[Samba] posix gid mapping of built-in groups

Henrik Langos hlangos-samba at innominate.com
Mon Jun 23 11:05:18 MDT 2014


On 06/23/14 17:30, steve wrote:
> On Mon, 2014-06-23 at 17:03 +0200, Henrik Langos wrote:
>> On 06/23/14 15:07, steve wrote:
>>> On Mon, 2014-06-23 at 14:30 +0200, Henrik Langos wrote:
>>>> Here's a little example for what happens:
>>> Hi
>>> The best way around it is to copy the idmap db from DC1 to DC2 and then
>>> call sysvol reset.
>> Sounds reasonable. Thank you!
>>
>> How do I "call sysvol reset" ? (Showing my almost complete Samba4
>> ignorance here :-) )
> Sorry, it's:
> samba-tool ntacl sysvolreset

Thank you!

I just did "samba-tool ntacl sysvolcheck" and had both DC1 and DC2 
report errors:

root at DC1:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/ads.example.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
249, in run
     lp)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1695, in checksysvolacl
     direct_db_access)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1646, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1612, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
os.path.join(root, name), fsacl_sddl, acl))
root at DC1:~#


root at DC2:~# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/ads.example.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Shutdown 
O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 
249, in run
     lp)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1695, in checksysvolacl
     direct_db_access)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1646, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", 
line 1612, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
os.path.join(root, name), fsacl_sddl, acl))
root at DC2:~#

Now I did
- reset the ACLs on DC1 then with "samba-tool ntacl sysvolreset"
- stopped samba on DC2
- copied idmap.ldb to DC2
- started samba on DC2
- verified that "samba-tool ntacl sysvolcheck" still reported errors.
- waited for rsync to straighten out permissions
- verified that "samba-tool ntacl sysvolcheck" reported no more problems 
after rsync did its work.
- activated "group winbind" in nsswitch.conf and verified that now IDs 
are the same across DC1 and DC2

Great!! Thank you so much!

>> And will newly created users/groups have their uid synced, or should I go
>> with posix ids for those?
> No, not just with the above action. To do that, have a look at:
> samba-tool user create henrik --uid-number=3000100 --gidNumber=513

Ok. So I'd have to provide posix IDs to those users and groups to have 
them stable across DCs.
( I've already had my share of fun with ADUC clobbering the IDs I 
provided via samba-tool, but I figured out how to get around that, too. )
I guess I am good to go. I finally feel half way prepared to move some 
early adopter users into the domain. Thank you very much for your help!


One more thing. If I decide to give the existing built-in groups posix 
IDs, how would I go about changing the extended ACLs for the existing 
files, in order to match the new numeric IDs? (Yes, if possible I'd 
like to get them out of that 3000xxx range in order to see which ones 
I've messed with and which ones I left alone. ;-) )

I guess for the files on sysvol I could go ahead, change the IDs and 
leave the mess to "samba-tool ntacl sysvolreset". But is there a 
generic way to replace one uid/gid in those extended posix ACLs by 
another if changes become necessary?

And would I have done enough, or are there more places that would need 
to be touched?

I've just read http://users.suse.com/~agruen/acl/linux-acls/online/ and 
I wonder where samba stores the other permissions that are not easily 
mapped to posix ACLs.


cheers
-henrik
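The open question above (a generic way to swap one uid/gid for another in the POSIX ACLs of existing files) is the kind of thing usually done by dumping ACLs with `getfacl -R -n -p` (numeric IDs, full paths), rewriting the dump, and loading it back with `setfacl --restore`. The helper below is an added example written for this page, not code from the thread or from the Samba project; the sample dump and the ID mappings in it are constructed, and the `ADDED_UID_MAP`/`ADDED_GID_MAP` names are assumptions. It rewrites the `# owner:` / `# group:` headers (which `setfacl --restore` uses to chown) and every `user:<id>:`, `group:<id>:` and `default:...` entry, leaves the named-owner, `mask`, `other` and `# flags:` lines alone, and can list which IDs still sit in a given range, which answers the "which ones did I leave in 3000xxx" question. One caveat for Samba shares: with the `acl_xattr` VFS module the NT security descriptor lives in the `security.NTACL` extended attribute and is keyed by SID, not uid, so it does not need renumbering; it does carry a hash of the POSIX ACL it was stored with, so after a rewrite Samba will treat the stored NT ACL as stale and fall back to the (remapped) POSIX ACL. On sysvol, `samba-tool ntacl sysvolreset` rewrites both from the GPO objects, as the reply earlier in the thread suggests.

```python
"""Remap numeric uid/gid values in a `getfacl -R -n -p` dump.

Shell usage (not run here):
    getfacl -R -n -p /srv/share > acls.txt
    python3 remap_acl.py < acls.txt > acls.new
    setfacl --restore=acls.new
"""
import re
import sys

# Constructed sample dump: two entries as `getfacl -R -n -p` prints them.
SAMPLE_DUMP = """\
# file: /srv/share
# owner: 3000100
# group: 3000003
user::rwx
user:3000101:r-x
group::r-x
group:3000003:rwx
mask::rwx
other::---
default:user::rwx
default:group:3000003:rwx
default:mask::rwx
default:other::---

# file: /srv/share/report.txt
# owner: 3000101
# group: 513
user::rw-
group::r--
group:513:rw-
mask::rw-
other::---
"""

# Assumed mappings: autogenerated 3000xxx IDs -> explicitly chosen POSIX IDs.
ADDED_UID_MAP = {3000100: 10001, 3000101: 10002}
ADDED_GID_MAP = {3000003: 20003}

_HEADER_RE = re.compile(r"^# (owner|group): (\d+)$")
# user:<id>:perms / group:<id>:perms, optionally prefixed with "default:".
# Lines with an empty id field (user::rwx, group::r-x) do not match.
_ENTRY_RE = re.compile(r"^(default:)?(user|group):(\d+):(.*)$")


def remap_line(line, uid_map, gid_map):
    """Return `line` with its numeric uid/gid replaced per the maps."""
    m = _HEADER_RE.match(line)
    if m:
        kind, old = m.group(1), int(m.group(2))
        table = uid_map if kind == "owner" else gid_map
        return "# %s: %d" % (kind, table.get(old, old))
    m = _ENTRY_RE.match(line)
    if m:
        prefix, kind, old, perms = m.group(1) or "", m.group(2), int(m.group(3)), m.group(4)
        table = uid_map if kind == "user" else gid_map
        return "%s%s:%d:%s" % (prefix, kind, table.get(old, old), perms)
    return line  # "# file:", "# flags:", mask/other, owner entries: unchanged


def remap_acl_dump(text, uid_map, gid_map):
    """Rewrite a whole getfacl dump; output is valid input for `setfacl --restore`."""
    return "\n".join(remap_line(l, uid_map, gid_map) for l in text.splitlines()) + "\n"


def collect_ids(text):
    """Numeric IDs referenced by a dump, split into {"user": set, "group": set}."""
    ids = {"user": set(), "group": set()}
    for line in text.splitlines():
        m = _HEADER_RE.match(line)
        if m:
            ids["user" if m.group(1) == "owner" else "group"].add(int(m.group(2)))
            continue
        m = _ENTRY_RE.match(line)
        if m:
            ids[m.group(2)].add(int(m.group(3)))
    return ids


def ids_in_range(text, lo, hi):
    """IDs still inside [lo, hi], e.g. the autogenerated 3000000-3999999 range."""
    found = collect_ids(text)
    return {k: sorted(i for i in v if lo <= i <= hi) for k, v in found.items()}


if __name__ == "__main__":
    sys.stdout.write(remap_acl_dump(sys.stdin.read(), ADDED_UID_MAP, ADDED_GID_MAP))
```

Run `ids_in_range(new_dump, 3000000, 3999999)` after the rewrite to see which users and groups were left in the autogenerated range; an empty list for both means every ID referenced on the share now has an explicitly chosen POSIX ID.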



