[Samba] idmap configuration after initial deployment needed?
Rowland Penny
rowlandpenny at googlemail.com
Wed Oct 15 14:24:49 MDT 2014
On 15/10/14 21:00, James wrote:
> Hi Steve,
>
> It was based on the discussion using unison and rsync. I did
> attempt to use the sysvol reset command but it had no effect on my
> issue. I fixed the ACLs by going into each user's redirected folder
> from a Windows workstation, right-clicking the affected folder and
> deleting the user or group from the security tab. After deletion I
> added the user or group permissions back.
>
> On 10/15/2014 3:50 PM, steve wrote:
>> On 15/10/14 17:51, Rowland Penny wrote:
>>> On 15/10/14 16:24, James wrote:
>>>> Hello,
>>>>
>>>> Using Ubuntu 12.04 with Samba 4.1.11. I'm currently redirecting
>>>> Windows folders to a Samba DC. This DC is not the one that was
>>>> deployed first. Based on discussions from another thread I copied the
>>>> idmap.ldb from the initial DC to the others that are deployed. I
>>>> noticed upon doing so the file permissions on the shares were broken.
>>
>> Hi
>> Not sure which thread you read, but you should copy the db and then
>> run sysvolreset. I thought that this had appeared in the wiki recently.
>>
>>>> As in existing users were unable to see their documents or make
>>>> modifications to them. I deleted them from the ACL list and reapplied
>>>> their appropriate permissions. This corrected that issue.
>>
>> How did you effect, 'reapplied appropriate permissions'? samba-tool?
>> José
>>
>>
>>>>
>>>> I also noticed that an issue I had with applying GPOs to users at
>>>> remote sites was now working again after making this change. With all
>>>> that being said, I was under the impression that I only needed to add
>>>> idmap configurations to my smb.conf if I was using a member server to
>>>> handle shares from linux/unix users or workstations. I appear to be
>>>> wrong? Thanks for any assistance.
>>>>
>>> The problem starts with what Microsoft calls 'Well-known security
>>> identifiers'; these are mapped on the DC to xidNumbers. Now, wherever
>>> you go in AD, on a Windows machine 'S-1-5-32-544' is the Administrators
>>> group, but as I said, on the DC this is mapped to an xidNumber. The only
>>> problem is that you do not seem to get the same xidNumber on every
>>> Samba4 DC; this is why idmap.ldb needs to be copied from the first DC.
>>>
>>> There was some talk about mapping these SIDs to a set group of numbers,
>>> but that is as far as it got, the problem being just what numbers to
>>> map them to or how to map them so that Samba admins could choose the
>>> starting base.
>>>
>>> Rowland
>>
>
I think I understand what happened: not only do the builtin users &
groups get mapped to an xidNumber, but so do any users & groups. So when
you copied the idmap.ldb to another machine, the users' xidNumbers
changed as well.

Now this wouldn't be a problem with sysvol because the permissions can
be reset with samba-tool, but there doesn't seem to be any way to reset
redirected folders, other than the way you found by removing them and
then re-adding, which would reset them to the numbers that are now in
idmap.ldb.

Rowland
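As an added illustration of the point above about xidNumbers differing between DCs (example code added here, not from the thread or from the Samba project): a small Python check that parses ldbsearch dumps of idmap.ldb taken from two DCs and lists the SIDs whose xidNumber differs, i.e. the mappings whose on-disk uid/gid ownership would stop resolving if one DC's idmap.ldb were replaced by the other's. The sample dumps are constructed, and the ldbsearch invocation and the idmap.ldb path in the comment are assumptions.

```python
import re

# Constructed sample dumps (not from real DCs), in the shape produced by
# `ldbsearch -H /var/lib/samba/private/idmap.ldb objectSid xidNumber`
FIRST_DC = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-1103
objectSid: S-1-5-21-1111-2222-3333-1103
xidNumber: 3000021
"""
SECOND_DC = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000003

dn: CN=S-1-5-21-1111-2222-3333-1103
objectSid: S-1-5-21-1111-2222-3333-1103
xidNumber: 3000021

dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
xidNumber: 3000022
"""

def parse_idmap_ldif(text):
    """Return {objectSid: xidNumber} from an LDIF dump of idmap.ldb."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip ldbsearch '# record N' comment lines
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping

def idmap_diff(first, second):
    """SIDs whose xidNumber differs between the two DCs (None = absent).
    Files owned by these xids break when one idmap.ldb replaces the other."""
    return {sid: (first.get(sid), second.get(sid))
            for sid in sorted(set(first) | set(second))
            if first.get(sid) != second.get(sid)}
```

Run it against real dumps before copying idmap.ldb between DCs; every SID it reports is one whose ACLs on that DC's shares (sysvol via `samba-tool ntacl sysvolreset`, redirected folders by hand) will need resetting afterwards.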