[Samba] Proper sysvol replication solution...

Rowland Penny rowlandpenny at googlemail.com
Sat Aug 23 06:59:48 MDT 2014

On 23/08/14 13:41, Achim Gottinger wrote:
> Am 23.08.2014 09:18, schrieb steve:
>> On Sat, 2014-08-23 at 01:37 +0200, Achim Gottinger wrote:
>>> Am 23.08.2014 00:40, schrieb steve:
>>> Rowland
>>>>> Well you talked about well-known RIDs earlier. The well-known SIDs
>>>>> are the same on all domains; RIDs are always prefixed with the
>>>>> domain SID. To prove myself wrong, these do resolve well and cause
>>>>> no problems. As for the SIDs (builtin/security), the only problem on
>>>>> the Linux side is that they do not resolve at all to a gid. It is
>>>>> not necessary that they resolve to the same gid on every machine,
>>>>> they just must resolve to a number.
>>>> No. They must resolve to the same number. If it's 3000000 on DC1
>>>> and you rsync it across to DC2 where the same group is mapped to
>>>> 3000001, it is a mess. Your GPOs will fail.
>>> If a group resolves to 3000000 on DC1 and to 3000001 on DC2 and you
>>> use -o -g during rsync, a file owned by 3000000 will be owned by
>>> 3000001 after it got rsynced from DC1 to DC2. The GPO will continue
>>> to work.
>> But wouldn't it make it so much more user friendly if we didn't need to
>> remember all this stuff? 3000000 on DC1 is 3000000 on DC2?
> I assume in 4.2 we can use idmap_rid for BUILTIN and NT AUTHORITY
> groups and this way achieve identical IDs on all Samba servers.

This is what I am hoping will happen.

> Otherwise you'd have to store the IDs somewhere in Active Directory
> and become incompatible with Windows.
>>>>> If a group resolves to different gids on two systems, rsync will
>>>>> take care of the number replacement; if not, the gid will be the
>>>>> same.
>>>> rsync cannot map builtins because they are not available via nss!
>>> That is what I mean by "they do not resolve".
>> OK. ATM they 'resolve' by maintaining a separate database containing
>> their sid and an id. All we're asking, is make that db contain the same
>> SIDs and ids on all DCs. Oh, and don't put any domain users in the same
>> database, because they too have their ids pulled from there if we do not
>> specify rfc2307. Maybe the new DC winbind will sort this out;)
> The mappings for BUILTIN and other local groups/users from idmap.ldb
> are only used inside Samba. nss_winbind only shows the domain
> user/group mappings, either pulled from Active Directory or from
> idmap.ldb depending on the rfc2307 settings. :-)

The BUILTIN mappings need to be usable by Unix, so that getfacl gets 
easier to use; this would then allow the creation of shares to be done 
entirely on the S4 AD DC without having to resort to ADUC etc. to set 
the required permissions.

>>>>> achim~
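The exchange above turns on one mechanism: with -o -g (and -A) and without --numeric-ids, rsync sends each uid/gid together with the name the sender resolves for it, the receiver looks that name up through its own NSS, and any id that neither side can name by NSS is carried over as a raw number. Domain groups therefore get renumbered correctly between DCs, while BUILTIN ids, which live only in idmap.ldb and are invisible to nss_winbind, arrive on the other DC as whatever number they had on the first one. The following script is an added model of that translation applied to a getfacl -n listing of a sysvol object; it is not rsync's or Samba's code, and the group tables, the gid values and the ACL text are constructed for the example.

```python
"""Model of the owner/group translation rsync performs with -o -g (and -A)
when --numeric-ids is NOT given, applied to a `getfacl -n` listing.

Added illustration, not rsync's or Samba's own code.  The NSS tables,
idmap-only tables, gid values and ACL text below are constructed; the
group names are hypothetical.
"""

# Constructed: what `getent group` (nss_winbind) shows on each DC.  The
# same domain group carries a different gid on each DC, as in the thread.
DC1_NSS_GROUPS = {3000000: "EXAMPLE\\Domain Admins",
                  3000001: "EXAMPLE\\Domain Users"}
DC2_NSS_GROUPS = {3000001: "EXAMPLE\\Domain Admins",
                  3000002: "EXAMPLE\\Domain Users"}

# Constructed: BUILTIN mappings that exist only in each DC's idmap.ldb and
# are not exported through nss_winbind, so rsync never sees a name for them.
DC1_IDMAP_ONLY = {3000003: "BUILTIN\\Administrators"}
DC2_IDMAP_ONLY = {3000005: "BUILTIN\\Administrators"}


def translate_id(numeric_id, sender_nss, receiver_nss):
    """Map one id the way rsync does without --numeric-ids.

    The sender resolves the id to a name; the receiver resolves that name
    back to a local id.  If either lookup fails, the numeric id is kept.
    Returns (id_on_receiver, mapped_by_name).
    """
    name = sender_nss.get(numeric_id)
    if name is None:
        return numeric_id, False
    for rid, rname in receiver_nss.items():
        if rname == name:
            return rid, True
    return numeric_id, False


def parse_getfacl(text):
    """Parse getfacl output into (tag, qualifier, perms) tuples.

    Comment lines (# file:, # owner:, # group:) are dropped; a missing
    qualifier (user::, mask::, other::) yields an empty string.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms))
    return entries


def translate_acl(entries, sender_nss, receiver_nss):
    """Rewrite the named user:/group: entries of an ACL for the receiver.

    Returns (translated_entries, fallback_entries).  The second list holds
    entries that could not be mapped by name and so kept a numeric id that
    may mean nothing, or the wrong thing, on the receiving DC.
    """
    translated, fallback = [], []
    for tag, qualifier, perms in entries:
        if tag in ("user", "group") and qualifier.isdigit():
            new_id, mapped = translate_id(int(qualifier), sender_nss, receiver_nss)
            entry = (tag, str(new_id), perms)
            if not mapped:
                fallback.append(entry)
            translated.append(entry)
        else:
            translated.append((tag, qualifier, perms))
    return translated, fallback


def dangling_entries(entries, receiver_nss, receiver_idmap_only):
    """Return entries whose numeric qualifier matches no id the receiver knows,
    i.e. ACEs that no longer refer to any principal on that DC."""
    known = set(receiver_nss) | set(receiver_idmap_only)
    return [e for e in entries
            if e[0] in ("user", "group") and e[1].isdigit()
            and int(e[1]) not in known]


# Constructed `getfacl -n` output for one sysvol object on DC1:
# 3000000 is the domain group, 3000003 the idmap.ldb-only BUILTIN group.
ACL_ON_DC1 = """\
# file: sysvol/example.lan/Policies/example
# owner: 0
# group: 3000000
user::rwx
group::rwx
group:3000000:rwx
group:3000003:r-x
mask::rwx
other::---
"""

if __name__ == "__main__":
    entries = parse_getfacl(ACL_ON_DC1)
    on_dc2, fallback = translate_acl(entries, DC1_NSS_GROUPS, DC2_NSS_GROUPS)
    for e in on_dc2:
        print(":".join(e))
    print("kept numeric id (no NSS name):", fallback)
    print("refers to nothing on DC2:",
          dangling_entries(on_dc2, DC2_NSS_GROUPS, DC2_IDMAP_ONLY))
```

Run as written, the domain-group entry comes out as group:3000001 on DC2 (the right gid there), while the BUILTIN entry stays group:3000003, which on DC2 is neither the domain group nor the BUILTIN mapping (3000005). That is the case the thread is about: name-based translation only helps for ids that nss_winbind exposes, and the fix asked for is identical BUILTIN mappings on every DC (or exposing them through NSS), not an rsync option.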
