[Samba] Issues on Samba4 AD DC GPO's with Sites and Winbind

Achim Gottinger achim at ag-web.biz
Wed Dec 4 07:28:27 MST 2013

Am 29.11.2013 02:24, schrieb Achim Gottinger:
> Am 28.11.2013 22:00, schrieb Achim Gottinger:
>> Hello Samba-List,
>> Recently I ran into a few access rights problems with GPOs.
>> I have a test environment running with four Samba4 AD DCs (SerNet 
>> 4.1.2/Debian wheezy). I used the scripts from the Samba wiki for 
>> sysvol replication. The AD database is coming from a classic 
>> upgrade and I have "idmap_ldb:use rfc2307 = yes" in my smb.conf.
>> Some groups like for example "Domain Guests" did not exist in my old 
>> db, so they got their uid from winbind. Same goes for the internal 
>> groups like "Authenticated Users".
>> The assigned UIDs from winbind differ between the four servers.
>> On the main site GPOs applied just fine and a test on a client with 
>> "gpupdate /force" reported no errors. However, on the other sites the 
>> GPOs did not apply and gpupdate /force mentioned no read access to 
>> \\domain.local\sysvol\domain.local\{GUID}\gpt.ini. The mentioned 
>> files were perfectly accessible via the explorer.
>> I compared the ACLs on the servers and they showed identical gids 
>> on the servers; however the gid 3000003, which was assigned to 
>> "Authenticated Users" on the main server, was assigned to "Domain 
>> Guests" on a site server. Looking into idmap.ldb on that server I 
>> found "Authenticated Users" S-1-5-11 used 3000011 on that server.
>> I stopped samba on the server, took a VM snapshot, copied idmap.ldb 
>> from the main server (restarted unscd), started samba again and now 
>> the GPOs applied just fine.
>> The "Authenticated Users" group can be found in Active Directory Users 
>> and Groups in the ForeignSecurityPrincipals section, but assigning 
>> UNIX attributes (gids) does not work here.
>> So having identical mappings in idmap.ldb for all the internal groups 
>> in ForeignSecurityPrincipals seems to be mandatory for properly working 
>> GPOs. Guess sssd would not help here.
>> achim~
> As a follow-up, I tested it on the other two sites' servers and as 
> soon as I copied the idmap.ldb from the main server the GPOs worked 
> without issues. I had also tested running
> samba-tool ntacl sysvolreset on the site's server before, but that did 
> not work: it applied the same uids and gids as on the main server and 
> not the ones used in the local idmap.ldb.
> For the GPOs with standard rights at least these SIDs should have 
> identical idmap.ldb entries:
> S-1-5-18 Local System
> S-1-5-11 Authenticated Users
> S-1-5-9   Enterprise Domain Controllers
> And also these, which can be handled via gidNumber:
> S-1-5-21-[DOMAIN PART]-519 [DOMAIN]\Enterprise Admins
> S-1-5-21-[DOMAIN PART]-512 [DOMAIN]\Domain Admins
> Wouldn't it make sense to precreate mappings for all the well-known 
> Windows SIDs? http://support.microsoft.com/kb/243330/en-us
> achim~
Finally, applying this Hotfix to XP clients fixed a few remaining issues 
with some GPOs not being applied correctly.
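The check the thread implies, as an added example that is not part of the mailing-list post or of Samba itself: it parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` prints on each DC, reports the well-known SIDs named above whose xidNumber differs between servers, and flags xids that stand for different SIDs on different servers (the gid 3000003 situation). The server names, the domain SID and the dumps are constructed sample data; only the attribute names (objectSid, objectClass sidMap, xidNumber) are assumed to match real idmap.ldb records.

```python
import re

# Well-known SIDs the thread says must map identically on every DC.
WELL_KNOWN_SIDS = ("S-1-5-18", "S-1-5-11", "S-1-5-9")

def parse_idmap_ldif(ldif_text):
    """Return {objectSid: xidNumber} from ldbsearch LDIF output
    (entries are blank-line separated, '#' lines are comments)."""
    mappings = {}
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = {}
        for line in entry.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mappings

def find_mismatches(dumps_by_server, sids=WELL_KNOWN_SIDS):
    """SIDs whose xid differs or is missing between servers: {sid: {server: xid}}."""
    parsed = {srv: parse_idmap_ldif(t) for srv, t in dumps_by_server.items()}
    result = {}
    for sid in sids:
        per_server = {srv: m.get(sid) for srv, m in parsed.items()}
        if len(set(per_server.values())) > 1:
            result[sid] = per_server
    return result

def find_xid_collisions(dumps_by_server):
    """xids that stand for different SIDs on different servers
    (one gid granting access to different groups per DC): {xid: {server: sid}}."""
    owners = {}
    for srv, text in dumps_by_server.items():
        for sid, xid in parse_idmap_ldif(text).items():
            owners.setdefault(xid, {})[srv] = sid
    return {x: o for x, o in owners.items() if len(set(o.values())) > 1}

def sample_ldif(mapping):
    """Constructed ldbsearch-style dump for a {sid: xid} dict (sample data only)."""
    return "\n\n".join(f"dn: CN={s}\nobjectSid: {s}\nobjectClass: sidMap\nxidNumber: {x}"
                       for s, x in mapping.items())

# Constructed dumps: placeholder domain SID, RID 514 = Domain Guests. The site DC
# has Authenticated Users and Domain Guests swapped and lacks S-1-5-9 entirely.
DOMAIN_GUESTS = "S-1-5-21-111-222-333-514"
DUMPS = {
    "dc-main": sample_ldif({"S-1-5-18": 3000000, "S-1-5-9": 3000001,
                            "S-1-5-11": 3000003, DOMAIN_GUESTS: 3000011}),
    "dc-site": sample_ldif({"S-1-5-18": 3000000, "S-1-5-11": 3000011,
                            DOMAIN_GUESTS: 3000003}),
}
```

Run it against `ldbsearch` output captured from each DC (with samba stopped or the file copied first) and fix any reported SID before touching sysvol ACLs; `samba-tool ntacl sysvolreset` alone does not resolve a mismatch, as the post above notes.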

