[Samba] posix gid mapping of built-in groups

Henrik Langos hlangos-samba at innominate.com
Mon Jun 23 06:30:44 MDT 2014


Here's a little example for what happens:

On DC1 (without "group winbind" in /etc/nsswitch.conf):

root at DC1:~# getfacl /var/lib/samba/sysvol/ads.example.local/Policies/\{294045CD-868A-4662-8339-0692047A7502\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/ads.example.local/Policies/{294045CD-868A-4662-8339-0692047A7502}/
# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000008:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000008:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---


On DC2 (with "group winbind" in nsswitch.conf):

root at DC2:~# getfacl /var/lib/samba/sysvol/ads.example.local/Policies/\{294045CD-868A-4662-8339-0692047A7502\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/ads.example.local/Policies/{294045CD-868A-4662-8339-0692047A7502}/
# owner: 3000008
# group: 3000008
user::rwx
user:EXAMPLE+Guest:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:EXAMPLE+Domain\040Guests:r-x
group:3000006:rwx
group:3000008:rwx
group:EXAMPLE+Domain\040Admins:r-x
mask::rwx
other::---
default:user::rwx
default:user:EXAMPLE+Guest:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000008:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:EXAMPLE+Domain\040Guests:r-x
default:group:3000006:rwx
default:group:3000008:rwx
default:group:EXAMPLE+Domain\040Admins:r-x
default:mask::rwx
default:other::---

Now if I enable "group winbind" on DC1 I get:

root at DC1:~# getfacl /var/lib/samba/sysvol/ads.example.local/Policies/\{294045CD-868A-4662-8339-0692047A7502\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/ads.example.local/Policies/{294045CD-868A-4662-8339-0692047A7502}/
# owner: 3000008
# group: EXAMPLE+Domain\040Admins
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:EXAMPLE+Enterprise\040Admins:rwx
group:EXAMPLE+Domain\040Admins:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000008:rwx
default:user:3000010:r-x
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:EXAMPLE+Enterprise\040Admins:rwx
default:group:EXAMPLE+Domain\040Admins:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---


You see, "Domain Admins" have rwx on DC1 while on DC2 they only have r-x 
due to a different mapping.
No wonder rsync balks if I enable winbind on DC1. It has conflicting 
settings due to different gidnumber<->AD group mappings.
I suspect that in the current situation DC2 would not even work as GPO 
provider if DC1 went down.

Even worse: the uid number 3000002 from DC1 gets mapped to "EXAMPLE+Guest" 
on DC2!
If Guest had a shell login on DC1 he could mess with my group policies!

All because the built-in groups are mapped to different numbers on 
different DCs.

I guess there should be a big warning on the SysVol_Replication article 
in the wiki to only enable the rsync replication if all groups/users 
involved are mapped to stable uid/gid numbers. Or am I paranoid? (Or 
plain stupid?) I wouldn't rule that out in the least ;-)

Cheers
-henrik


For reference here's what "getent group" shows:

DC1
...
EXAMPLE+Enterprise Read-Only Domain Controllers:*:3000031:
EXAMPLE+Domain Admins:*:3000008:
EXAMPLE+Domain Users:*:10001:
EXAMPLE+Domain Guests:*:3000012:
EXAMPLE+Domain Computers:*:3000018:
EXAMPLE+Domain Controllers:*:3000023:
EXAMPLE+Schema Admins:*:3000007:
EXAMPLE+Enterprise Admins:*:3000006:
EXAMPLE+Group Policy Creator Owners:*:3000004:
EXAMPLE+Read-Only Domain Controllers:*:3000032:
EXAMPLE+DnsUpdateProxy:*:3000033:

DC2
...
EXAMPLE+Enterprise Read-Only Domain Controllers:*:3000009:
EXAMPLE+Domain Admins:*:3000010:
EXAMPLE+Domain Users:*:10001:
EXAMPLE+Domain Guests:*:3000003:
EXAMPLE+Domain Computers:*:3000011:
EXAMPLE+Domain Controllers:*:3000012:
EXAMPLE+Schema Admins:*:3000013:
EXAMPLE+Enterprise Admins:*:3000014:
EXAMPLE+Group Policy Creator Owners:*:3000015:
EXAMPLE+Read-Only Domain Controllers:*:3000016:
EXAMPLE+DnsUpdateProxy:*:3000017:


On 06/23/14 13:32, Henrik Langos wrote:
> Hi Louis,
>
> Thank you for the link. I've seen your scripts before and it was on my 
> todo list to check it out and maybe even update the wiki
> with a reference to it: 
> https://wiki.samba.org/index.php/SysVol_Replication
>
> However, my problem arises from not having Windows AD groups mapped to 
> the same posix uidnumber on all AD DCs, not from having changes made 
> on different DCs.
>
> Is there a down side to providing posix gid numbers to all AD built-in 
> groups?
> Does anybody have experience with that approach?
>
> cheers
> -henrik
>
>
> On 06/20/14 09:58, L.P.H. van Belle wrote:
>> Hai,
>>
>> I suggest trying my script, or if you are not on Ubuntu/Debian, read the 
>> script and adapt it to your OS.
>> Maybe this works for you with the winbind setup, I don't know, but you 
>> can try it.
>> I'm using this now for about 1 month without problems, and I can 
>> change GPO settings on any DC now.
>>
>> https://secure.bazuin.nl/scripts/3-setup-sysvol-bidirectional.sh
>>
>>
>> Best regards,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: hlangos-samba at innominate.com
>>> [mailto:samba-bounces at lists.samba.org] On behalf of Henrik Langos
>>> Sent: Friday, 20 June 2014 9:52
>>> To: samba at lists.samba.org
>>> Subject: [Samba] sysvol replication and posix uid / gid mapping
>>>
>>> Hi,
>>>
>>> I just found out the hard way that sysvol replication with rsync stopped
>>> working when I activated winbind (libnss-winbind actually) on my primary
>>> AD DC.
>>>
>>> Originally I hadn't planned to activate winbind on the primary AD DC
>>> since that machine was not meant to provide any shares.
>>> What I hadn't thought of was the fact that GPOs reside as files on the
>>> sysvol share and thus are subject to the same rules as any other files.
>>> Now that I have activated winbind, those files belong to a non-numeric
>>> group and rsync complains.
>>>
>>> Maybe a hint in that regard on
>>> https://wiki.samba.org/index.php/SysVol_Replication would be nice.
>>>
>>> What is the best practice in regard to all those groups like "Domain
>>> Admins" "Printer Operators" and so on?
>>> Should those get posix uid/gid numbers? Could somebody point me in the
>>> right direction?
>>>
>>> Thanks
>>> -henrik
>>>
>

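To make the problem Henrik describes checkable before anyone enables rsync-based sysvol replication, here is an added example (not code from the post, from Louis's script, or from the Samba project) that compares the "getent group" output of two DCs and then resolves the numeric gids found in a getfacl listing against both mappings. The sample inputs are copied and trimmed from the listings in the post above; every function name is this example's own. A gid that names one group on DC1 and another (or nothing) on DC2 is exactly the case where a numeric ACL copied by rsync silently grants rights to the wrong principal.

```python
"""Audit idmap consistency between two Samba AD DCs before enabling
rsync-based sysvol replication (added example, not from the post or Samba).
Inputs below are trimmed copies of the "getent group" / "getfacl" listings
from the thread; function names are this example's own assumptions."""
import re
from typing import Dict, List, Set, Tuple

# "getent group" excerpts for the two DCs, as posted.
GETENT_DC1 = """\
EXAMPLE+Enterprise Read-Only Domain Controllers:*:3000031:
EXAMPLE+Domain Admins:*:3000008:
EXAMPLE+Domain Users:*:10001:
EXAMPLE+Domain Guests:*:3000012:
EXAMPLE+Domain Computers:*:3000018:
EXAMPLE+Domain Controllers:*:3000023:
EXAMPLE+Schema Admins:*:3000007:
EXAMPLE+Enterprise Admins:*:3000006:
EXAMPLE+Group Policy Creator Owners:*:3000004:
EXAMPLE+Read-Only Domain Controllers:*:3000032:
EXAMPLE+DnsUpdateProxy:*:3000033:
"""
GETENT_DC2 = """\
EXAMPLE+Enterprise Read-Only Domain Controllers:*:3000009:
EXAMPLE+Domain Admins:*:3000010:
EXAMPLE+Domain Users:*:10001:
EXAMPLE+Domain Guests:*:3000003:
EXAMPLE+Domain Computers:*:3000011:
EXAMPLE+Domain Controllers:*:3000012:
EXAMPLE+Schema Admins:*:3000013:
EXAMPLE+Enterprise Admins:*:3000014:
EXAMPLE+Group Policy Creator Owners:*:3000015:
EXAMPLE+Read-Only Domain Controllers:*:3000016:
EXAMPLE+DnsUpdateProxy:*:3000017:
"""
# Access ACL of the GPO directory on DC1 (default entries left out).
GETFACL_DC1 = """\
# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
"""

ACL_GROUP_RE = re.compile(r"^(?:default:)?group:(\d+):")  # group:GID:perms
OWNER_GROUP_RE = re.compile(r"^# group: (\d+)$")          # getfacl header


def parse_getent_group(text: str) -> Dict[str, int]:
    """Map group name -> gid from 'name:passwd:gid:members' lines."""
    mapping: Dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            mapping[parts[0]] = int(parts[2])
    return mapping


def unstable_gids(a: Dict[str, int], b: Dict[str, int]) -> List[Tuple[str, int, int]]:
    """Groups known on both DCs whose gid differs; their rsync'd ACL
    entries and ownership will point at a different group after copying."""
    return sorted((n, a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n])


def gids_in_acl(getfacl_text: str) -> Set[int]:
    """Numeric gids referenced by group entries and the owning group."""
    gids: Set[int] = set()
    for line in getfacl_text.splitlines():
        m = ACL_GROUP_RE.match(line) or OWNER_GROUP_RE.match(line)
        if m:
            gids.add(int(m.group(1)))
    return gids


def acl_conflicts(getfacl_text: str, a: Dict[str, int], b: Dict[str, int]):
    """gid -> (name on DC a, name on DC b) for every ACL gid that resolves
    differently on the two DCs. None means the gid is not a known group
    there; a gid unknown on both is not reported (it may be a uid)."""
    rev_a = {g: n for n, g in a.items()}
    rev_b = {g: n for n, g in b.items()}
    out = {}
    for gid in sorted(gids_in_acl(getfacl_text)):
        pair = (rev_a.get(gid), rev_b.get(gid))
        if pair[0] != pair[1]:
            out[gid] = pair
    return out


if __name__ == "__main__":
    dc1, dc2 = parse_getent_group(GETENT_DC1), parse_getent_group(GETENT_DC2)
    for name, g1, g2 in unstable_gids(dc1, dc2):
        print(f"UNSTABLE {name}: DC1 gid {g1} != DC2 gid {g2}")
    for gid, (n1, n2) in acl_conflicts(GETFACL_DC1, dc1, dc2).items():
        print(f"ACL gid {gid}: DC1={n1!r} DC2={n2!r}")
```

Run on the thread's data it flags every built-in group except "Domain Users" (which has a stable gid 10001 on both DCs) and shows that gid 3000008 is "Domain Admins" only on DC1 while 3000010 is "Domain Admins" only on DC2, which is the r-x versus rwx discrepancy Henrik saw. In practice you would feed it the live `getent group` and `getfacl -R` output of each DC and refuse to start replication until the unstable list is empty.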

