[Samba] Issues on Samba4 AD DC GPO's with Sites and Winbind

Achim Gottinger achim at ag-web.biz
Thu Nov 28 14:00:38 MST 2013

Hello Samba-List,

Recently I ran into a few access rights problems with GPOs.
I have a test environment running with four Samba4 AD DCs (sernet
4.1.2/Debian wheezy). I used the scripts from the Samba wiki for sysvol
replication. The AD database is coming from a classic upgrade and I
have "idmap_ldb:use rfc2307 = yes" in my smb.conf.
Some groups, like for example "Domain Guests", did not exist in my old db,
so they got their uid from winbind. Same goes for the internal groups
like "Authenticated Users".
The assigned UIDs from winbind differ between the four servers.
On the main site GPOs applied just fine and a test on a client with
"gpupdate /force" reported no errors. However, on the other sites the
GPOs did not apply and gpupdate /force mentioned no read access to
\\domain.local\sysvol\domain.local\{GUID}\gpt.ini. The mentioned files
were perfectly accessible via the explorer.
I compared the ACLs on the servers and they showed identical gids on
the servers; however, the gid 3000003, which was assigned to
"Authenticated Users" on the main server, was assigned to "Domain Guests"
on a site server. Looking into idmap.ldb on that server I found
"Authenticated Users" S-1-5-11 used 3000011 on that server.
I stopped samba on the server, took a VM snapshot, copied idmap.ldb from
the main server (restarted unscd), started samba again and now the GPOs
applied just fine.
The "Authenticated Users" group can be found in Active Directory Users
and Groups in the ForeignSecurityPrincipals section, but assigning UNIX
attributes (gids) does not work here.
So having identical mappings in idmap.ldb for all the internal groups in
ForeignSecurityPrincipals seems to be mandatory for properly working
GPOs. Guess sssd would not help here.

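The mismatch described in the post can be caught before it breaks sysvol ACLs by dumping idmap.ldb on every DC and diffing the SID-to-xid mappings. The following checker is an added example and not part of the original post or of Samba; it parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints, and the two abbreviated dumps embedded below are constructed to mirror the post (S-1-5-11 mapped to 3000003 on the main DC and 3000011 on a site DC; the domain SID S-1-5-21-1-2-3 is a placeholder).

```python
import re
from collections import defaultdict

# Constructed, abbreviated idmap.ldb dumps from two DCs (not real data);
# only the sidMap attributes the checker needs are kept.
DUMPS = {
    "dc1-main": """dn: CN=S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
xidNumber: 3000003

dn: CN=S-1-5-21-1-2-3-514
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-514
xidNumber: 3000010
""",
    "dc2-site": """dn: CN=S-1-5-21-1-2-3-514
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-514
xidNumber: 3000003

dn: CN=S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
xidNumber: 3000011
""",
}


def parse_idmap_ldif(text):
    """Return {sid: xid} from an idmap.ldb LDIF dump, skipping non-sidMap
    records such as CN=CONFIG or @INDEXLIST."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping


def find_conflicts(dumps):
    """Return (sid_conflicts, xid_conflicts): SIDs that map to different xids
    on different DCs, and xids that name different SIDs on different DCs
    (the latter is what makes a sysvol ACL grant the wrong group)."""
    by_sid, by_xid = defaultdict(dict), defaultdict(dict)
    for dc, text in dumps.items():
        for sid, xid in parse_idmap_ldif(text).items():
            by_sid[sid][dc] = xid
            by_xid[xid][dc] = sid
    sid_conflicts = {s: m for s, m in by_sid.items() if len(set(m.values())) > 1}
    xid_conflicts = {x: m for x, m in by_xid.items() if len(set(m.values())) > 1}
    return sid_conflicts, xid_conflicts
```

Run it against real dumps by replacing DUMPS with the ldbsearch output of each DC; any non-empty result means the idmap.ldb files need to be reconciled (e.g. by copying the main DC's file as the post did) before relying on sysvol ACLs.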