[Samba] BUILTIN not mapping on DC

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 28 14:17:05 MDT 2014


On 28/04/14 19:46, Achim Gottinger wrote:
>
> Am 28.04.2014 20:29, schrieb steve:
>> On Mon, 2014-04-28 at 14:18 -0400, Ryan Bair wrote:
>>> I'm hoping to find another way to resolve the issue, but how did you 
>>> edit
>>> the uid and gids in idmap.ldb? According to `ldbsearch -H 
>>> ldaps://localhost
>>> cn=Account\ Operators` I already have a GID assigned.
>> Hi
>> DNs in idmap.ldb use the SID as the CN
>>
>> You already have the SID for the group you want from your search. Then:
>> ldbedit --url=/path/to/privat/idmap.ldb cn=your.SID
>> and replace the xidNumber attribute with the GID you have in the
>> directory. Or whatever other value you want.
>> HTH
>> Steve
>>
>>
> Steve kindly already explained how to edit idmap.
>
> If you only care about GPO ACLs, you may replace the ACLs 
> BUILTIN\Administrator with Domain-Admins and BUILTIN\Authenticated 
> Users with Domain-Users in the Windows group policy editor and run 
> samba-tool ntacl sysvolreset afterwards. Or give everyone read access.
> On my side the problems arose because I use rsync to replicate sysvol 
> between ADDCs and since the BUILTIN users/groups are ignored on the 
> unix side (not showing up in getent passwd/group)
> the UIDs/GIDs are used when replicating. Since those are dynamically 
> assigned differently on each ADDC, I get read errors on my Windows clients 
> trying to get the GPOs from an ADDC other than the source ADDC I used 
> for replication.
> Easiest for me was to copy idmap.ldb from my source ADDC to the target 
> ADDCs directly after joining to the domain.
> A proper solution would be using the RID idmap backend for BUILTIN 
> but I did not get that working.

I do not think that your problem is with id-mapping; if I run the 
commands that the OP ran, I get the exact same answers.

If I run 'getfacl /var/lib/samba/sysvol/example.com' on one of my DCs I 
get this:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/example.com
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

If I run the same command on my second DC, I get this:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/example.com
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000012:r-x
user:3000022:r-x
user:3000023:rwx
group::rwx
group:3000000:rwx
group:3000012:r-x
group:3000022:r-x
group:3000023:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000012:r-x
default:user:3000022:r-x
default:user:3000023:rwx
default:group::---
default:group:3000000:rwx
default:group:3000012:r-x
default:group:3000022:r-x
default:group:3000023:rwx
default:mask::rwx
default:other::---

Now on the face of it, they are different, but if I open idmap.ldb with 
ldbedit on the first DC and search for the numbers, we find this:

3000000 ---> CN=S-1-5-32-544
3000001 ---> CN=S-1-5-32-549
3000002 ---> CN=S-1-5-18
3000003 ---> CN=S-1-5-11

Now open idmap.ldb on the second DC and carry out the search with the 
second set of numbers:

3000000 ---> CN=S-1-5-32-544
3000012 ---> CN=S-1-5-11
3000022 ---> CN=S-1-5-32-549
3000023 ---> CN=S-1-5-18

and a bit more searching finds out that:

CN=S-1-5-32-544 ---> Administrators
CN=S-1-5-32-549 ---> Server Operators
CN=S-1-5-18 ---> Local System
CN=S-1-5-11 ---> Authenticated Users

So your builtin groups should be getting mapped via their xidNumbers.

As for the builtin users not showing up in getent passwd, only users 
that have a uidNumber & gidNumber will be shown.

Rowland
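The comparison Rowland walks through by hand can be automated. The following is an added example, not code from the thread or from Samba: it parses the named entries of getfacl output from two DCs, translates each DC's xidNumbers to SIDs using that DC's own idmap.ldb contents, and checks that the ACLs agree. The idmap tables and getfacl lines are constructed from the numbers quoted in the post; the ldbsearch invocation in the docstring is how such a table would be gathered on a real DC.

```python
"""Compare sysvol ACLs from two DCs by translating per-DC xidNumbers to SIDs.
Added example, not from the thread. The idmap tables and getfacl lines below are
constructed from the numbers quoted in the post; on a real DC the table comes
from: ldbsearch -H /path/to/private/idmap.ldb '(xidNumber=*)' objectSid xidNumber
"""
# Well-known SIDs as the post resolved them.
SID_NAMES = {"S-1-5-32-544": "Administrators", "S-1-5-32-549": "Server Operators",
             "S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users"}

# Constructed idmap.ldb content (xidNumber -> objectSid), one table per DC.
IDMAP_DC1 = {3000000: "S-1-5-32-544", 3000001: "S-1-5-32-549",
             3000002: "S-1-5-18", 3000003: "S-1-5-11"}
IDMAP_DC2 = {3000000: "S-1-5-32-544", 3000012: "S-1-5-11",
             3000022: "S-1-5-32-549", 3000023: "S-1-5-18"}

# Constructed getfacl output for sysvol/example.com on each DC (access ACL only).
GETFACL_DC1 = "\n".join(["# file: var/lib/samba/sysvol/example.com", "user::rwx",
    "user:root:rwx", "user:3000000:rwx", "user:3000001:r-x", "user:3000002:rwx",
    "user:3000003:r-x", "group::rwx", "group:3000000:rwx", "group:3000001:r-x",
    "group:3000002:rwx", "group:3000003:r-x", "mask::rwx", "other::---"])
GETFACL_DC2 = "\n".join(["# file: var/lib/samba/sysvol/example.com", "user::rwx",
    "user:root:rwx", "user:3000000:rwx", "user:3000012:r-x", "user:3000022:r-x",
    "user:3000023:rwx", "group::rwx", "group:3000000:rwx", "group:3000012:r-x",
    "group:3000022:r-x", "group:3000023:rwx", "mask::rwx", "other::---"])

def parse_getfacl(text):
    """Return {(tag, qualifier): perms} for named user:/group: entries only."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue                      # skip getfacl comment header lines
        tag, qualifier, perms = line.split(":", 2)
        if tag in ("user", "group") and qualifier:   # drops owner, mask, other
            entries[(tag, qualifier)] = perms
    return entries

def canonicalize(entries, idmap):
    """Replace numeric xidNumbers with SIDs (then names) so DCs compare equal.
    An xid absent from idmap.ldb is kept as a visible UNMAPPED marker."""
    out = {}
    for (tag, qualifier), perms in entries.items():
        if qualifier.isdigit():
            sid = idmap.get(int(qualifier))
            qualifier = SID_NAMES.get(sid, sid) if sid else f"UNMAPPED-{qualifier}"
        out[(tag, qualifier)] = perms
    return out

def acls_match(getfacl_a, idmap_a, getfacl_b, idmap_b):
    """True when both DCs grant identical rights to the same SIDs."""
    return canonicalize(parse_getfacl(getfacl_a), idmap_a) == canonicalize(parse_getfacl(getfacl_b), idmap_b)
```

Comparing the raw numeric ACLs would report a difference; comparing after canonicalization shows the two DCs grant the same rights to the same BUILTIN principals.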

