[Samba] Issues on Samba4 AD DC GPO's with Sites and Winbind

Achim Gottinger achim at ag-web.biz
Thu Nov 28 18:24:41 MST 2013

On 28.11.2013 22:00, Achim Gottinger wrote:
> Hello Samba-List,
> Recently I ran into a few access rights problems with GPOs.
> I have a test environment running with four Samba4 AD DCs (sernet 
> 4.1.2/debian wheezy). Used the scripts from the Samba wiki for sysvol 
> replication. The AD database is coming from a classic upgrade and I 
> have "idmap_ldb:use rfc2307 = yes" in my smb.conf.
> Some groups like for example "Domain Guests" did not exist in my old 
> db so they got their uid from winbind. Same goes for the internal 
> groups like "Authenticated Users".
> The assigned UIDs from winbind differ between the four servers.
> On the main site GPOs applied just fine and a test on a client with 
> "gpupdate /force" reported no errors. However on the other sites the 
> GPOs did not apply and gpupdate /force mentioned no read access to 
> \\domain.local\sysvol\domain.local\{GUID}\gpt.ini. The mentioned files 
> were perfectly accessible via the explorer.
> I compared the ACLs on the servers and they showed identical gids on 
> the servers, however the gid 3000003, which was assigned to 
> "Authenticated Users" on the main server was assigned to "Domain 
> Guests" on a site server. Looking into idmap.ldb on that server I 
> found "Authenticated Users" S-1-5-11 used 3000011 on that server.
> I stopped samba on the server, took a vm snapshot, copied idmap.ldb 
> from the main server (restarted unscd), started samba again and now 
> the GPOs applied just fine.
> The "Authenticated Users" group can be found in Active Directory Users 
> and Groups in the ForeignSecurityPrincipals section but assigning UNIX 
> attributes (gids) does not work here.
> So having identical mappings in idmap.ldb for all the internal groups 
> in ForeignSecurityPrincipals seems to be mandatory for properly working 
> GPOs. Guess sssd would not help here.
> achim~
As a follow-up, I tested it on the other two sites' servers, and as soon 
as I copied the idmap.ldb from the main server the GPOs worked without 
issues. I had also tested running
samba-tool ntacl sysvolreset on the site's server before, but that did 
not work: it applied the same uids and gids as on the main server and 
not the ones used in the local idmap.ldb.

For GPOs with standard rights, at least these SIDs should have 
identical idmap.ldb entries:

S-1-5-18 Local system
S-1-5-11 Authenticated Users
S-1-5-9   Enterprise Domain Controllers

And also these, which can be handled via gidNumber:

S-1-5-21-[DOMAIN PART]-519 [DOMAIN]\Enterprise Admins
S-1-5-21-[DOMAIN PART]-512 [DOMAIN]\Domain Admins

Wouldn't it make sense to pre-create mappings for all the well-known 
Windows SIDs? http://support.microsoft.com/kb/243330/en-us
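As an added illustration (not part of Achim's mail or of Samba itself), a small Python check that does the comparison described above across several DCs: it parses LDIF as produced by ldbsearch over idmap.ldb (the expected input format is an assumption), reports well-known SIDs whose xidNumber is missing or differs between DCs, and shows which SID owns a given xid on each DC. The sample dumps are constructed to mirror the 3000003 / 3000011 mismatch from the mail, and the domain part of the Domain Guests SID is a placeholder.

```python
import re

# Well-known SIDs whose xidNumber the post says must agree on every DC.
WELL_KNOWN = ["S-1-5-18", "S-1-5-11", "S-1-5-9"]

def parse_idmap_ldif(text):
    """Parse ldbsearch-style LDIF from idmap.ldb into {objectSid: xidNumber}."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+): (.+)$", record, re.M))
        if "objectSid" in fields and "xidNumber" in fields:
            mapping[fields["objectSid"]] = int(fields["xidNumber"])
    return mapping

def find_mismatches(dumps, sids=WELL_KNOWN):
    """dumps maps DC name -> LDIF text. Return {sid: {dc: xid or None}} for
    each SID that is unmapped on some DC or mapped to different xids."""
    parsed = {dc: parse_idmap_ldif(txt) for dc, txt in dumps.items()}
    bad = {}
    for sid in sids:
        per_dc = {dc: m.get(sid) for dc, m in parsed.items()}
        if None in per_dc.values() or len(set(per_dc.values())) > 1:
            bad[sid] = per_dc
    return bad

def who_owns(dumps, xid):
    """Which SID holds a given xid on each DC (the post's manual gid check)."""
    result = {}
    for dc, txt in dumps.items():
        sids = [s for s, x in parse_idmap_ldif(txt).items() if x == xid]
        result[dc] = sids[0] if sids else None
    return result

# Constructed sample dumps modelled on the post: dc1 (main site) maps
# Authenticated Users to 3000003, while dc2 (remote site) handed 3000003
# to Domain Guests and allocated 3000011 for Authenticated Users.
GUESTS = "S-1-5-21-1111-2222-3333-514"  # placeholder domain SID part
def _rec(sid, xid):
    return f"dn: CN={sid}\nobjectSid: {sid}\ntype: ID_TYPE_BOTH\nxidNumber: {xid}\n"
SAMPLE_DUMPS = {
    "dc1": "\n".join([_rec("S-1-5-18", 3000001), _rec("S-1-5-11", 3000003), _rec(GUESTS, 3000004)]),
    "dc2": "\n".join([_rec("S-1-5-18", 3000001), _rec(GUESTS, 3000003), _rec("S-1-5-11", 3000011)]),
}

if __name__ == "__main__":
    for sid, per_dc in find_mismatches(SAMPLE_DUMPS).items():
        print(f"{sid}: {per_dc}")
    print("xid 3000003 belongs to", who_owns(SAMPLE_DUMPS, 3000003))
```

S-1-5-9 shows up as unmapped on both DCs, which is worth knowing before winbind allocates it independently on each server.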

