[Samba] BUILTIN not mapping on DC

steve steve at steve-ss.com
Tue Apr 29 03:24:00 MDT 2014


On Tue, 2014-04-29 at 09:50 +0100, Rowland Penny wrote:
> On 29/04/14 00:32, Achim Gottinger wrote:
> > Am 29.04.2014 01:13, schrieb steve:
> >> On Tue, 2014-04-29 at 00:54 +0200, Achim Gottinger wrote:
> >>> Am 29.04.2014 00:30, schrieb steve:
> >>>> On Mon, 2014-04-28 at 22:39 +0100, Rowland Penny wrote:
> >>>>
> >>>>>>> 3000000 ---> CN=S-1-5-32-544
> >>>>>>> 3000001 ---> CN=S-1-5-32-549
> >>>>>>> 3000002 ---> CN=S-1-5-18
> >>>>>>> 3000003 ---> CN=S-1-5-11
> >>>>>>>
> >>>>>>> now open idmap.ldb on the second DC and carry out the search 
> >>>>>>> with the
> >>>>>>> second set of numbers:
> >>>>>>>
> >>>>>>> 3000000 ---> CN=S-1-5-32-544
> >>>>>>> 3000012 ---> CN=S-1-5-11
> >>>>>>> 3000022 ---> CN=S-1-5-32-549
> >>>>>>> 3000023 ---> CN=S-1-5-18
> >>>>>>>
> >>>>>>> and a bit more searching finds out that:
> >>>>>>>
> >>>>>>> CN=S-1-5-32-544 ---> Administrators
> >>>>>>> CN=S-1-5-32-549 ---> Server Operators
> >>>>>>> CN=S-1-5-18 ---> Local System
> >>>>>>> CN=S-1-5-11 ---> Authenticated Users
> >>>>>>>
> >>>> It's unfortunate that we can't use AD for rfc2307 for these objects as
> >>>> we can with domain equivalents. I think the OP wants consistent values
> >>>> across DC's without having to run sysvol reset after syncing, in which
> >>>> case his copying idmap.ldb to the other DC method from the master 
> >>>> seems
> >>>> like the only way to do it.
> >>>>
> >>>> Have we got that right? This thread is aiming at:
> >>>>
> >>>>>>> 3000000 ---> CN=S-1-5-32-544
> >>>>>>> 3000001 ---> CN=S-1-5-32-549
> >>>>>>> 3000002 ---> CN=S-1-5-18
> >>>>>>> 3000003 ---> CN=S-1-5-11
> >>>> for all DCs?
> >>>> Cheers,
> >>>> Steve
> >>> The OP has found that BUILTIN groups do not resolve on the unix side at
> >>> his ADDC. If they'd resolve using rsync -A would work with different
> >>> idmap.ldb mappings because rsync and for example nfs3 would be able to
> >>> do uid(source)->name(source)->name(target)->uid(target) mappings for
> >>> copy operations. Without an proper uid->name mapping the uid's are used
> >>> unodified.
> >>> Having identical mappings on all dc's is an workaround for the not
> >>> resolving issue.
> >>>
> >> OK. So we want identical uid mappings on all DCs for e.g. users, but not
> >> for BUILTIN\x ??
> >>
> > If the idmap_autorid backend would work for BUILTIN we'd get identical 
> > mappings.
> >
> OK, I can now see the problem and agree that if you rsync sysvol to 
> another DC, you do indeed get the same xidNumbers as on the original DC, 
> these xidNumbers will probably not map the same on the client DC. The 
> workround is probably to run 'samba-tool ntacl sysvolreset' after rsync.
> 
> There is a thread on samba-technical about idmap_autorid at the moment, 
> Jeremy Allinson has proposed hardcoding the mappings for the well known 
> SID's, I think that this is what is needed here.

Hi
The problem could also be solved if the schema allowed uidNumber
attributes for BUILTIN objects.



More information about the samba mailing list