[Samba] BUILTIN not mapping on DC

steve steve at steve-ss.com
Mon Apr 28 14:38:19 MDT 2014


On Mon, 2014-04-28 at 21:17 +0100, Rowland Penny wrote:
> On 28/04/14 19:46, Achim Gottinger wrote:
> >
> > Am 28.04.2014 20:29, schrieb steve:
> >> On Mon, 2014-04-28 at 14:18 -0400, Ryan Bair wrote:
> >>> I'm hoping to find another way to resolve the issue, but how did you
> >>> edit the uid and gids in idmap.ldb? According to `ldbsearch -H
> >>> ldaps://localhost cn=Account\ Operators` I already have a GID assigned.
> >> Hi
> >> DNs in idmap.ldb use the SID as the CN
> >>
> >> You already have the SID for the group you want from your search. Then:
> >> ldbedit --url=/path/to/private/idmap.ldb cn=your.SID
> >> and replace the xidNumber attribute with the GID you have in the
> >> directory. Or whatever other value you want.
> >> HTH
> >> Steve
> >>
> >>
> > Steve kindly already explained how to edit idmap.
> >
> > If you only care about GPO acl's, you may replace the acl's 
> > BUILTIN\Administrator with Domain-Admins and BUILTIN\Authenticated 
> > Users with Domain-Users in the windows group policy editor and run 
> > samba-tool ntacl sysvolreset afterwards. Or give everyone read access.
> > On my side the problems arose because I use rsync to replicate sysvol 
> > between ADDCs and since the BUILTIN users/groups are ignored on the 
> > unix side (not showing up in getent passwd/group)
> > the uid's/gid's are used when replicating. Since those are dynamically 
> > assigned differently on each ADDC, I get read errors on my windows clients 
> > trying to get the gpo's from an ADDC other than the source ADDC I used 
> > for replication.
> > Easiest for me was to copy idmap.ldb from my source ADDC to the target 
> > ADDCs directly after joining the domain.
> > A proper solution would be using the RID idmap backend for BUILTIN 
> > but I did not get that working.
> 
> I do not think that your problem is with id-mapping, if I run the 
> commands that the OP ran, I get the exact same answers.
> 
> If I run 'getfacl /var/lib/samba/sysvol/example.com' on one of my DC's I 
> get this:
> 
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/example.com
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 
> If I run the same command on my second DC, I get this:
> 
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/example.com
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000012:r-x
> user:3000022:r-x
> user:3000023:rwx
> group::rwx
> group:3000000:rwx
> group:3000012:r-x
> group:3000022:r-x
> group:3000023:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000012:r-x
> default:user:3000022:r-x
> default:user:3000023:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000012:r-x
> default:group:3000022:r-x
> default:group:3000023:rwx
> default:mask::rwx
> default:other::---
> 
> Now on the face of it, they are different, but if I open idmap.ldb with 
> ldbedit on the first DC and search for the numbers, we find this:
> 
> 3000000 ---> CN=S-1-5-32-544
> 3000001 ---> CN=S-1-5-32-549
> 3000002 ---> CN=S-1-5-18
> 3000003 ---> CN=S-1-5-11
> 
> now open idmap.ldb on the second DC and carry out the search with the 
> second set of numbers:
> 
> 3000000 ---> CN=S-1-5-32-544
> 3000012 ---> CN=S-1-5-11
> 3000022 ---> CN=S-1-5-32-549
> 3000023 ---> CN=S-1-5-18
> 
> and a bit more searching finds out that:
> 
> CN=S-1-5-32-544 ---> Administrators
> CN=S-1-5-32-549 ---> Server Operators
> CN=S-1-5-18 ---> Local System
> CN=S-1-5-11 ---> Authenticated Users
> 
> So your builtin groups should be getting mapped via their xidNumbers.
> 
> As for the builtin users not showing up in getent passwd, only users 
> that have a uidNumber & gidNumber will be shown.

...and you can't add a uidNumber to, e.g. BUILTIN\Administrators :(
Steve
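The check Rowland did by hand, as an added example that is not code from the thread: resolve the numeric ids in each DC's getfacl output through that DC's idmap.ldb xidNumber-to-SID table and compare the ACLs by SID rather than by raw number. The ACL lines, xid tables and SID names are taken from Rowland's listings; applying one DC's table to the other DC's ACL (what a raw rsync of sysvol amounts to) surfaces as orphaned ids.

```python
# Added example (not from the thread): compare two DCs' sysvol ACLs after
# resolving numeric xids to SIDs via each DC's idmap.ldb table.
# ACL text and xid tables are copied from Rowland's listings (non-default
# entries only); the SID -> name table uses the names he gave.

ACL_DC1 = ("user::rwx\nuser:root:rwx\nuser:3000000:rwx\nuser:3000001:r-x\n"
           "user:3000002:rwx\nuser:3000003:r-x\ngroup::rwx\ngroup:3000000:rwx\n"
           "group:3000001:r-x\ngroup:3000002:rwx\ngroup:3000003:r-x\n"
           "mask::rwx\nother::---")
ACL_DC2 = ("user::rwx\nuser:root:rwx\nuser:3000000:rwx\nuser:3000012:r-x\n"
           "user:3000022:r-x\nuser:3000023:rwx\ngroup::rwx\ngroup:3000000:rwx\n"
           "group:3000012:r-x\ngroup:3000022:r-x\ngroup:3000023:rwx\n"
           "mask::rwx\nother::---")
# xidNumber -> SID, as found in each DC's private/idmap.ldb
IDMAP_DC1 = {3000000: "S-1-5-32-544", 3000001: "S-1-5-32-549",
             3000002: "S-1-5-18", 3000003: "S-1-5-11"}
IDMAP_DC2 = {3000000: "S-1-5-32-544", 3000012: "S-1-5-11",
             3000022: "S-1-5-32-549", 3000023: "S-1-5-18"}
SID_NAMES = {"S-1-5-32-544": "Administrators", "S-1-5-32-549": "Server Operators",
             "S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users"}


def normalize_acl(acl_text, idmap):
    """Map each getfacl entry to {(tag, principal): perms}.

    Numeric qualifiers are replaced by the SID from idmap; an id with no
    idmap entry is an orphan (e.g. an ACL rsync'd in from another DC).
    """
    entries = {}
    for line in acl_text.splitlines():
        tag, qualifier, perms = line.split(":")
        if qualifier.isdigit():
            xid = int(qualifier)
            if xid not in idmap:
                raise KeyError(f"xid {xid} has no entry in idmap.ldb")
            qualifier = idmap[xid]
        entries[(tag, qualifier)] = perms
    return entries


def acl_diff(acl_a, idmap_a, acl_b, idmap_b):
    """Entries whose permissions differ once ids are resolved to SIDs."""
    a, b = normalize_acl(acl_a, idmap_a), normalize_acl(acl_b, idmap_b)
    diff = {}
    for tag, sid in set(a) | set(b):
        if a.get((tag, sid)) != b.get((tag, sid)):
            diff[(tag, SID_NAMES.get(sid, sid))] = (a.get((tag, sid)), b.get((tag, sid)))
    return diff


if __name__ == "__main__":
    print("differences after SID resolution:", acl_diff(ACL_DC1, IDMAP_DC1, ACL_DC2, IDMAP_DC2))
```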
