[Samba] Issues on Samba4 AD DC GPO's with Sites and Winbind
Achim Gottinger
achim at ag-web.biz
Thu Nov 28 14:00:38 MST 2013
Hello Samba-List,
Recently I ran into a few access rights problems with GPOs.

I have a test environment running with four Samba4 AD DCs (SerNet
4.1.2/Debian wheezy). I used the scripts from the Samba wiki for sysvol
replication. The AD database is coming from a classic upgrade and I
have "idmap_ldb:use rfc2307 = yes" in my smb.conf.

Some groups, for example "Domain Guests", did not exist in my old DB,
so they got their UID from winbind. Same goes for the internal groups
like "Authenticated Users".
The assigned UIDs from winbind differ between the four servers.

On the main site GPOs applied just fine and a test on a client with
"gpupdate /force" reported no errors. However, on the other sites the
GPOs did not apply and gpupdate /force mentioned no read access to
\\domain.local\sysvol\domain.local\{GUID}\gpt.ini. The mentioned files
were perfectly accessible via the Explorer.

I compared the ACLs on the servers and they showed identical GIDs on
the servers; however, the GID 3000003, which was assigned to
"Authenticated Users" on the main server, was assigned to "Domain Guests"
on a site server. Looking into idmap.ldb on that server I found
"Authenticated Users" S-1-5-11 used 3000011 on that server.

I stopped Samba on the server, took a VM snapshot, copied idmap.ldb from
the main server (restarted unscd), started Samba again, and now the GPOs
applied just fine.

The "Authenticated Users" group can be found in Active Directory Users
and Groups in the ForeignSecurityPrincipals section, but assigning UNIX
attributes (GIDs) does not work here.

So having identical mappings in idmap.ldb for all the internal groups in
ForeignSecurityPrincipals seems to be mandatory for properly working
GPOs. Guess sssd would not help here.
achim~
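The cross-DC comparison described above was done by hand; the script below is an added example (not part of the original post and not Samba's own tooling) that automates the check. It parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints on each DC (the private-dir path and the hostnames dc1/dc2 are assumptions, and the two dumps embedded here are constructed to mirror the swapped 3000003/3000011 mappings from the post) and reports every SID whose xidNumber differs between hosts, plus every xid that points at different SIDs on different hosts, which is exactly the condition that makes sysvol ACLs resolve to the wrong group on a site DC.

```python
"""Compare idmap.ldb mappings across Samba AD DCs and flag inconsistencies.

Usage on real DCs (assumed path; adjust to your private dir):
    ldbsearch -H /var/lib/samba/private/idmap.ldb > idmap-dc1.ldif
and feed each file's text into per_host below, keyed by hostname.
"""
from collections import defaultdict

# Constructed sample dumps, shaped like ldbsearch LDIF output from idmap.ldb.
# dc1 is the "main" DC; dc2 is a site DC whose winbind allocated the same
# xids in a different order, as in the reported problem.
SAMPLE_DUMPS = {
    "dc1": """\
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-514
cn: S-1-5-21-1111111111-2222222222-3333333333-514
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-514
type: ID_TYPE_BOTH
xidNumber: 3000011

# returned 2 records
""",
    "dc2": """\
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000011

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-514
cn: S-1-5-21-1111111111-2222222222-3333333333-514
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-514
type: ID_TYPE_BOTH
xidNumber: 3000003

# returned 2 records
""",
}


def parse_idmap_ldif(text):
    """Return {sid: xidNumber} from one DC's ldbsearch output.

    Records are blank-line separated. The SID is taken from objectSid and,
    if that attribute is missing, from cn (idmap.ldb keys records by SID).
    """
    mappings = {}
    sid = cn = xid = None
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:  # end of record
            key = sid or cn
            if key and xid is not None:
                mappings[key] = xid
            sid = cn = xid = None
            continue
        if line.startswith("#"):  # ldbsearch summary/comment lines
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr == "objectSid":
            sid = value
        elif attr == "cn":
            cn = value
        elif attr == "xidNumber":
            xid = int(value)
    return mappings


def find_sid_mismatches(per_host):
    """per_host: {hostname: {sid: xid}} -> {sid: {host: xid}} for SIDs
    whose xid is not identical on every host that has a mapping for it."""
    by_sid = defaultdict(dict)
    for host, mapping in per_host.items():
        for sid, xid in mapping.items():
            by_sid[sid][host] = xid
    return {s: h for s, h in by_sid.items() if len(set(h.values())) > 1}


def find_xid_collisions(per_host):
    """-> {xid: {host: sid}} where one xid resolves to different SIDs on
    different hosts (the ACL-looks-identical-but-means-something-else case)."""
    by_xid = defaultdict(dict)
    for host, mapping in per_host.items():
        for sid, xid in mapping.items():
            by_xid[xid][host] = sid
    return {x: h for x, h in by_xid.items() if len(set(h.values())) > 1}


def check_hosts(dumps):
    """Parse every dump and return (sid_mismatches, xid_collisions)."""
    per_host = {host: parse_idmap_ldif(text) for host, text in dumps.items()}
    return find_sid_mismatches(per_host), find_xid_collisions(per_host)


if __name__ == "__main__":
    mism, coll = check_hosts(SAMPLE_DUMPS)
    for sid, hosts in sorted(mism.items()):
        print(f"SID {sid} maps differently: {hosts}")
    for xid, hosts in sorted(coll.items()):
        print(f"xid {xid} means different SIDs: {hosts}")
```

Run against real dumps before copying idmap.ldb around: an empty result on both checks means the site DCs agree with the main DC, and a non-empty `find_xid_collisions` result tells you which GIDs on sysvol will be interpreted as a different group on which host.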