:
> > > >> On 14/05/14 14:06, Daniele Dario wrote:
> > > >>> On mer, 2014-05-14 at 14:02 +0100, Rowland Penny wrote:
> > > >>>> On 14/05/14 13:57, Daniele Dario wrote:
> > > >>>>> On mer, 2014-05-14 at 13:36 +0100, Rowland Penny wrote:
> > > >>>>>> On 14/05/14 13:26, Daniele Dario wrote:
> > > >>>>>>> Hi again,
> > > >>>>>>>
> > > >>>>>>> On mer, 2014-05-14 at 12:33 +0200, steve wrote:
> > > >>>>>>>> On Wed, 2014-05-14 at 12:23 +0200, Daniele Dario wrote:
> > > >>>>>>>>> Now as you said the uids/gids are the same on the 2 DCs so again thanks.
> > > >>>>>>>>>
> > > >>>>>>>> Well done.
> > > >>>>>>>>
> > > >>>>>>>>> I have a question about the sysvol: I noticed that the group of the
> > > >>>>>>>>> sysvol folder is different on the two DCs.
> > > >>>>>>>>> On the 1st DC (4.1.0):
> > > >>>>>>>>> [root at kdc01:locks]# ls -n sysvol/
> > > >>>>>>>>> total 8
> > > >>>>>>>>> drwxrwx---+ 4 0 4 4096 Sep 24 2012 saitel.loc
> > > >>>>>>>>>
> > > >>>>>>>>> On the 2nd DC (4.1.7):
> > > >>>>>>>>> [root at kdc03:locks]# ls -n sysvol/
> > > >>>>>>>>> total 8
> > > >>>>>>>>> drwxrwx---+ 4 0 3000000 4096 May 8 16:18 saitel.loc
> > > >>>>>>>>>
> > > >>>>>>>>> [root at kdc03:locks]# wbinfo -G 3000000
> > > >>>>>>>>> S-1-5-32-544
> > > >>>>>>>>> [root at kdc03:locks]# wbinfo -s S-1-5-32-544
> > > >>>>>>>>> BUILTIN\Administrators 4
> > > >>>>>>>>>
> > > >>>>>>>>> If I read it correctly BUILTIN\Administrators should be mapped as 4 so
> > > >>>>>>>>> same as on the other one.
> > > >>>>>>>> What does S-1-5-32-544 look like in the respective idmap.ldb dbs?
> > > >>>>>>> On kdc01 I get
> > > >>>>>>> # record 53
> > > >>>>>>> dn: CN=S-1-5-32-544
> > > >>>>>>> cn: S-1-5-32-544
> > > >>>>>>> objectClass: sidMap
> > > >>>>>>> objectSid: S-1-5-32-544
> > > >>>>>>> type: ID_TYPE_GID
> > > >>>>>>> xidNumber: 4
> > > >>>>>>> distinguishedName: CN=S-1-5-32-544
> > > >>>>>> Have you altered idmap.ldb ?? if you find 'idmap_init.ldif' on your
> > > >>>>>> system, it should contain this:
> > > >>>>>>
> > > >>>>>> dn: CN=CONFIG
> > > >>>>>> cn: CONFIG
> > > >>>>>> lowerBound: 3000000
> > > >>>>>> upperBound: 4000000
> > > >>>>>>
> > > >>>>>> dn: @INDEXLIST
> > > >>>>>> @IDXATTR: xidNumber
> > > >>>>>> @IDXATTR: objectSid
> > > >>>>>>
> > > >>>>>> and '4' is a lot lower than '3000000' ;-)
> > > >>>>>>
> > > >>>>>> Rowland
> > > >>>>>>
> > > >>>>> No I didn't. Would it be possible that when I provisioned the domain
> > > >>>>> (can't remember the right number but it was one of the latest alpha
> > > >>>>> releases) it was different?
> > > >>>> Possibly, I think that we need to find out just what version you are
> > > >>>> running, 'samba -V' should give us this.
> > > >>> Sorry but samba -V tells 4.1.0 on kdc01 because I upgraded it almost on
> > > >>> every release until 4.1.0 has been released.
> > > >>>
> > > >>>>> And what about the difference in type? On the older I have type:
> > > >>>>> ID_TYPE_GID and in the newly added I have type: ID_TYPE_BOTH.
> > > >>>> I seem to remember there being a problem like this, but cannot remember
> > > >>>> just when.
> > > >>>>
> > > >>>> Rowland
> > > >>>>
> > > >>>>> Daniele.
> > > >>>>>
> > > >> Could you please post the smb.conf from both DC's
> > > >>
> > > >> Rowland
> > > >>
> > > > Here they are:
> > > >
> > > > kdc01:
> > > >
> > > > # Global parameters
> > > > [global]
> > > > workgroup = SAITEL
> > > > realm = saitel.loc
> > > > netbios name = KDC01
> > > > server role = active directory domain controller
> > > > dns forwarder = 8.8.8.8
> > > > idmap_ldb:use rfc2307 = yes
> > > > template shell = /bin/bash
> > > > log file = /var/log/log.samba
> > > > log level = 2
> > > > max log size = 10000
> > > >
> > > > printcap name = /dev/null
> > > > load printers = no
> > > > printing = bsd
> > > >
> > > > [netlogon]
> > > > path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > > > read only = No
> > > >
> > > > [sysvol]
> > > > path = /usr/local/samba/var/locks/sysvol
> > > > read only = No
> > > >
> > > > kdc03:
> > > >
> > > > # Global parameters
> > > > [global]
> > > > workgroup = SAITEL
> > > > realm = saitel.loc
> > > > netbios name = KDC03
> > > > server role = active directory domain controller
> > > > dns forwarder = 8.8.8.8
> > > > idmap_ldb:use rfc2307 = yes
> > > > template shell = /bin/bash
> > > > log file = /var/log/log.samba
> > > > log level = 2
> > > >
> > > > printing = cups
> > > > printcap name = /var/run/cups/printcap
> > > > load printers = yes
> > > >
> > > > rpc_server:spoolss = external
> > > > rpc_daemon:spoolssd = fork
> > > >
> > > > [netlogon]
> > > > path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > > > read only = no
> > > >
> > > > [sysvol]
> > > > path = /usr/local/samba/var/locks/sysvol
> > > > read only = no
> > > >
> > > > [printers]
> > > > path = /var/spool/samba
> > > > printable = yes
> > > > printing = CUPS
> > > >
> > > > [print$]
> > > > path = /srv/samba/Printer_drivers
> > > > comment = Printer Drivers
> > > > writeable = yes
> > > >
> > > > [homes]
> > > > read only = no
> > > >
> > > > ... all the network shares
> > > >
> > > > On kdc03 I'm also trying to get the print server but this will be
> > > > another story I guess :)
> > > >
> > > > Daniele.
> > > >
> > > I cannot see any problem there, I have also done a dive into the samba
> > > archives and as far as I can see the idmap.ldb range has always started
> > > at 3000000, so where that '4' comes from I have no idea.
> > >
> > > I think that somehow you need to get your first DC setup (idmap.ldb
> > > wise) like your second DC, run sysvolreset on your first DC, rsync
> > > sysvol to second DC and then sysvolreset your second DC.
> > >
> > > Rowland
> > >
> >
> > I tried to copy idmap.ldb from the second DC, then after starting samba I
> > performed a sysvolreset and now permissions seem to match.
> >
> > I'll try to rsync sysvol now and see if sysvolcheck says that everything
> > is ok.
> >
> > The problem is that running a sysvolcheck tells me:
> >
> > [root at kdc01:~]# samba-tool ntacl sysvolcheck
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > (16384)
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > ProvisioningError: DB ACL on GPO
> > directory /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
> > File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> > return self.run(*args, **kwargs)
> > File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> > line 249, in run
> > lp)
> > File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
> > direct_db_access)
> > File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
> > domainsid, direct_db_access)
> > File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
> > raise ProvisioningError('%s ACL on GPO directory %s %s does not
> > match expected value %s from GPO object' % (acl_type(direct_db_access),
> > path, fsacl_sddl, acl))
> >
> > The same happens on kdc03 even if I just performed a sysvolreset.
> >
> > The difference is on top: LAG vs DAG but I don't know what it means.
> >
> > Daniele.
> >
> did you rsync sysvol from dc03 before you ran the sysvolreset?
>
No. I synced from kdc01 to kdc03 when I joined kdc03 as DC to the
domain. Then I made a sysvolreset on kdc03.
Now I copied idmap from kdc03 to kdc01 and then made a sysvolreset on
kdc01 to align ownerships.
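Added example (not code from the thread or from Samba): a small Python script that parses the two SDDL descriptors quoted in the sysvolcheck error above and reports which part differs. The owner in the actual ACL is `LA`, the owner in the expected one is `DA`; the alias meanings are the standard SDDL abbreviations from MS-DTYP, and the descriptor strings are copied from the error message in the thread.

```python
import re

# Well-known SDDL trustee aliases that appear in the sysvolcheck output (MS-DTYP 2.4.4.3).
SDDL_ALIASES = {
    "LA": "local Administrator account (RID 500)",
    "DA": "Domain Admins (RID 512)",
    "DU": "Domain Users (RID 513)",
    "EA": "Enterprise Admins (RID 519)",
    "CO": "CREATOR OWNER",
    "SY": "LOCAL SYSTEM",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    dacl = m.group("dacl")
    flags = dacl.split("(", 1)[0]  # e.g. "P" = protected DACL (inheritance blocked)
    # Each ACE is type;flags;rights;object_guid;inherit_object_guid;trustee
    aces = [tuple(a.split(";")) for a in ACE_RE.findall(dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": flags, "aces": aces}


def describe(alias):
    """Expand a trustee alias such as 'LA' into a readable name."""
    return "%s (%s)" % (alias, SDDL_ALIASES.get(alias, "unknown trustee"))


def diff_sddl(actual, expected):
    """Return (field, actual, expected) triples for every part that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = [(f, a[f], e[f]) for f in ("owner", "group", "dacl_flags") if a[f] != e[f]]
    diffs += [("extra_ace", ";".join(x), None) for x in a["aces"] if x not in e["aces"]]
    diffs += [("missing_ace", None, ";".join(x)) for x in e["aces"] if x not in a["aces"]]
    return diffs


# Descriptors copied from the sysvolcheck error above; they differ only in the owner (O:) part.
ACTUAL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ACTUAL.replace("O:LAG:", "O:DAG:")

if __name__ == "__main__":
    for field, got, want in diff_sddl(ACTUAL, EXPECTED):
        print(field, describe(got) if got else "-", "->", describe(want) if want else "-")
```

Running it prints a single line showing that only the owner differs: the on-disk ACL is owned by the local Administrator account while the GPO object expects Domain Admins as owner.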