[Samba] posix gid mapping of built-in groups
hlangos-samba at innominate.com
Tue Jun 24 06:57:40 MDT 2014
On 06/23/14 19:35, steve wrote:
> On Mon, 2014-06-23 at 19:05 +0200, Henrik Langos wrote:
>> On 06/23/14 17:30, steve wrote:
>>> On Mon, 2014-06-23 at 17:03 +0200, Henrik Langos wrote:
>>>> On 06/23/14 15:07, steve wrote:
>>>>> On Mon, 2014-06-23 at 14:30 +0200, Henrik Langos wrote:
>>>>>> Here's a little example for what happens:
>>>>> The best way around it is to copy the idmap db from DC1 to DC2 and then
>>>>> call sysvol reset.
>>>> Sounds reasonable. Thank you!
>>>> How do I "call sysvol reset" ? (Showing my almost complete Samba4
>>>> ignorance here :-) )
>>> Sorry, it's:
>>> samba-tool ntacl sysvolreset
>> Thank you!
>> I just did "samba-tool ntacl sysvolcheck" and had both DC1 and DC2
>> report errors:
>> Now I did
>> - reset the ACLs on DC1 then with "samba-tool ntacl sysvolreset"
>> - stopped samba on DC2
>> - copied idmap.ldb to DC2
>> - started samba on DC2
>> - verified that "samba-tool ntacl sysvolcheck" still reported errors.
>> - waited for rsync to straighten out permissions
>> - verified that "samba-tool ntacl sysvolcheck" reported no more problem
>> after rsync did its work.
>> - activated "group winbind" in nsswitch.conf and verified that now IDs
>> are the same across DC1 and DC2
>> Great!! Thank you so much!
> Thanks for reproducing this. It would be great if this could be included
> in the wiki as it solves many of the GPO problems we see here on the
I'll try to do that. I've got my wiki login and (time permitting) I'll
do those changes this week or next.
>>>> And will newly created users/groups have their uid synced, or should go
>>>> with posix ids for those?
>>> No, not just with the above action. To do that, have a look at:
>>> samba-tool user create henrik --uid-number=3000100 --gidNumber=513
>> Ok. So I'd have to provide posix IDs to those users and groups to have
>> them stable across DCs.
>> ( I've already had my share of fun with ADUC clobbering the IDs I
>> provided via samba-tool, but I figured out how to get around that, too. )
>> I guess I am good to go. I finally feel half way prepared to move some
>> early adopter users into the domain. Thank you very much for your help!
>> One more thing. If I decide to give the existing built-in groups posix
>> IDs, how would I go about changing the extended acls for the existing
>> files, in order to match the new numeric IDs ? (Yes, if possible I'd
>> like to get them out of that 3000xxx range in order to see which ones
>> I've messed with and which ones I left alone. ;-) )
>> I guess for the files on sysvol I could go ahead, change the IDs and
>> leave the mess to "samba-tool ntacl sysvolreset ". But is there a
>> generic way to replace one uid/gid in those extended posix ACLs by
>> another if changes become necessary?
> As you've just seen, the sysvol posix information is _not_ stored in AD
> and in any case, it would not affect your user's files, so now sysvol is
> as it should be it is best to leave it.
> We'd recommend sticking with the 3000000+ range for user uidNumbers for
> your domain users as this keeps them well away from any local Unix users
> you may have on the system.
Well, if I
A) stick to that range, and
B) give uid numbers on the samba-tool command line,
how do I avoid giving one of my new groups an ID that is already used by
Samba's own mapping mechanism?
E.g. I look at the output of "getent group" and I don't see 3000002. But
from getfacl on a policy file I know that it is in use.
I know I can find the windows group / user if I know they are in use:
root at DC2:~# wbinfo -G 3000002
root at DC2:~# wbinfo -s S-1-5-18
NT AUTHORITY+SYSTEM 5
root at DC2:~#
But how do I keep track of the next free uid/gid if I provide those
manually to samba-tool ?
I guess I'd prefer
A) to leave that management to Samba, or
B) to manage those IDs myself in a range that doesn't interfere with
local users/groups or Windows users/groups.
>> And would I have done enough, or are there more places that would need
>> to be touched?
> Any file that was created before you changed the uidNumber will have to
> have its new number assigned so you'll need a script which finds the old
> uidNumber and replaces it with the new uidNumber. If your file server
> has a lot of data, this can take a long time. A simple chown
> domain-user:domain-group on an existing ext4 fs will work but make sure
> you have your nsswitch returning the values from AD and not from
> elsewhere. The latter is one of the biggest gotchas on this list;)
The simple "chown" will work if I change the id numbers of the owning
user or group.
But if I change the id of a group that is only listed in the extended
posix ACLs of a file,
then I am in for a long scripting session with getfacl, <insert favorite
scripting language> and setfacl.
Simple use case: You have a directory that is readable for all users
that belong to your "marketing" group, one subdirectory however is also
read/write for users that belong to the "online marketing" group. In all
likelihood the additional write permission ends up in an extended ACL
while the posix 1 ACLs show the file belonging to user "Jane" and group
"Domain Users" . Now if I change the gid number of "marketing" or
"online marketing" I'd probably have to manually dig into those extended
Unless there already is a command line tool to manipulate extended posix
ACLs in a more user friendly way?
>> I've just read http://users.suse.com/~agruen/acl/linux-acls/online/ and
>> I wonder where samba stores the other permissions that are not easily
>> mapped to posix ACLs.
> For really obscure acls I believe that it stores them as sddl values
> under the group dn. We've never met anything yet which has affected
> files owned by domain objects, although be aware that what you see in a
> file listing over cifs is rarely what exists at fs level.
It helps a lot! Thank you!
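As an added example, not taken from this thread or from the Samba project: a POSIX sh script for the two practical questions above, checking whether a numeric uid/gid is already taken before handing it to samba-tool, and renumbering one uid/gid inside the extended POSIX ACLs of a whole tree with the getfacl dump / setfacl restore round trip. It assumes the standard Linux acl tools (getfacl, setfacl) and, for the in-use check, getent and wbinfo; the share path, the sample ACL dump and all ID numbers in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): guard a candidate uid/gid and
# renumber one id inside POSIX ACL entries via dump-and-restore.
# Assumes GNU acl tools (getfacl/setfacl), getent, wbinfo and sed -E.

# id_in_use KIND ID
# True if ID already resolves as a user/group, either through nsswitch
# (local files or "group winbind") or through winbind's idmap directly
# (wbinfo -U/-G), so it must not be handed to samba-tool as a new number.
id_in_use() {
    case $1 in
        user)  getent passwd "$2" >/dev/null 2>&1 || wbinfo -U "$2" >/dev/null 2>&1 ;;
        group) getent group  "$2" >/dev/null 2>&1 || wbinfo -G "$2" >/dev/null 2>&1 ;;
        *) echo "id_in_use: kind must be user or group" >&2; return 2 ;;
    esac
}

# remap_acl_dump KIND OLD NEW
# Reads a `getfacl --numeric` dump on stdin and writes it back with every
# entry for KIND ("user" or "group") naming numeric id OLD changed to NEW.
# Covers the named entries (user:OLD:..., group:OLD:...), their default:
# counterparts, and the "# owner:"/"# group:" header lines that
# setfacl --restore uses to re-apply ownership. Pure text, no fs access.
remap_acl_dump() {
    kind=$1; old=$2; new=$3
    case $kind in
        user)  hdr=owner ;;
        group) hdr=group ;;
        *) echo "remap_acl_dump: kind must be user or group" >&2; return 2 ;;
    esac
    sed -E \
        -e "s/^((default:)?$kind):$old:/\1:$new:/" \
        -e "s/^# $hdr: $old\$/# $hdr: $new/"
}

# remap_acl_tree KIND OLD NEW DIR
# Dumps the ACLs of the whole tree numerically (so no name lookup through
# nsswitch is involved), rewrites them, and restores them. Needs root,
# because the restore also chowns from the header lines.
remap_acl_tree() {
    getfacl -R --numeric --absolute-names "$4" \
        | remap_acl_dump "$1" "$2" "$3" \
        | setfacl --restore=-
}

# Constructed sample dump in the format `getfacl -R --numeric` prints,
# standing in for a marketing share: gid 3000002 plays the "online
# marketing" group that appears only in the extended (named) entries,
# while owner 3000010 and group 3000001 are the plain POSIX owner/group.
sample_dump='# file: share/marketing/online
# owner: 3000010
# group: 3000001
user::rwx
group::r-x
group:3000002:rwx
mask::rwx
other::---
default:group:3000002:rwx
'

# Rewrites the sample so the result can be inspected without touching
# any real filesystem (the constructed new gid 3000500 is arbitrary).
remap_sample() {
    printf '%s' "$sample_dump" | remap_acl_dump group 3000002 3000500
}

remap_sample
```

Dry-run by saving `getfacl -R --numeric --absolute-names DIR` to a file, piping it through `remap_acl_dump` and reading the diff before feeding anything to `setfacl --restore=-`; the numeric dump sidesteps the nsswitch gotcha mentioned above, because no name is resolved on the way out or back in. Changing a group that is the base owning group is handled by the header rewrite, which is the `chown` case; the named `group:NNN:` and `default:group:NNN:` lines are the extended-ACL case that `chown` cannot reach.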