[Samba] posix gid mapping of built-in groups

steve steve at steve-ss.com
Mon Jun 23 11:35:51 MDT 2014


On Mon, 2014-06-23 at 19:05 +0200, Henrik Langos wrote:
> On 06/23/14 17:30, steve wrote:
> > On Mon, 2014-06-23 at 17:03 +0200, Henrik Langos wrote:
> >> On 06/23/14 15:07, steve wrote:
> >>> On Mon, 2014-06-23 at 14:30 +0200, Henrik Langos wrote:
> >>>> Here's a little example for what happens:
> >>> Hi
> >>> The best way around it is to copy the idmap db from DC1 to DC2 and then
> >>> call sysvol reset.
> >> Sounds reasonable. Thank you!
> >>
> >> How do I "call sysvol reset" ? (Showing my almost complete Samba4
> >> ignorance here :-) )
> > Sorry, it's:
> > samba-tool ntacl sysvolreset
> 
> Thank you!
> 
> I just did "samba-tool ntacl sysvolcheck" and had both DC1 and DC2 
> report errors:
> 
> root at DC1:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/ads.example.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>      lp)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
>      direct_db_access)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
>      domainsid, direct_db_access)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1612, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
> root at DC1:~#
> 
> 
> root at DC2:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/ads.example.local/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Shutdown
> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
>      lp)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
>      direct_db_access)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
>      domainsid, direct_db_access)
>    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1612, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
> root at DC2:~#
> 
> Now I did
> - reset the ACLs on DC1 then with "samba-tool ntacl sysvolreset"
> - stopped samba on DC2
> - copied idmap.ldb to DC2
> - started samba on DC2
> - verified that "samba-tool ntacl sysvolcheck" still reported errors.
> - waited for rsync to straighten out permissions
> - verified that "samba-tool ntacl sysvolcheck" reported no more problem 
> after rsync did its work.
> - activated "group winbind" in nsswitch.conf and verified that now IDs 
> are the same across DC1 and DC2
> 
> Great!! Thank you so much!
Thanks for reproducing this. It would be great if this could be included
in the wiki as it solves many of the GPO problems we see here on the
list.
> 
> > >> And will newly created users/groups have their uid synced, or should I go
> > >> with posix ids for those?
> > No, not just with the above action. To do that, have a look at:
> > samba-tool user create henrik --uid-number=3000100 --gidNumber=513
> 
> Ok. So I'd have to provide posix ids to those users and groups to have 
> them stable across DCs.
> ( I've already had my share of fun with ADUC clobbering the IDs I 
> provided via samba-tool,  but I figured out how to get around that, too. )
> I guess I am good to go. I finally feel half way prepared to move some 
> early adopter users into the domain. Thank you very much for your help!
> 
> 
> One more thing. If I decide to give the existing built-in groups posix 
> IDs, how would I go about changing the extended acls for the existing 
> files, in order to match the new numeric IDs ? (Yes, if possible I'd 
> like to get them out of that 3000xxx range in order to see which ones 
> I've messed with and which ones I left alone. ;-) )
> 
> I guess for the files on sysvol I could go ahead, change the IDs and 
> leave the mess to "samba-tool ntacl sysvolreset ". But is there a 
> generic way to replace one uid/gid in those extended posix ACLs by 
> another if changes become necessary?
As you've just seen, the sysvol posix information is _not_ stored in AD
and in any case, it would not affect your user's files, so now that sysvol
is as it should be, it is best to leave it.

We'd recommend sticking with the 3000000+ range for user uidNumbers for
your domain users as this keeps them well away from any local Unix users
you may have on the system. 
> 
> And would I have done enough, or are there more places that would need 
> to be touched?
Any file that was created before you changed the uidNumber will have to
have its new number assigned, so you'll need a script which finds the old
uidNumber and replaces it with the new uidNumber. If your file server
has a lot of data, this can take a long time. A simple chown
domain-user:domain-group on an existing ext4 fs will work, but make sure
you have your nsswitch returning the values from AD and not from
elsewhere. The latter is one of the biggest gotchas on this list ;)
> 
> I've just read http://users.suse.com/~agruen/acl/linux-acls/online/ and 
> I wonder where samba stores the other permissions that are not easily 
> mapped to posix ACLs.

For really obscure acls I believe that it stores them as sddl values
under the group dn. We've never met anything yet which has affected
files owned by domain objects, although be aware that what you see in a
file listing over cifs is rarely what exists at fs level.

HTH
Steve
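An added example, not code from this thread or from the Samba project, for the remapping Steve describes: find every object owned by the old uidNumber/gidNumber and chown it to the new one, after first checking that nsswitch actually resolves the new id. It goes one step beyond the plain chown in the reply and also rewrites the named entries in extended POSIX ACLs (user:OLD:rwx, default:group:OLD:r-x), which Henrik asks about and which chown leaves untouched. The ids 3000100/10001 and 3000001/10513, the share path /srv/share and the script name are made-up values; getfacl/setfacl from the acl package are assumed to be installed.

```sh
#!/bin/sh
# Added example, not code from the thread or from Samba. Remaps one POSIX uid
# or gid across a file tree after a domain object's uidNumber/gidNumber was
# changed in AD. The ids and paths below are made up for illustration.
#
# Usage (as root, on the file server):
#   sh remap-id.sh user  3000100 10001 /srv/share
#   sh remap-id.sh group 3000001 10513 /srv/share

# Rewrite the numeric entries for one id in a `getfacl -n` dump (stdin -> stdout).
# Touches the "# owner:"/"# group:" headers, named user:/group: entries and their
# default: variants. The unnamed "user::"/"group::" entries never match because
# the pattern requires the old id between the colons.
remap_acl_dump() {
  kind=$1 old=$2 new=$3             # kind is "user" or "group"
  if [ "$kind" = user ]; then hdr=owner; else hdr=group; fi
  sed -e "s/^# $hdr: $old\$/# $hdr: $new/" \
      -e "s/^$kind:$old:/$kind:$new:/" \
      -e "s/^default:$kind:$old:/default:$kind:$new:/"
}

# Check that nsswitch resolves the new id (i.e. winbind is active in
# nsswitch.conf and AD is the source) before any ownership is changed.
id_is_resolvable() {
  kind=$1 new=$2
  if [ "$kind" = user ]; then getent passwd "$new" >/dev/null
  else getent group "$new" >/dev/null; fi
}

remap_tree() {
  kind=$1 old=$2 new=$3 root=$4
  id_is_resolvable "$kind" "$new" || {
    echo "$kind id $new is not resolvable via nsswitch; refusing to chown" >&2
    return 1
  }
  # 1. Plain owner/group. -xdev stays on one filesystem, -h does not follow symlinks.
  if [ "$kind" = user ]; then
    find "$root" -xdev -uid "$old" -exec chown -h "$new" {} +
  else
    find "$root" -xdev -gid "$old" -exec chgrp -h "$new" {} +
  fi
  # 2. Named ACL entries, which chown leaves untouched. -n keeps ids numeric so
  #    entries for an old id that no longer resolves still survive the round trip.
  getfacl -R -n -p "$root" | remap_acl_dump "$kind" "$old" "$new" | setfacl --restore=-
}

if [ "$#" -eq 4 ]; then
  remap_tree "$@"
fi
```

Run it once per id you changed (user first, then group, or the other way round; the sed patterns are anchored so a uid and a gid with the same number do not collide). The setfacl --restore pass also re-applies the "# owner:" headers, so it has to run as root, and on a large tree it is the slow part.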
