[Samba] posix gid mapping of built-in groups
Henrik Langos
hlangos-samba at innominate.com
Mon Jun 23 11:05:18 MDT 2014
On 06/23/14 17:30, steve wrote:
> On Mon, 2014-06-23 at 17:03 +0200, Henrik Langos wrote:
>> On 06/23/14 15:07, steve wrote:
>>> On Mon, 2014-06-23 at 14:30 +0200, Henrik Langos wrote:
>>>> Here's a little example for what happens:
>>> Hi
>>> The best way around it is to copy the idmap db from DC1 to DC2 and then
>>> call sysvol reset.
>> Sounds reasonable. Thank you!
>>
>> How do I "call sysvol reset" ? (Showing my almost complete Samba4
>> ignorance here :-) )
> Sorry, it's:
> samba-tool ntacl sysvolreset
Thank you!
I just did "samba-tool ntacl sysvolcheck" and had both DC1 and DC2
report errors:
root at DC1:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/ads.example.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1612, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
root at DC1:~#
root at DC2:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/ads.example.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Shutdown
O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1612, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
root at DC2:~#
Now I did the following:
- reset the ACLs on DC1 with "samba-tool ntacl sysvolreset"
- stopped samba on DC2
- copied idmap.ldb to DC2
- started samba on DC2
- verified that "samba-tool ntacl sysvolcheck" still reported errors
- waited for rsync to straighten out permissions
- verified that "samba-tool ntacl sysvolcheck" reported no more problems
after rsync did its work
- activated "group winbind" in nsswitch.conf and verified that now the IDs
are the same across DC1 and DC2
Great!! Thank you so much!
>> And will newly created users/groups have their uid synced, or should I go
>> with posix IDs for those?
> No, not just with the above action. To do that, have a look at:
> samba-tool user create henrik --uid-number=3000100 --gidNumber=513
Ok. So I'd have to provide posix IDs to those users and groups to have
them stable across DCs.
( I've already had my share of fun with ADUC clobbering the IDs I
provided via samba-tool, but I figured out how to get around that, too. )
I guess I am good to go. I finally feel half way prepared to move some
early adopter users into the domain. Thank you very much for your help!
One more thing. If I decide to give the existing built-in groups posix
IDs, how would I go about changing the extended ACLs on the existing
files in order to match the new numeric IDs? (Yes, if possible I'd
like to get them out of that 3000xxx range in order to see which ones
I've messed with and which ones I left alone. ;-) )
I guess for the files on sysvol I could go ahead, change the IDs and
leave the mess to "samba-tool ntacl sysvolreset". But is there a
generic way to replace one uid/gid in those extended POSIX ACLs with
another if changes become necessary?
And would I have done enough, or are there more places that would need
to be touched?
I've just read http://users.suse.com/~agruen/acl/linux-acls/online/ and
I wonder where samba stores the other permissions that are not easily
mapped to posix ACLs.
cheers
-henrik
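The sysvolcheck errors above are easier to read once the two SDDL strings are pulled apart, because the interesting difference is not the long list of ACEs but the owner, group and DACL flags. The following is an added example (not code from this thread and not part of Samba itself) that parses the two SDDL strings quoted in the error, diffs them as multisets of ACEs and reports the mismatch: on disk the directory is owned by BA (BUILTIN\Administrators) with group DU (Domain Users) and carries an explicit BA ACE, whereas the GPO object expects owner and group DA (Domain Admins), a protected DACL (the "P" flag) and a second DA ACE. The well-known SID abbreviations and the two access masks are standard SDDL; the parser is deliberately limited to the numeric-mask form that appears in this output and does not cover the full SDDL grammar.

```python
import re
from collections import Counter
from typing import NamedTuple

# Both strings are copied from the `samba-tool ntacl sysvolcheck` error quoted
# in the thread: the ACL found on the sysvol directory, and the ACL the GPO
# object in the directory says it should have.
FS_SDDL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)")

# Standard SDDL abbreviations for the well-known SIDs that occur above.
SID_NAMES = {
    "BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "DU": "Domain Users", "CO": "Creator Owner",
    "SY": "Local System", "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}
# Access masks seen in the output: 0x1f01ff is FILE_ALL_ACCESS,
# 0x1200a9 is FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
RIGHTS_NAMES = {0x1F01FF: "full control", 0x1200A9: "read+execute"}
# DACL control flags: P = protected (inheritance from the parent is blocked).
DACL_FLAGS = {"P": "protected", "AI": "auto-inherited", "AR": "auto-inherit requested"}


class Ace(NamedTuple):
    ace_type: str   # "A" allow, "D" deny
    flags: str      # e.g. OICI = object inherit + container inherit
    rights: int
    sid: str

    def describe(self) -> str:
        who = SID_NAMES.get(self.sid, self.sid)
        what = RIGHTS_NAMES.get(self.rights, hex(self.rights))
        return f"{self.ace_type} {who}: {what} [{self.flags or '-'}]"


# Owner and group are read non-greedily so that an abbreviation starting
# with "D" (such as DU) is not mistaken for the "D:" DACL marker.
_HEAD = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                   r"(?P<aces>(?:\([^()]*\))*)$")


def parse_sddl(sddl: str) -> dict:
    """Split an SDDL string of the form seen in sysvolcheck output."""
    m = _HEAD.match(sddl)
    if not m:
        raise ValueError(f"unsupported SDDL: {sddl!r}")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        if not rights.startswith("0x"):
            raise ValueError(f"only numeric access masks are handled: {rights}")
        aces.append(Ace(ace_type, flags, int(rights, 16), sid))
    return {"owner": m["owner"], "group": m["group"],
            "flags": m["flags"], "aces": aces}


def diff_acls(found_sddl: str, expected_sddl: str) -> dict:
    """Compare an on-disk ACL against the expected one, ACEs as a multiset."""
    found, expected = parse_sddl(found_sddl), parse_sddl(expected_sddl)
    fc, ec = Counter(found["aces"]), Counter(expected["aces"])
    same = lambda k: None if found[k] == expected[k] else (found[k], expected[k])
    return {
        "owner": same("owner"),
        "group": same("group"),
        "missing_flags": "".join(f for f in expected["flags"] if f not in found["flags"]),
        "extra_aces": sorted((fc - ec).elements()),    # on disk, not expected
        "missing_aces": sorted((ec - fc).elements()),  # expected, not on disk
    }


def report(found_sddl: str, expected_sddl: str) -> str:
    d = diff_acls(found_sddl, expected_sddl)
    lines = []
    for key in ("owner", "group"):
        if d[key]:
            got, want = d[key]
            lines.append(f"{key}: {SID_NAMES.get(got, got)} (expected {SID_NAMES.get(want, want)})")
    for f in d["missing_flags"]:
        lines.append(f"missing DACL flag {f} ({DACL_FLAGS.get(f, 'unknown')})")
    lines += [f"extra ACE:   {a.describe()}" for a in d["extra_aces"]]
    lines += [f"missing ACE: {a.describe()}" for a in d["missing_aces"]]
    return "\n".join(lines) or "ACLs match"


if __name__ == "__main__":
    print(report(FS_SDDL, EXPECTED_SDDL))
```

Run against the quoted strings, the report names the owner/group mismatch, the missing protected flag, the extra BUILTIN\Administrators ACE and the missing second Domain Admins ACE, which is the shape of the problem "samba-tool ntacl sysvolreset" repairs by rewriting the on-disk ACL from the GPO object.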