wellknown and uid/gid interactions on multi DC samba AD domain

Daniele Dario d.dario76 at gmail.com
Thu May 15 05:33:54 MDT 2014



On gio, 2014-05-15 at 11:57 +0200, steve wrote:
> On Thu, 2014-05-15 at 11:18 +0200, Daniele Dario wrote:
> > 
> > On mer, 2014-05-14 at 16:54 +0200, Daniele Dario wrote:
> > > 
> > > On mer, 2014-05-14 at 16:32 +0200, steve wrote:
> > > > On Wed, 2014-05-14 at 16:15 +0200, Daniele Dario wrote:
> > > > > 
> > > > > On mer, 2014-05-14 at 16:07 +0200, steve wrote:
> > > > > > On Wed, 2014-05-14 at 15:53 +0200, Daniele Dario wrote:
> > > > > > > 
> > > > > > > On mer, 2014-05-14 at 14:30 +0100, Rowland Penny wrote:
> > > > > > > > On 14/05/14 14:19, Daniele Dario wrote:
> > > > > > > > >
> > > > > > > > > On mer, 2014-05-14 at 14:07 +0100, Rowland Penny wrote:
> > > > > > > > >> On 14/05/14 14:06, Daniele Dario wrote:
> > > > > > > > >>> On mer, 2014-05-14 at 14:02 +0100, Rowland Penny wrote:
> > > > > > > > >>>> On 14/05/14 13:57, Daniele Dario wrote:
> > > > > > > > >>>>> On mer, 2014-05-14 at 13:36 +0100, Rowland Penny wrote:
> > > > > > > > >>>>>> On 14/05/14 13:26, Daniele Dario wrote:
> > > > > > > > >>>>>>> Hi again,
> > > > > > > > >>>>>>>
> > > > > > > > >>>>>>> On mer, 2014-05-14 at 12:33 +0200, steve wrote:
> > > > > > > > >>>>>>>> On Wed, 2014-05-14 at 12:23 +0200, Daniele Dario wrote:
> > > > > > > > >>>>>>>>> Now as you said the uids/gids are the same on the 2 DCs so again thanks.
> > > > > > > > >>>>>>>>>
> > > > > > > > >>>>>>>> Well done.
> > > > > > > > >>>>>>>>
> > > > > > > > >>>>>>>>> I have a question about the sysvol: I noticed that the group of the
> > > > > > > > >>>>>>>>> sysvol folder is different on the two DCs.
> > > > > > > > >>>>>>>>> On the 1st DC (4.1.0):
> > > > > > > > >>>>>>>>> [root at kdc01:locks]# ls -n sysvol/
> > > > > > > > >>>>>>>>> total 8
> > > > > > > > >>>>>>>>> drwxrwx---+ 4 0 4 4096 Sep 24  2012 saitel.loc
> > > > > > > > >>>>>>>>>
> > > > > > > > >>>>>>>>> On the 2nd DC (4.1.7):
> > > > > > > > >>>>>>>>> [root at kdc03:locks]# ls -n sysvol/
> > > > > > > > >>>>>>>>> total 8
> > > > > > > > >>>>>>>>> drwxrwx---+ 4 0 3000000 4096 May  8 16:18 saitel.loc
> > > > > > > > >>>>>>>>>
> > > > > > > > >>>>>>>>> [root at kdc03:locks]# wbinfo -G 3000000
> > > > > > > > >>>>>>>>> S-1-5-32-544
> > > > > > > > >>>>>>>>> [root at kdc03:locks]# wbinfo -s S-1-5-32-544
> > > > > > > > >>>>>>>>> BUILTIN\Administrators 4
> > > > > > > > >>>>>>>>>
> > > > > > > > >>>>>>>>> If I read it correctly BUILTIN\Administrators should be mapped as 4 so
> > > > > > > > >>>>>>>>> same as on the other one.
> > > > > > > > >>>>>>>> What does S-1-5-32-544 look like in the respective idmap.ldb dbs?
> > > > > > > > >>>>>>> On kdc01 I get
> > > > > > > > >>>>>>> # record 53
> > > > > > > > >>>>>>> dn: CN=S-1-5-32-544
> > > > > > > > >>>>>>> cn: S-1-5-32-544
> > > > > > > > >>>>>>> objectClass: sidMap
> > > > > > > > >>>>>>> objectSid: S-1-5-32-544
> > > > > > > > >>>>>>> type: ID_TYPE_GID
> > > > > > > > >>>>>>> xidNumber: 4
> > > > > > > > >>>>>>> distinguishedName: CN=S-1-5-32-544
> > > > > > > > >>>>>> Have you altered idmap.ldb? If you find 'idmap_init.ldif' on your
> > > > > > > > >>>>>> system, it should contain this:
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> dn: CN=CONFIG
> > > > > > > > >>>>>> cn: CONFIG
> > > > > > > > >>>>>> lowerBound: 3000000
> > > > > > > > >>>>>> upperBound: 4000000
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> dn: @INDEXLIST
> > > > > > > > >>>>>> @IDXATTR: xidNumber
> > > > > > > > >>>>>> @IDXATTR: objectSid
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> and '4' is a lot lower than '3000000' ;-)
> > > > > > > > >>>>>>
> > > > > > > > >>>>>> Rowland
> > > > > > > > >>>>>>
> > > > > > > > >>>>> No I didn't. Would it be possible that when I provisioned the domain
> > > > > > > > >>>>> (can't remember the right number but it was one of the latest alpha
> > > > > > > > >>>>> releases) it was different?
> > > > > > > > >>>> Possibly, I think that we need to find out just what version you are
> > > > > > > > >>>> running, 'samba -V' should give us this.
> > > > > > > > >>> Sorry, but samba -V says 4.1.0 on kdc01 because I upgraded it at almost
> > > > > > > > >>> every release until 4.1.0 was released.
> > > > > > > > >>>
> > > > > > > > >>>>> And what about the difference in type? On the older I have type:
> > > > > > > > >>>>> ID_TYPE_GID and in the newly added I have type: ID_TYPE_BOTH.
> > > > > > > > >>>> I seem to remember there being a problem like this, but cannot remember
> > > > > > > > >>>> just when.
> > > > > > > > >>>>
> > > > > > > > >>>> Rowland
> > > > > > > > >>>>
> > > > > > > > >>>>> Daniele.
> > > > > > > > >>>>>
> > > > > > > > >> Could you please post the smb.conf from both DCs?
> > > > > > > > >>
> > > > > > > > >> Rowland
> > > > > > > > >>
> > > > > > > > > Here they are:
> > > > > > > > >
> > > > > > > > > kdc01:
> > > > > > > > >
> > > > > > > > > # Global parameters
> > > > > > > > > [global]
> > > > > > > > >          workgroup = SAITEL
> > > > > > > > >          realm = saitel.loc
> > > > > > > > >          netbios name = KDC01
> > > > > > > > >          server role = active directory domain controller
> > > > > > > > >          dns forwarder = 8.8.8.8
> > > > > > > > >          idmap_ldb:use rfc2307 = yes
> > > > > > > > >          template shell = /bin/bash
> > > > > > > > >          log file = /var/log/log.samba
> > > > > > > > >          log level = 2
> > > > > > > > >          max log size = 10000
> > > > > > > > >
> > > > > > > > >          printcap name = /dev/null
> > > > > > > > >          load printers = no
> > > > > > > > >          printing = bsd
> > > > > > > > >
> > > > > > > > > [netlogon]
> > > > > > > > >          path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > > > > > > > >          read only = No
> > > > > > > > >
> > > > > > > > > [sysvol]
> > > > > > > > >          path = /usr/local/samba/var/locks/sysvol
> > > > > > > > >          read only = No
> > > > > > > > >
> > > > > > > > > kdc03:
> > > > > > > > >
> > > > > > > > > # Global parameters
> > > > > > > > > [global]
> > > > > > > > >          workgroup = SAITEL
> > > > > > > > >          realm = saitel.loc
> > > > > > > > >          netbios name = KDC03
> > > > > > > > >          server role = active directory domain controller
> > > > > > > > >          dns forwarder = 8.8.8.8
> > > > > > > > >          idmap_ldb:use rfc2307 = yes
> > > > > > > > >          template shell = /bin/bash
> > > > > > > > >          log file = /var/log/log.samba
> > > > > > > > >          log level = 2
> > > > > > > > >
> > > > > > > > >          printing = cups
> > > > > > > > >          printcap name = /var/run/cups/printcap
> > > > > > > > >          load printers = yes
> > > > > > > > >
> > > > > > > > >          rpc_server:spoolss = external
> > > > > > > > >          rpc_daemon:spoolssd = fork
> > > > > > > > >
> > > > > > > > > [netlogon]
> > > > > > > > >          path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
> > > > > > > > >          read only = no
> > > > > > > > >
> > > > > > > > > [sysvol]
> > > > > > > > >          path = /usr/local/samba/var/locks/sysvol
> > > > > > > > >          read only = no
> > > > > > > > >
> > > > > > > > > [printers]
> > > > > > > > >          path = /var/spool/samba
> > > > > > > > >          printable = yes
> > > > > > > > >          printing = CUPS
> > > > > > > > >
> > > > > > > > > [print$]
> > > > > > > > >          path = /srv/samba/Printer_drivers
> > > > > > > > >          comment = Printer Drivers
> > > > > > > > >          writeable = yes
> > > > > > > > >
> > > > > > > > > [homes]
> > > > > > > > >          read only = no
> > > > > > > > >
> > > > > > > > > ... all the network shares
> > > > > > > > >
> > > > > > > > > On kdc03 I'm also trying to get the print server but this will be
> > > > > > > > > another story I guess :)
> > > > > > > > >
> > > > > > > > > Daniele.
> > > > > > > > >
> > > > > > > > I cannot see any problem there, I have also done a dive into the samba 
> > > > > > > > archives and as far as I can see the idmap.ldb range has always started 
> > > > > > > > at 3000000, so where that '4' comes from I have no idea.
> > > > > > > > 
> > > > > > > > I think that somehow you need to get your first DC setup (idmap.ldb 
> > > > > > > > wise) like your second DC, run sysvolreset on your first DC, rsync 
> > > > > > > > sysvol to second DC and then sysvolreset your second DC.
> > > > > > > > 
> > > > > > > > Rowland
> > > > > > > > 
> > > > > > > 
> > > > > > > I tried to copy idmap.ldb from the second DC, then after starting samba I
> > > > > > > performed a sysvolreset and now permissions seem to match.
> > > > > > > 
> > > > > > > I'll try to rsync sysvol now and see if sysvolcheck says that everything
> > > > > > > is ok.
> > > > > > > 
> > > > > > > The problem is that running a sysvolcheck tells me:
> > > > > > > 
> > > > > > > [root at kdc01:~]# samba-tool ntacl sysvolcheck
> > > > > > > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > > > > > > (16384)
> > > > > > > Processing section "[netlogon]"
> > > > > > > Processing section "[sysvol]"
> > > > > > > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > > > > > > ProvisioningError: DB ACL on GPO
> > > > > > > directory /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
> > > > > > >   File
> > > > > > > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > > > > > > line 175, in _run
> > > > > > >     return self.run(*args, **kwargs)
> > > > > > >   File
> > > > > > > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> > > > > > > line 249, in run
> > > > > > >     lp)
> > > > > > >   File
> > > > > > > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
> > > > > > >     direct_db_access)
> > > > > > >   File
> > > > > > > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
> > > > > > >     domainsid, direct_db_access)
> > > > > > >   File
> > > > > > > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
> > > > > > >     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> > > > > > > match expected value %s from GPO object' % (acl_type(direct_db_access),
> > > > > > > path, fsacl_sddl, acl))
> > > > > > > 
> > > > > > > The same happens on kdc03 even if I just performed a sysvolreset.
> > > > So sysvolreset has never worked on kdc03?
> > > 
> > > samba-tool ntacl sysvolreset on kdc03 (and also on kdc01) seems to work
> > > fine because it doesn't report any error.
> > > 
> > > Ownership seems the same on both sysvol folders, but if I run sysvolcheck
> > > I get the error above.
> > > 
> > > Maybe the problem is that I still have clashes: I still have to update
> > > uidNumbers and gidNumbers of my users/groups over the idmap range.
> > > I'll get back after the change.
> > > 
> > > Daniele.
> > > 
> > > > > > > 
> > > > > > > The difference is on top: LAG vs DAG but I don't know what it means.
> > > > > > > 
> > > > > > > Daniele.
> > > > > > > 
> > > > > > did you rsync sysvol from dc03 before you ran the sysvolreset?
> > > > > > 
> > > > > 
> > > > > No. I synced from kdc01 to kdc03 when I joined kdc03 as DC to the
> > > > > domain. Then I made a sysvolreset on kdc03.
> > > > > Now I copied idmap from kdc03 to kdc01 and then made a sysvolreset on
> > > > > kdc01 to align ownerships.
> > > > > 
> > > > 
> > > > rsync from dc03 to dc01 and try again. Are you sure you rsync
> > > > recursively? Something like: -AXauzv
> > > >  
> > > > 
> > > 
> > > 
> > 
> > Ok, had some trouble but now I moved Domain Users, Domain Admins, Domain
> > Guests, Domain Computers, Guest, and all my own staff starting from
> > 4000001 so I would not have clashes.
> > 
> > Performing a sysvolreset seems to work (even if I get a lot of "idmap
> > range not specified for domain '*'" messages during its execution), but
> > I still see that when I perform a sysvolcheck I get the error:
> > 
> > [root at kdc01:~]# samba-tool ntacl sysvolcheck
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
> > (16384)
> > Processing section "[netlogon]"
> > Processing section "[sysvol]"
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > ProvisioningError: DB ACL on GPO
> > directory /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
> >   File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> > line 249, in run
> >     lp)
> >   File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
> >     direct_db_access)
> >   File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
> >     domainsid, direct_db_access)
> >   File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
> >     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> > match expected value %s from GPO object' % (acl_type(direct_db_access),
> > path, fsacl_sddl, acl))
> > 
> > and this happens on all DCs (even after sysvolreset).
> > 
> > Daniele.
> > 
> 
> If the GPO isn't working, try a big hammer:
> samba-tool ntacl set
> 'O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)' /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> We are in the lab here, aren't we?
> 

The big hammer doesn't work :(

[root at kdc01:~]# samba-tool ntacl set
'O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)' /usr/local/samba/var/locks/sysvol/saitel.loc/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\} -d 10
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
Security token SIDs (1):
  SID[  0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[  0]: SeMachineAccountPrivilege
  Privilege[  1]: SeTakeOwnershipPrivilege
  Privilege[  2]: SeBackupPrivilege
  Privilege[  3]: SeRestorePrivilege
  Privilege[  4]: SeRemoteShutdownPrivilege
  Privilege[  5]: SePrintOperatorPrivilege
  Privilege[  6]: SeAddUsersPrivilege
  Privilege[  7]: SeDiskOperatorPrivilege
  Privilege[  8]: SeSecurityPrivilege
  Privilege[  9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x               0):
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[yes] updates allowed[no]
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = SAITEL
doing parameter realm = saitel.loc
doing parameter netbios name = KDC01
doing parameter server role = active directory domain controller
doing parameter dns forwarder = 8.8.8.8
doing parameter idmap_ldb:use rfc2307 = yes
doing parameter template shell = /bin/bash
doing parameter log file = /var/log/log.samba
doing parameter log level = 2
Processing section "[netlogon]"
Processing section "[sysvol]"
Module 'acl_xattr' loaded
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true'
and 'force unknown acl user = true' for service Unknown Service (snum ==
-1)
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'
idmap range not specified for domain '*'

I tried to increase the debug output but I'm not expert enough to see
anything but the message
idmap range not specified for domain '*'

and these rows could seem suspicious:

lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[yes] updates allowed[no]

To be honest, I'm not sure that this happened after the join of the
second DC. It's possible that the error was already present, 'cause I've
never tried to run sysvolcheck against the DC in the past. I just trusted
sysvolreset.

Any idea?
Daniele.
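As an added example (my code, not from this thread or from Samba): a small Python SDDL parser that splits a found and an expected descriptor of the O:...G:...D:... form printed by sysvolcheck into owner, group, DACL flags and ACE fields and reports only the components that differ; the alias table is the standard SDDL abbreviation set. On the two strings from the error above it reports that only the owner differs: LA (the domain's built-in Administrator account) on disk versus DA (Domain Admins) on the GPO object.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Standard two-letter SDDL SID aliases used in the descriptors above.
SID_ALIASES: Dict[str, str] = {
    "LA": "built-in Administrator account (RID 500)", "DA": "Domain Admins",
    "DU": "Domain Users", "EA": "Enterprise Admins", "CO": "Creator Owner",
    "SY": "Local System", "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}
# O:<owner>G:<group>D:<flags>(ace)(ace)...  -- the form sysvolcheck prints
_SDDL_RE = re.compile(r"^O:(?P<owner>\S+?)G:(?P<group>\S+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")
_ACE_RE = re.compile(r"\(([^)]*)\)")

class Sddl(NamedTuple):
    owner: str
    group: str
    dacl_flags: str
    aces: Tuple[Tuple[str, ...], ...]  # (type, flags, rights, obj, inherit_obj, trustee)

def parse_sddl(text: str) -> Sddl:
    """Split a descriptor string into owner, group, DACL flags and ACE fields."""
    m = _SDDL_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported SDDL form: %r" % text)
    aces = tuple(tuple(a.split(";")) for a in _ACE_RE.findall(m.group("aces")))
    return Sddl(m.group("owner"), m.group("group"), m.group("flags"), aces)

def describe(sid: str) -> str:
    return "%s (%s)" % (sid, SID_ALIASES.get(sid, "literal SID or unknown alias"))

def sddl_diff(found: str, expected: str) -> List[str]:
    """Return one line per component that differs between two descriptors."""
    a, b = parse_sddl(found), parse_sddl(expected)
    out: List[str] = []
    if a.owner != b.owner:
        out.append("owner: %s != %s" % (describe(a.owner), describe(b.owner)))
    if a.group != b.group:
        out.append("group: %s != %s" % (describe(a.group), describe(b.group)))
    if a.dacl_flags != b.dacl_flags:
        out.append("dacl flags: %r != %r" % (a.dacl_flags, b.dacl_flags))
    if len(a.aces) != len(b.aces):
        out.append("ace count: %d != %d" % (len(a.aces), len(b.aces)))
    for i, (x, y) in enumerate(zip(a.aces, b.aces)):
        if x != y:
            out.append("ace %d: %s != %s" % (i, ";".join(x), ";".join(y)))
    return out

# The filesystem ACL and the GPO-object ACL from the sysvolcheck error on kdc01.
FOUND = "O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
EXPECTED = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

if __name__ == "__main__":
    print("\n".join(sddl_diff(FOUND, EXPECTED)) or "descriptors match")
```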
