[Samba] BUILTIN not mapping on DC

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 28 15:39:01 MDT 2014


On 28/04/14 22:23, Achim Gottinger wrote:
> Am 28.04.2014 22:17, schrieb Rowland Penny:
>> On 28/04/14 19:46, Achim Gottinger wrote:
>>>
>>> Am 28.04.2014 20:29, schrieb steve:
>>>> On Mon, 2014-04-28 at 14:18 -0400, Ryan Bair wrote:
>>>>> I'm hoping to find another way to resolve the issue, but how did 
>>>>> you edit
>>>>> the uid and gids in idmap.ldb? According to `ldbsearch -H 
>>>>> ldaps://localhost
>>>>> cn=Account\ Operators` I already have a GID assigned.
>>>> Hi
>>>> DNs in idmap.ldb use the SID as the CN
>>>>
>>>> You already have the SID for the group you want from your search. 
>>>> Then:
>>>> ldbedit --url=/path/to/privat/idmap.ldb cn=your.SID
>>>> and replace the xidNumber attribute with the GID you have in the
>>>> directory. Or whatever other value you want.
>>>> HTH
>>>> Steve
>>>>
>>>>
>>> Steve kindly already explained how to edit idmap.
>>>
>>> If you only care about GPO ACLs, you may replace the ACLs 
>>> BUILTIN\Administrator with Domain-Admins and BUILTIN\Authenticated 
>>> Users with Domain-Users in the Windows group policy editor and run 
>>> samba-tool ntacl sysvolreset afterwards. Or give everyone read access.
>>> On my side the problems arose because I use rsync to replicate 
>>> sysvol between ADDCs and since the BUILTIN users/groups are ignored 
>>> on the unix side (not showing up in getent passwd/group)
>>> the uids/gids are used when replicating. Since those are dynamically 
>>> assigned differently on each ADDC, I get read errors on my Windows 
>>> clients trying to get the GPOs from an ADDC other than the source ADDC 
>>> I used for replication.
>>> Easiest for me was to copy idmap.ldb from my source ADDC to the 
>>> target ADDCs directly after joining to the domain.
>>> A proper solution would be using the RID idmap backend for BUILTIN 
>>> but I did not get that working.
>>
>> I do not think that your problem is with id-mapping, if I run the 
>> commands that the OP ran, I get the exact same answers.
>>
>> If I run 'getfacl /var/lib/samba/sysvol/example.com' on one of my 
>> DCs I get this:
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol/example.com
>> # owner: root
>> # group: 3000000
>> user::rwx
>> user:root:rwx
>> user:3000000:rwx
>> user:3000001:r-x
>> user:3000002:rwx
>> user:3000003:r-x
>> group::rwx
>> group:3000000:rwx
>> group:3000001:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000000:rwx
>> default:user:3000001:r-x
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> if I run the same command on my second DC, I get this:
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol/example.com
>> # owner: root
>> # group: 3000000
>> user::rwx
>> user:root:rwx
>> user:3000000:rwx
>> user:3000012:r-x
>> user:3000022:r-x
>> user:3000023:rwx
>> group::rwx
>> group:3000000:rwx
>> group:3000012:r-x
>> group:3000022:r-x
>> group:3000023:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:3000000:rwx
>> default:user:3000012:r-x
>> default:user:3000022:r-x
>> default:user:3000023:rwx
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000012:r-x
>> default:group:3000022:r-x
>> default:group:3000023:rwx
>> default:mask::rwx
>> default:other::---
>>
>> Now on the face of it, they are different, but if I open idmap.ldb 
>> with ldbedit on the first DC and search for the numbers, we find this:
>>
>> 3000000 ---> CN=S-1-5-32-544
>> 3000001 ---> CN=S-1-5-32-549
>> 3000002 ---> CN=S-1-5-18
>> 3000003 ---> CN=S-1-5-11
>>
>> now open idmap.ldb on the second DC and carry out the search with the 
>> second set of numbers:
>>
>> 3000000 ---> CN=S-1-5-32-544
>> 3000012 ---> CN=S-1-5-11
>> 3000022 ---> CN=S-1-5-32-549
>> 3000023 ---> CN=S-1-5-18
>>
>> and a bit more searching finds out that:
>>
>> CN=S-1-5-32-544 ---> Administrators
>> CN=S-1-5-32-549 ---> Server Operators
>> CN=S-1-5-18 ---> Local System
>> CN=S-1-5-11 ---> Authenticated Users
>>
>> So your builtin groups should be getting mapped via their xidNumbers.
>>
>> As for the builtin users not showing up in getent passwd, only users 
>> that have a uidNumber & gidNumber will be shown.
>>
>> Rowland
> If I rsync the sysvol folder manually with -XAavz I get identical gids 
> on the target machine. These flags are the ones recommended here 
> https://wiki.samba.org/index.php/SysVol_Replication.
> Does your script involve additional logic mapping the gids?

Ah well, I am trying to write a script around csync2, so did not use 
rsync, but the -A option to rsync should copy the ACLs, which would be 
based on the Windows groups, so I do not understand you saying that you 
got identical gids on the target machine, care to elaborate?

>
> How can rsync map gid(source) -> sid -> gid(target) if the gids do 
> not resolve on a filesystem level?

Because that is what idmap.ldb is for (amongst other things)

>
> On a side note, getent passwd lists users here which got their uids 
> assigned via winbind without having a uidNumber in the corresponding 
> ldap entry.
>

In which case you are probably using the rid backend, you would be 
better off using uidNumbers, gidNumbers and the ad backend.

Rowland
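The point of the thread is that the numeric xids in the sysvol ACLs are per-DC allocations, so two DCs can carry equivalent ACLs with different numbers, and copying the numbers verbatim (as rsync -A does) only works if both DCs share the same idmap.ldb. The following Python script is an added example, not code from the thread or from Samba: it parses getfacl output from two DCs, translates each xid to its SID through that DC's own mapping table, and compares the ACLs at the SID level. The xid -> SID tables are hard-coded from the values quoted above rather than read from idmap.ldb, the getfacl samples are the thread's output trimmed to the access entries, and the "UNMAPPED:" marker is a constructed label for an xid that has no entry in the target DC's table.

```python
"""Compare sysvol ACLs from two DCs at the SID level rather than the xid level.

Added example, not from the thread or from Samba. The idmap tables below are
hard-coded from the values quoted in the thread; on a real DC they would be
read from private/idmap.ldb. "UNMAPPED:<xid>" is a constructed label.
"""

# Constructed from the thread: xidNumber -> SID, as allocated on each DC
IDMAP_DC1 = {3000000: "S-1-5-32-544", 3000001: "S-1-5-32-549",
             3000002: "S-1-5-18", 3000003: "S-1-5-11"}
IDMAP_DC2 = {3000000: "S-1-5-32-544", 3000012: "S-1-5-11",
             3000022: "S-1-5-32-549", 3000023: "S-1-5-18"}
SID_NAMES = {"S-1-5-32-544": "Administrators", "S-1-5-32-549": "Server Operators",
             "S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users"}

# getfacl output as quoted in the thread, trimmed to the access entries
GETFACL_DC1 = """\
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/example.com
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
"""
GETFACL_DC2 = """\
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/example.com
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000012:r-x
user:3000022:r-x
user:3000023:rwx
group::rwx
group:3000000:rwx
group:3000012:r-x
group:3000022:r-x
group:3000023:rwx
mask::rwx
other::---
"""


def parse_getfacl(text):
    """Return a set of (kind, qualifier, perms) tuples from getfacl output.

    'user:3000001:r-x' -> ('user', '3000001', 'r-x'); 'mask::rwx' -> ('mask', '', 'rwx').
    Comment lines and the getfacl warning line are skipped.
    """
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("getfacl:"):
            continue
        parts = line.split(":")
        perms, qualifier = parts[-1], parts[-2]
        kind = ":".join(parts[:-2])  # keeps 'default:user' style prefixes intact
        entries.add((kind, qualifier, perms))
    return entries


def translate_xids(entries, idmap):
    """Replace numeric xid qualifiers with SIDs using one DC's idmap table."""
    translated = set()
    for kind, qualifier, perms in entries:
        if qualifier.isdigit():
            qualifier = idmap.get(int(qualifier), "UNMAPPED:" + qualifier)
        translated.add((kind, qualifier, perms))
    return translated


def unmapped_xids(entries, idmap):
    """Numeric qualifiers that the given idmap table cannot resolve to a SID."""
    return sorted({int(q) for _, q, _ in entries if q.isdigit() and int(q) not in idmap})


def sid_level_diff(acl_a, idmap_a, acl_b, idmap_b):
    """Return (entries only in A, entries only in B) after SID translation."""
    a = translate_xids(parse_getfacl(acl_a), idmap_a)
    b = translate_xids(parse_getfacl(acl_b), idmap_b)
    return a - b, b - a


def describe(entry):
    kind, qualifier, perms = entry
    return f"{kind}:{SID_NAMES.get(qualifier, qualifier)}:{perms}"


if __name__ == "__main__":
    # Each DC's ACL read through its own idmap: equivalent despite different numbers
    only_a, only_b = sid_level_diff(GETFACL_DC1, IDMAP_DC1, GETFACL_DC2, IDMAP_DC2)
    print("own idmap on each DC, differences:", len(only_a) + len(only_b))
    # DC1's numeric ACL copied verbatim onto DC2 and read through DC2's idmap
    only_a, only_b = sid_level_diff(GETFACL_DC1, IDMAP_DC2, GETFACL_DC2, IDMAP_DC2)
    print("unresolvable xids after verbatim copy:",
          unmapped_xids(parse_getfacl(GETFACL_DC1), IDMAP_DC2))
    for e in sorted(only_b):
        print("missing on replica:", describe(e))
```

Run as-is, the first comparison reports no differences, which is the thread's observation that the two DCs' ACLs agree once the numbers are resolved through each DC's own idmap.ldb. The second comparison models the verbatim copy: three of DC1's xids have no entry on DC2, so Server Operators, Local System and Authenticated Users drop out of the replica's ACL, which is the read error the Windows clients see.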


