[Samba] posix gid mapping of built-in groups

Henrik Langos hlangos-samba at innominate.com
Tue Jun 24 06:57:40 MDT 2014

On 06/23/14 19:35, steve wrote:
> On Mon, 2014-06-23 at 19:05 +0200, Henrik Langos wrote:
>> On 06/23/14 17:30, steve wrote:
>>> On Mon, 2014-06-23 at 17:03 +0200, Henrik Langos wrote:
>>>> On 06/23/14 15:07, steve wrote:
>>>>> On Mon, 2014-06-23 at 14:30 +0200, Henrik Langos wrote:
>>>>>> Here's a little example for what happens:
>>>>> Hi
>>>>> The best way around it is to copy the idmap db from DC1 to DC2 and then
>>>>> call sysvol reset.
>>>> Sounds reasonable. Thank you!
>>>> How do I "call sysvol reset" ? (Showing my almost complete Samba4
>>>> ignorance here :-) )
>>> Sorry, it's:
>>> samba-tool ntacl sysvolreset
>> Thank you!
>> I just did "samba-tool ntacl sysvolcheck" and had both DC1 and DC2
>> report errors:
>> ...
>> Now I did
>> - reset the ACLs on DC1 then with "samba-tool ntacl sysvolreset"
>> - stopped samba on DC2
>> - copied idmap.ldb to DC2
>> - started samba on DC2
>> - verified that "samba-tool ntacl sysvolcheck" still reported errors.
>> - waited for rsync to straighten out permissions
>> - verified that "samba-tool ntacl sysvolcheck" reported no more problems
>> after rsync did its work.
>> - activated "group winbind" in nsswitch.conf and verified that now IDs
>> are the same across DC1 and DC2
>> Great!! Thank you so much!
> Thanks for reproducing this. It would be great if this could be included
> in the wiki as it solves many of the GPO problems we see here on the
> list.

I'll try to do that. I've got my wiki login and (time permitting) I'll 
do those changes this week or next.

>>>> And will newly created users/groups have their uid synced, or should I go
>>>> with posix ids for those?
>>> No, not just with the above action. To do that, have a look at:
>>> samba-tool user create henrik --uid-number=3000100 --gidNumber=513
>> Ok. So I'd have to provide posix IDs to those users and groups to have
>> them stable across DCs.
>> ( I've already had my share of fun with ADUC clobbering the IDs I
>> provided via samba-tool, but I figured out how to get around that, too. )
>> I guess I am good to go. I finally feel half way prepared to move some
>> early adopter users into the domain. Thank you very much for your help!
>> One more thing. If I decide to give the existing built-in groups posix
>> IDs, how would I go about changing the extended acls for the existing
>> files, in order to match the new numeric IDs ? (Yes, if possible I'd
>> like to get them out of that 3000xxx range in order to see which ones
>> I've messed with and which ones I left alone. ;-) )
>> I guess for the files on sysvol I could go ahead, change the IDs and
>> leave the mess to "samba-tool ntacl sysvolreset". But is there a
>> generic way to replace one uid/gid in those extended posix ACLs with
>> another if changes become necessary?
> As you've just seen, the sysvol posix information is _not_ stored in AD
> and in any case, it would not affect your user's files, so now sysvol is
> as it should be it is best to leave it.
> We'd recommend sticking with the 3000000+ range for user uidNumbers for
> your domain users as this keeps them well away from any local Unix users
> you may have on the system.

Well, if I
A) stick to that range, and
B) give uid numbers on the samba-tool command line,
how do I avoid giving one of my new groups an ID that is already used by 
Samba's own mapping mechanism?

E.g. I look at the output of "getent group" and I don't see 3000002. But 
from getfacl on a policy file I know that it is in use.
I know I can find the windows group / user if I know they are in use:

root at DC2:~# wbinfo -G 3000002
root at DC2:~# wbinfo -s S-1-5-18
root at DC2:~#

But how do I keep track of the next free uid/gid if I provide those 
manually to samba-tool ?

I guess I'd prefer
A) to leave that management to Samba, or
B) to manage those IDs myself in a range that doesn't interfere with 
local users/groups or Windows users/groups.

>> And would I have done enough, or are there more places that would need
>> to be touched?
> Any file that was created before you changed the uidNumber will have to
> have its new number assigned so you'll need a script which finds the old
> uidNumber and replaces it with the new uidNumber. If your file server
> has a lot of data, this can take a long time. A simple chown
> domain-user:domain-group on an existing ext4 fs will work but make sure
> you have your nsswitch returning the values from AD and not from
> elsewhere. The latter is one of the biggest gotchas on this list;)

The simple "chown" will work if I change the id numbers of the owning 
user or group.
But if I change the id of a group that is only listed in the extended 
posix ACLs of a file, then I am in for a long scripting session with 
getfacl, <insert favorite scripting language> and setfacl.

Simple use case: You have a directory that is readable for all users 
that belong to your "marketing" group; one subdirectory, however, is also 
read/write for users that belong to the "online marketing" group. In all 
likelihood the additional write permission ends up in an extended ACL 
while the posix.1 ACLs show the file belonging to user "Jane" and group 
"Domain Users". Now if I change the gid number of "marketing" or 
"online marketing" I'd probably have to manually dig into those extended 

Unless there already is a command line tool to manipulate extended posix 
ACLs in a more user friendly way?

>> I've just read http://users.suse.com/~agruen/acl/linux-acls/online/ and
>> I wonder where samba stores the other permissions that are not easily
>> mapped to posix ACLs.
> For really obscure acls I believe that it stores them as sddl values
> under the group dn. We've never met anything yet which has affected
> files owned by domain objects, although be aware that what you see in a
> file listing over cifs is rarely what exists at fs level.
> Steve
It helps a lot! Thank you!
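A worked version of the getfacl/setfacl scripting session Henrik describes above, added here as an example and not part of the thread or of Samba: a POSIX sh function that rewrites one numeric gid in a `getfacl -n` dump, plus a wrapper that applies the rewritten dump to a tree with `setfacl --restore`. It assumes the GNU acl utilities (`getfacl`/`setfacl` with `--restore` and `--test`); the ACL dump, path and gid values are constructed.

```shell
#!/bin/sh
# Added example (not Samba code): remap one numeric gid in the extended POSIX
# ACLs of a tree via the getfacl -> sed -> setfacl --restore pipeline.

# Constructed sample of what "getfacl -R -n -p" prints for a subdirectory that
# carries an extra "online marketing" entry (gid 3000002) in its extended ACL.
# The owning group (3000001, "Domain Users" in the thread's scenario) is not
# the group being remapped.
SAMPLE_ACL_DUMP='# file: /srv/marketing/online
# owner: 3000010
# group: 3000001
user::rwx
group::r-x
group:3000002:rwx
group:3000005:r-x
mask::rwx
other::---
default:group:3000002:rwx'

# remap_gid OLD NEW: read a getfacl dump on stdin and write it to stdout with
# every named-group entry "group:OLD:" (and "default:group:OLD:") changed to
# NEW. The "# group:" owning-group comment and the unnamed "group::" entry are
# deliberately left alone: the owning group is what chown takes care of.
remap_gid() {
  old=$1; new=$2
  for id in "$old" "$new"; do
    case $id in
      ''|*[!0-9]*) echo "remap_gid: numeric ids only" >&2; return 1 ;;
    esac
  done
  sed -E "s/^((default:)?group):${old}:/\1:${new}:/"
}

# remap_gid_tree OLD NEW DIR [--test]: dump DIR's ACLs numerically (-n) with
# absolute names (-p), rewrite the gid, and feed the result back to setfacl.
# With --test as the fourth argument setfacl only reports what it would change.
remap_gid_tree() {
  getfacl -R -n -p "$3" | remap_gid "$1" "$2" | setfacl --restore=- ${4:-}
}
```

Run `remap_gid_tree 3000002 4000002 /srv/marketing --test` first to preview; the `-n` dump keeps everything numeric, so the rewrite does not depend on what nsswitch currently resolves the old gid to.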