wellknown and uid/gid interactions on multi DC samba AD domain

Chan Min Wai dcmwai at gmail.com
Thu May 15 04:14:24 MDT 2014


Dear Steven,

What the hack is that... :)



On Thu, May 15, 2014 at 5:57 PM, steve <steve at steve-ss.com> wrote:

> On Thu, 2014-05-15 at 11:18 +0200, Daniele Dario wrote:
> >
> > On mer, 2014-05-14 at 16:54 +0200, Daniele Dario wrote:
> > >
> > > On mer, 2014-05-14 at 16:32 +0200, steve wrote:
> > > > On Wed, 2014-05-14 at 16:15 +0200, Daniele Dario wrote:
> > > > >
> > > > > On mer, 2014-05-14 at 16:07 +0200, steve wrote:
> > > > > > On Wed, 2014-05-14 at 15:53 +0200, Daniele Dario wrote:
> > > > > > >
> > > > > > > On mer, 2014-05-14 at 14:30 +0100, Rowland Penny wrote:
> > > > > > > > On 14/05/14 14:19, Daniele Dario wrote:
> > > > > > > > >
> > > > > > > > > On mer, 2014-05-14 at 14:07 +0100, Rowland Penny wrote:
> > > > > > > > >> On 14/05/14 14:06, Daniele Dario wrote:
> > > > > > > > >>> On mer, 2014-05-14 at 14:02 +0100, Rowland Penny wrote:
> > > > > > > > >>>> On 14/05/14 13:57, Daniele Dario wrote:
> > > > > > > > >>>>> On mer, 2014-05-14 at 13:36 +0100, Rowland Penny wrote:
> > > > > > > > >>>>>> On 14/05/14 13:26, Daniele Dario wrote:
> > > > > > > > >>>>>>> Hi again,
> > > > > > > > >>>>>>>
> > > > > > > > >>>>>>> On mer, 2014-05-14 at 12:33 +0200, steve wrote:
> > > > > > > > >>>>>>>> On Wed, 2014-05-14 at 12:23 +0200, Daniele Dario
> wrote:
> > > > > > > > >>>>>>>>> Now as you said the uids/gids are the same on the
> 2 DCs so again thanks.
> > > > > > > > >>>>>>>>>
> > > > > > > > >>>>>>>> Well done.
> > > > > > > > >>>>>>>>
> > > > > > > > >>>>>>>>> I have a question about the sysvol: I noticed that
> the group of the
> > > > > > > > >>>>>>>>> sysvol folder is different on the two DCs.
> > > > > > > > >>>>>>>>> On the 1st DC (4.1.0):
> > > > > > > > >>>>>>>>> [root@kdc01:locks]# ls -n sysvol/
> > > > > > > > >>>>>>>>> total 8
> > > > > > > > >>>>>>>>> drwxrwx---+ 4 0 4 4096 Sep 24  2012 saitel.loc
> > > > > > > > >>>>>>>>>
> > > > > > > > >>>>>>>>> On the 2nd DC (4.1.7):
> > > > > > > > >>>>>>>>> [root@kdc03:locks]# ls -n sysvol/
> > > > > > > > >>>>>>>>> total 8
> > > > > > > > >>>>>>>>> drwxrwx---+ 4 0 3000000 4096 May  8 16:18
> saitel.loc
> > > > > > > > >>>>>>>>>
> > > > > > > > >>>>>>>>> [root@kdc03:locks]# wbinfo -G 3000000
> > > > > > > > >>>>>>>>> S-1-5-32-544
> > > > > > > > >>>>>>>>> [root@kdc03:locks]# wbinfo -s S-1-5-32-544
> > > > > > > > >>>>>>>>> BUILTIN\Administrators 4
> > > > > > > > >>>>>>>>>
> > > > > > > > >>>>>>>>> If I read it correctly BUILTIN\Administrators
> should be mapped as 4, so
> > > > > > > > >>>>>>>>> the same as on the other one.
> > > > > > > > >>>>>>>> What does S-1-5-32-544 look like in the respective
> idmap.ldb dbs?
> > > > > > > > >>>>>>> On kdc01 I get
> > > > > > > > >>>>>>> # record 53
> > > > > > > > >>>>>>> dn: CN=S-1-5-32-544
> > > > > > > > >>>>>>> cn: S-1-5-32-544
> > > > > > > > >>>>>>> objectClass: sidMap
> > > > > > > > >>>>>>> objectSid: S-1-5-32-544
> > > > > > > > >>>>>>> type: ID_TYPE_GID
> > > > > > > > >>>>>>> xidNumber: 4
> > > > > > > > >>>>>>> distinguishedName: CN=S-1-5-32-544
> > > > > > > > >>>>>> Have you altered idmap.ldb ?? if you find
> 'idmap_init.ldif' on your
> > > > > > > > >>>>>> system, it should contain this:
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> dn: CN=CONFIG
> > > > > > > > >>>>>> cn: CONFIG
> > > > > > > > >>>>>> lowerBound: 3000000
> > > > > > > > >>>>>> upperBound: 4000000
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> dn: @INDEXLIST
> > > > > > > > >>>>>> @IDXATTR: xidNumber
> > > > > > > > >>>>>> @IDXATTR: objectSid
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> and '4' is a lot lower than '3000000' ;-)
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> Rowland
> > > > > > > > >>>>>>
> > > > > > > > >>>>> No I didn't. Would it be possible that when I
> provisioned the domain
> > > > > > > > >>>>> (can't remember the right number but it was one of the
> latest alpha
> > > > > > > > >>>>> releases) it was different?
> > > > > > > > >>>> Possibly, I think that we need to find out just what
> version you are
> > > > > > > > >>>> running, 'samba -V' should give us this.
> > > > > > > > >>> Sorry but samba -V says 4.1.0 on kdc01 because I
> upgraded it on almost
> > > > > > > > >>> every release until 4.1.0 was released.
> > > > > > > > >>>
> > > > > > > > >>>>> And what about the difference in type? On the older I
> have type:
> > > > > > > > >>>>> ID_TYPE_GID and in the newly added I have type:
> ID_TYPE_BOTH.
> > > > > > > > >>>> I seem to remember there being a problem like this, but
> cannot remember
> > > > > > > > >>>> just when.
> > > > > > > > >>>>
> > > > > > > > >>>> Rowland
> > > > > > > > >>>>
> > > > > > > > >>>>> Daniele.
> > > > > > > > >>>>>
> > > > > > > > >> Could you please post the smb.conf from both DCs
> > > > > > > > >>
> > > > > > > > >> Rowland
> > > > > > > > >>
> > > > > > > > > Here they are:
> > > > > > > > >
> > > > > > > > > kdc01:
> > > > > > > > >
> > > > > > > > > # Global parameters
> > > > > > > > > [global]
> > > > > > > > >          workgroup = SAITEL
> > > > > > > > >          realm = saitel.loc
> > > > > > > > >          netbios name = KDC01
> > > > > > > > >          server role = active directory domain controller
> > > > > > > > >          dns forwarder = 8.8.8.8
> > > > > > > > >          idmap_ldb:use rfc2307 = yes
> > > > > > > > >          template shell = /bin/bash
> > > > > > > > >          log file = /var/log/log.samba
> > > > > > > > >          log level = 2
> > > > > > > > >          max log size = 10000
> > > > > > > > >
> > > > > > > > >          printcap name = /dev/null
> > > > > > > > >          load printers = no
> > > > > > > > >          printing = bsd
> > > > > > > > >
> > > > > > > > > [netlogon]
> > > > > > > > >          path =
> /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > > > > > > > >          read only = No
> > > > > > > > >
> > > > > > > > > [sysvol]
> > > > > > > > >          path = /usr/local/samba/var/locks/sysvol
> > > > > > > > >          read only = No
> > > > > > > > >
> > > > > > > > > kdc03:
> > > > > > > > >
> > > > > > > > > # Global parameters
> > > > > > > > > [global]
> > > > > > > > >          workgroup = SAITEL
> > > > > > > > >          realm = saitel.loc
> > > > > > > > >          netbios name = KDC03
> > > > > > > > >          server role = active directory domain controller
> > > > > > > > >          dns forwarder = 8.8.8.8
> > > > > > > > >          idmap_ldb:use rfc2307 = yes
> > > > > > > > >          template shell = /bin/bash
> > > > > > > > >          log file = /var/log/log.samba
> > > > > > > > >          log level = 2
> > > > > > > > >
> > > > > > > > >          printing = cups
> > > > > > > > >          printcap name = /var/run/cups/printcap
> > > > > > > > >          load printers = yes
> > > > > > > > >
> > > > > > > > >          rpc_server:spoolss = external
> > > > > > > > >          rpc_daemon:spoolssd = fork
> > > > > > > > >
> > > > > > > > > [netlogon]
> > > > > > > > >          path =
> /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > > > > > > > >          read only = no
> > > > > > > > >
> > > > > > > > > [sysvol]
> > > > > > > > >          path = /usr/local/samba/var/locks/sysvol
> > > > > > > > >          read only = no
> > > > > > > > >
> > > > > > > > > [printers]
> > > > > > > > >          path = /var/spool/samba
> > > > > > > > >          printable = yes
> > > > > > > > >          printing = CUPS
> > > > > > > > >
> > > > > > > > > [print$]
> > > > > > > > >          path = /srv/samba/Printer_drivers
> > > > > > > > >          comment = Printer Drivers
> > > > > > > > >          writeable = yes
> > > > > > > > >
> > > > > > > > > [homes]
> > > > > > > > >          read only = no
> > > > > > > > >
> > > > > > > > > ... all the network shares
> > > > > > > > >
> > > > > > > > > On kdc03 I'm also trying to get the print server but this
> will be
> > > > > > > > > another story I guess :)
> > > > > > > > >
> > > > > > > > > Daniele.
> > > > > > > > >
> > > > > > > > I cannot see any problem there, I have also done a dive into
> the samba
> > > > > > > > archives and as far as I can see the idmap.ldb range has
> always started
> > > > > > > > at 3000000, so where that '4' comes from I have no idea.
> > > > > > > >
> > > > > > > > I think that somehow you need to get your first DC setup
> (idmap.ldb
> > > > > > > > wise) like your second DC, run sysvolreset on your first DC,
> rsync
> > > > > > > > sysvol to second DC and then sysvolreset your second DC.
> > > > > > > >
> > > > > > > > Rowland
> > > > > > > >
> > > > > > >
> > > > > > > I tried to copy idmap.ldb from the second DC; then, after
> starting samba, I
> > > > > > > performed a sysvolreset and now permissions seem to match.
> > > > > > >
> > > > > > > I'll try to rsync sysvol now and see if sysvolcheck says that
> everything
> > > > > > > is ok.
> > > > > > >
> > > > > > > The problem is that running a sysvolcheck tells me:
> > > > > > >
> > > > > > > [root@kdc01:~]# samba-tool ntacl sysvolcheck
> > > > > > > rlimit_max: increasing rlimit_max (1024) to minimum Windows
> limit
> > > > > > > (16384)
> > > > > > > Processing section "[netlogon]"
> > > > > > > Processing section "[sysvol]"
> > > > > > > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception -
> > > > > > > ProvisioningError: DB ACL on GPO
> > > > > > > directory
> /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
> > > > > > >   File
> > > > > > >
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > > > > > > line 175, in _run
> > > > > > >     return self.run(*args, **kwargs)
> > > > > > >   File
> > > > > > >
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> > > > > > > line 249, in run
> > > > > > >     lp)
> > > > > > >   File
> > > > > > >
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1695, in checksysvolacl
> > > > > > >     direct_db_access)
> > > > > > >   File
> > > > > > >
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1646, in check_gpos_acl
> > > > > > >     domainsid, direct_db_access)
> > > > > > >   File
> > > > > > >
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1593, in check_dir_acl
> > > > > > >     raise ProvisioningError('%s ACL on GPO directory %s %s
> does not
> > > > > > > match expected value %s from GPO object' %
> (acl_type(direct_db_access),
> > > > > > > path, fsacl_sddl, acl))
> > > > > > >
> > > > > > > The same happens on kdc03 even if I just performed a
> sysvolreset.
> > > > So sysvolreset has never worked on kdc03?
> > >
> > > samba-tool ntacl sysvolreset on kdc03 (and also on kdc01) seems to work
> > > fine because it doesn't report any error.
> > >
> > > Ownership seems the same on both sysvol folders, but if I run
> sysvolcheck
> > > I get the error above.
> > >
> > > Maybe the problem is that I still have clashes: I still have to update
> > > uidNumbers and gidNumbers of my users/groups over the idmap range.
> > > I'll get back after the change.
> > >
> > > Daniele.
> > >
> > > > > > >
> > > > > > > The difference is on top: LAG vs DAG but I don't know what it
> means.
> > > > > > >
> > > > > > > Daniele.
> > > > > > >
> > > > > > Did you rsync sysvol from dc03 before you ran the sysvolreset?
> > > > > >
> > > > >
> > > > > No. I synced from kdc01 to kdc03 when I joined kdc03 as DC to the
> > > > > domain. Then I made a sysvolreset on kdc03.
> > > > > Now I copied idmap from kdc03 to kdc01 and then made a sysvolreset
> on
> > > > > kdc01 to align ownerships.
> > > > >
> > > >
> > > > rsync from dc03 to dc01 and try again. Are you sure you rsync
> > > > recursively? Something like: -AXauzv
> > > >
> > > >
> > >
> > >
> >
> > OK, I had some trouble, but now I moved Domain Users, Domain Admins, Domain
> > Guests, Domain Computers, Guest, and all my own staff starting from
> > 4000001 so I would not have clashes.
> >
> > Performing a sysvolreset seems to work (even if I get a lot of "idmap
> > range not specified for domain '*'" messages during its execution), but I
> > still see that when I perform a sysvolcheck I get the error:
> >
> > [root@kdc01:~]# samba-tool ntacl sysvolcheck
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > (16384)
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > ProvisioningError: DB ACL on GPO
> > directory
> /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
> >   File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> > line 249, in run
> >     lp)
> >   File
> >
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1695, in checksysvolacl
> >     direct_db_access)
> >   File
> >
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1646, in check_gpos_acl
> >     domainsid, direct_db_access)
> >   File
> >
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1593, in check_dir_acl
> >     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> > match expected value %s from GPO object' % (acl_type(direct_db_access),
> > path, fsacl_sddl, acl))
> >
> > and this happens on all DCs (even after sysvolreset).
> >
> > Daniele.
> >
>
> If the GPO isn't working, try a big hammer:
> samba-tool ntacl set
> 'O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)'
> /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> We are in the lab here, aren't we?
>
>
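The two descriptors in the sysvolcheck error above differ only in the owner: LA is the domain's built-in Administrator account (RID 500), DA is Domain Admins (RID 512), which is the owner the GPO object in AD expects and the one steve's `samba-tool ntacl set` line writes back. The following is an added example, not Samba's code and not part of the thread: it parses both SDDL strings and reports every difference, so the error becomes readable. The alias expansions and the file access-mask bit names follow MS-DTYP; the two descriptors are the ones quoted in the error.

```python
"""Parse two SDDL security descriptors and explain where they differ, which is
what `samba-tool ntacl sysvolcheck` leaves the reader to work out from its
'does not match expected value' error. Added example, not Samba's own code."""
import re
from typing import Dict, List

# SDDL two-letter SID aliases seen in SYSVOL descriptors (MS-DTYP 2.4.2.4).
SID_ALIASES: Dict[str, str] = {
    "LA": "built-in Administrator account of the domain (RID 500)",
    "DA": "Domain Admins (RID 512)",
    "DU": "Domain Users (RID 513)",
    "EA": "Enterprise Admins (RID 519)",
    "CO": "CREATOR OWNER (S-1-3-0)",
    "SY": "LOCAL SYSTEM (S-1-5-18)",
    "AU": "Authenticated Users (S-1-5-11)",
    "ED": "Enterprise Domain Controllers (S-1-5-9)",
    "BA": "BUILTIN\\Administrators (S-1-5-32-544)",
}

# File access-mask bits, high to low, for turning 0x001f01ff into names.
FILE_RIGHTS = [
    (0x00100000, "SYNCHRONIZE"), (0x00080000, "WRITE_OWNER"),
    (0x00040000, "WRITE_DAC"), (0x00020000, "READ_CONTROL"),
    (0x00010000, "DELETE"), (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00000080, "FILE_READ_ATTRIBUTES"), (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000020, "FILE_EXECUTE"), (0x00000010, "FILE_WRITE_EA"),
    (0x00000008, "FILE_READ_EA"), (0x00000004, "FILE_APPEND_DATA"),
    (0x00000002, "FILE_WRITE_DATA"), (0x00000001, "FILE_READ_DATA"),
]
FULL_CONTROL = 0x001F01FF

# The two descriptors copied from the sysvolcheck error in the thread.
FS_ACL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
GPO_ACL = "O:DA" + FS_ACL[4:]   # identical apart from the owner, as on the page

_COMPONENT = re.compile(r"([OGDS]):")  # literal SIDs and ACE fields contain no ':'


def parse_sddl(sddl: str) -> dict:
    """Split O:/G:/D:/S: components and the DACL into flags plus ACE dicts."""
    marks = list(_COMPONENT.finditer(sddl))
    parts: Dict[str, str] = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        parts[m.group(1)] = sddl[m.end():end]
    dacl = parts.get("D", "")
    paren = dacl.find("(")
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE ({ace})")
        aces.append(dict(zip(("type", "flags", "rights", "object",
                              "inherit_object", "sid"), fields)))
    return {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl_flags": dacl if paren < 0 else dacl[:paren], "aces": aces}


def describe_sid(sid: str) -> str:
    return f"{sid} = {SID_ALIASES.get(sid, 'literal SID')}"


def describe_rights(rights: str) -> str:
    if not rights.startswith("0x"):
        return rights                       # already symbolic (FA, GR, ...)
    mask = int(rights, 16)
    if mask & FULL_CONTROL == FULL_CONTROL:
        return "FULL_CONTROL"
    return "|".join(n for bit, n in FILE_RIGHTS if mask & bit) or "NONE"


def ace_text(ace: dict) -> str:
    return (f"{ace['type']};{ace['flags']};{describe_rights(ace['rights'])}"
            f";;;{describe_sid(ace['sid'])}")


def diff_sddl(actual: str, expected: str) -> List[str]:
    """Every way `actual` (the ACL stored for the directory) departs from
    `expected` (the GPO object's ACL). An empty list means they match."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out: List[str] = []
    for part in ("owner", "group"):
        if a[part] != e[part]:
            out.append(f"{part}: have {describe_sid(a[part])}, want {describe_sid(e[part])}")
    if a["dacl_flags"] != e["dacl_flags"]:
        out.append(f"dacl flags: have {a['dacl_flags']!r}, want {e['dacl_flags']!r}")
    have = [ace_text(x) for x in a["aces"]]
    want = [ace_text(x) for x in e["aces"]]
    out += [f"extra ACE: {x}" for x in have if x not in want]
    out += [f"missing ACE: {x}" for x in want if x not in have]
    if have != want and sorted(have) == sorted(want):
        out.append("same ACEs in a different order (evaluation order matters)")
    return out


if __name__ == "__main__":
    for line in diff_sddl(FS_ACL, GPO_ACL) or ["ACLs match"]:
        print(line)
```

Run against the page's two strings it reports one line, the owner mismatch, and nothing about the DACL, which is why resetting ownership (or setting the expected descriptor directly) is the only change needed for that GPO directory. The `P` flag in `D:P` means the DACL is protected, i.e. it does not inherit from the parent, so a fix on the Policies directory does not propagate down on its own.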

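The underlying inconsistency in the thread is in idmap.ldb: kdc01 maps S-1-5-32-544 to xid 4 with type ID_TYPE_GID, below the 3000000 lowerBound, while kdc03 maps it to 3000000 with type ID_TYPE_BOTH, so the same sysvol tree shows different POSIX groups on the two DCs, and Daniele then moves his rfc2307 uidNumber/gidNumber values above the range to avoid clashes. The following is an added example, not Samba's code and not from the thread: it reads idmap.ldb dumps in the layout `ldbsearch -H /usr/local/samba/private/idmap.ldb` prints (the path is the usual one for a /usr/local/samba install and is an assumption) and flags out-of-range xids, xid sharing within one DC, SIDs mapped differently on two DCs, and posix ids that sit inside the idmap range. The CONFIG and S-1-5-32-544 records are the ones quoted above; the S-1-5-32-545 records and the posix ids are constructed for the example.

```python
"""Consistency checks for Samba AD idmap.ldb mappings across two DCs.
Added example, not Samba's own code; the S-1-5-32-545 records and the
uid/gid values below are constructed placeholders."""
from typing import Dict, List, Tuple

# Constructed dumps in the layout `ldbsearch -H idmap.ldb` prints. The
# S-1-5-32-544 records reproduce the two DCs in the thread (xid 4 on kdc01,
# 3000000 on kdc03); the S-1-5-32-545 records are made up for the example.
KDC01_IDMAP = """\
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000

# record 53
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 4

dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000000
"""

KDC03_IDMAP = """\
dn: CN=CONFIG
lowerBound: 3000000
upperBound: 4000000

dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

# Constructed rfc2307 uidNumber/gidNumber values as they might be set in AD.
SAMPLE_POSIX_IDS = {"daniele": 3000005, "Domain Users": 4000001}

Mapping = Dict[str, Tuple[int, str]]  # objectSid -> (xidNumber, type)


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated records of 'attr: value'
    lines, '#' comments skipped; base64 ('::') and folded lines unsupported."""
    records: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                records.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(": ")
            cur.setdefault(attr, []).append(value)
    if cur:
        records.append(cur)
    return records


def load_idmap(text: str) -> Tuple[int, int, Mapping]:
    lower = upper = None
    mapping: Mapping = {}
    for rec in parse_ldif(text):
        if rec.get("dn") == ["CN=CONFIG"]:
            lower, upper = int(rec["lowerBound"][0]), int(rec["upperBound"][0])
        elif "sidMap" in rec.get("objectClass", []):
            mapping[rec["objectSid"][0]] = (int(rec["xidNumber"][0]), rec["type"][0])
    if lower is None or upper is None:
        raise ValueError("idmap.ldb dump has no CN=CONFIG record")
    return lower, upper, mapping


def types_overlap(t1: str, t2: str) -> bool:
    """uid 3000000 and gid 3000000 are different namespaces; ID_TYPE_BOTH
    occupies both, so it overlaps with everything."""
    return t1 == t2 or "ID_TYPE_BOTH" in (t1, t2)


def check_dc(name: str, text: str) -> List[str]:
    """Flag xids outside the configured range (the '4' from the thread) and
    two SIDs that would resolve to the same uid or gid on this DC."""
    lower, upper, mapping = load_idmap(text)
    findings: List[str] = []
    seen: Dict[int, Tuple[str, str]] = {}
    for sid, (xid, typ) in sorted(mapping.items()):
        if not lower <= xid <= upper:  # range treated as inclusive here
            findings.append(f"{name}: {sid} -> {xid} ({typ}) outside range {lower}-{upper}")
        if xid in seen and types_overlap(seen[xid][1], typ):
            findings.append(f"{name}: xid {xid} shared by {seen[xid][0]} and {sid}")
        seen.setdefault(xid, (sid, typ))
    return findings


def compare_dcs(name_a: str, text_a: str, name_b: str, text_b: str) -> List[str]:
    """A SID mapped differently on two DCs gives different POSIX owners on an
    otherwise identical sysvol, which is what the two `ls -n` outputs show."""
    a, b = load_idmap(text_a)[2], load_idmap(text_b)[2]
    return [f"{sid}: {name_a} {a[sid][0]} ({a[sid][1]}) vs {name_b} {b[sid][0]} ({b[sid][1]})"
            for sid in sorted(set(a) & set(b)) if a[sid] != b[sid]]


def check_rfc2307(posix_ids: Dict[str, int], lower: int, upper: int) -> List[str]:
    """With `idmap_ldb:use rfc2307 = yes` the AD uidNumber/gidNumber takes
    precedence, so a value inside the idmap range can collide with an
    automatically allocated xid; values above upperBound are safe."""
    return [f"{who}: {num} is inside the idmap range {lower}-{upper}"
            for who, num in sorted(posix_ids.items()) if lower <= num <= upper]


if __name__ == "__main__":
    lo, hi, _ = load_idmap(KDC01_IDMAP)
    for line in (check_dc("kdc01", KDC01_IDMAP) + check_dc("kdc03", KDC03_IDMAP)
                 + compare_dcs("kdc01", KDC01_IDMAP, "kdc03", KDC03_IDMAP)
                 + check_rfc2307(SAMPLE_POSIX_IDS, lo, hi)):
        print(line)
```

The cross-DC comparison is the check worth running before copying idmap.ldb from one DC to another, as was done here: idmap.ldb is not replicated, so every DC that already allocated its own xids will disagree on some mapping, and the copy plus `samba-tool ntacl sysvolreset` has to be repeated on each of them.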
