[Samba] Issues on Samba4 AD DC GPO's with Sites and Winbind

Achim Gottinger achim at ag-web.biz
Fri Aug 22 19:25:28 MDT 2014

On 04.12.2013 15:28, Achim Gottinger wrote:
> On 29.11.2013 02:24, Achim Gottinger wrote:
>> On 28.11.2013 22:00, Achim Gottinger wrote:
>>> Hello Samba-List,
>>> Recently I ran into a few access rights problems with GPOs.
>>> I have a test environment running with four Samba4 AD DCs (SerNet 
>>> 4.1.2/Debian wheezy). I used the scripts from the Samba wiki for 
>>> sysvol replication. The AD database is coming from a classic 
>>> upgrade and I have "idmap_ldb:use rfc2307 = yes" in my smb.conf.
>>> Some groups like for example "Domain Guests" did not exist in my old 
>>> DB so they got their UID from winbind. Same goes for the internal 
>>> groups like "Authenticated Users".
>>> The assigned UIDs from winbind differ between the four servers.
>>> On the main site GPOs applied just fine and a test on a client with 
>>> "gpupdate /force" reported no errors. However, on the other sites the 
>>> GPOs did not apply and gpupdate /force mentioned no read access to 
>>> \\domain.local\sysvol\domain.local\{GUID}\gpt.ini. The mentioned 
>>> files were perfectly accessible via the Explorer.
>>> I compared the ACLs on the servers and they showed identical GIDs 
>>> on the servers; however, the GID 3000003, which was assigned to 
>>> "Authenticated Users" on the main server, was assigned to "Domain 
>>> Guests" on a site server. Looking into idmap.ldb on that server I 
>>> found "Authenticated Users" S-1-5-11 used 3000011 on that server.
>>> I stopped Samba on the server, took a VM snapshot, copied idmap.ldb 
>>> from the main server (restarted unscd), started Samba again and now 
>>> the GPOs applied just fine.
>>> The "Authenticated Users" group can be found in Active Directory 
>>> Users and Groups in the ForeignSecurityPrincipals section, but 
>>> assigning UNIX attributes (GIDs) does not work here.
>>> So having identical mappings in idmap.ldb for all the internal 
>>> groups in ForeignSecurityPrincipals seems to be mandatory for properly 
>>> working GPOs. Guess sssd would not help here.
>>> achim~
>> As a follow-up, I tested it on the other two sites' servers and as 
>> soon as I copied the idmap.ldb from the main server the GPOs worked 
>> without issues. I had also tested running
>> samba-tool ntacl sysvolreset on the site's server before, but that did 
>> not work: it applied the same UIDs and GIDs as on the main server 
>> and not the ones used in the local idmap.ldb.
>> For the GPOs with standard rights, at least these SIDs should have 
>> identical idmap.ldb entries:
>> S-1-5-18 Local System
>> S-1-5-11 Authenticated Users
>> S-1-5-9   Enterprise Domain Controllers
>> And also these, which can be handled via gidNumber:
>> S-1-5-21-[DOMAIN PART]-519 [DOMAIN]\Enterprise Admins
>> S-1-5-21-[DOMAIN PART]-512 [DOMAIN]\Domain Admins
>> Wouldn't it make sense to precreate mappings for all the well-known 
>> Windows SIDs? http://support.microsoft.com/kb/243330/en-us
>> achim~
> Finally, applying this hotfix to XP clients fixed a few remaining issues 
> with some GPOs not being applied correctly:
> http://www.microsoft.com/en-us/download/details.aspx?id=3628
Because this issue just popped up today, I tested running samba-tool ntacl 
sysvolreset in a test environment with two AD DCs (4.1.11) and 
idmap.ldb's with different mappings. This time, at the second site the 
correct mappings from the local idmap.ldb were applied and not the ones 
from the first site, as was the case in this test with version 
4.1.2. It was an odd find in the first place and can be considered closed.
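An added check, not from the thread or from Samba, for the requirement stated above that the well-known and domain SIDs map to the same xidNumber on every DC: it parses `ldbsearch -H idmap.ldb` output collected from each DC (the LDIF samples here are constructed) and reports any of those SIDs that differ between DCs or are missing on one of them.

```python
import re
# SIDs the thread says must have identical idmap.ldb entries on every DC
WELL_KNOWN = {"S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users",
              "S-1-5-9": "Enterprise Domain Controllers"}
DOMAIN_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins"}  # via gidNumber

def parse_idmap_ldif(text):
    """Map objectSid -> xidNumber from `ldbsearch -H idmap.ldb` output."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def sid_label(sid):
    """Name for a SID this check cares about, or None for any other SID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    return DOMAIN_RIDS.get(m.group(1)) if m else None

def find_mismatches(per_dc):
    """{dc: {sid: xid}} -> [(sid, label, {dc: xid})] for relevant SIDs
    that are missing on some DC or map to different xids across DCs."""
    result = []
    for sid in sorted(set().union(*per_dc.values())):
        label = sid_label(sid)
        xids = {dc: m.get(sid) for dc, m in per_dc.items()}
        if label and len(set(xids.values())) > 1:
            result.append((sid, label, xids))
    return result

# Constructed samples (not real data): dc2 gave Domain Guests (-514) the xid
# that dc1 uses for Authenticated Users, as in the first post of the thread.
DC1 = """# record 1
dn: CN=S-1-5-11
objectSid: S-1-5-11
xidNumber: 3000003
"""
DC2 = DC1.replace("3000003", "3000011") + """
dn: CN=S-1-5-21-1-2-3-514
objectSid: S-1-5-21-1-2-3-514
xidNumber: 3000003
"""
if __name__ == "__main__":
    maps = {"dc1": parse_idmap_ldif(DC1), "dc2": parse_idmap_ldif(DC2)}
    for sid, label, xids in find_mismatches(maps):
        print(f"{sid} ({label}) differs across DCs: {xids}")
```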
