[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..

Rowland Penny rowlandpenny at googlemail.com
Thu Apr 30 02:31:37 MDT 2015


On 30/04/15 09:09, L.P.H. van Belle wrote:
> ( sorry for mailing directly bjorn, but please have a look )
>
> I still think this is a bug..
>
> why not a bug:
> If I do assign a UID/GID to a user, then yes, this will work fine.
> New users and groups, sure.. but now I'm talking about the default domain groups..
>
> why a bug:
> User administrator and the domain groups are set by default by samba,
> and it's not consistent at all, which is needed for a replicated sysvol.
> Yes, not supported by samba, but I hope samba is working on that, and then
> this will be an issue also; better fix it now imo.
>
> Let me explain what I see..
>
> administrator has uid 0..
> wbinfo -i DOMAIN\\administrator
> DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false
> Administrator ... and not administrator..
>
> so now this is my result of my sysvol...
>   ls -n
> total 8
> drwxrwx---+ 4 0 3000000 4096 Apr 28 13:32 internal.domain.tld
> wbinfo --uid-info 0
> administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
> administrator and not Administrator ?
>
> first 2 differences in usernames :  Administrator and administrator

Don't worry about that, this is just winbind normalising names

>
> wbinfo --uid-info 0
> administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
> wbinfo -i DOMAIN\\administrator
> DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false
>
> wbinfo -i DOMAIN\\Administrator
> administrator:*:0:100::/home/BAZRTD/administrator:/bin/false
> converted Administrator to administrator.
>
> Look at the homedir.. capital A and not capital. So 2 different folders.
> 2 different users.
> in total 3 users with uid 0 ( root, administrator and Administrator )

Now that is a problem

>
>
> in the sysvol/internal.domain.tld :
> ls -n
> total 16
> drwxrwx---+ 4 0 3000000 4096 Apr 28 13:32 Policies
> drwxrwx---+ 2 0 3000000 4096 Apr 28 13:32 scripts
>
> ls -l
> total 8
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Apr 28 13:32 internal.domain.tld
>
> wbinfo --group-info "BUILTIN\administrators"
> BUILTIN\administrators:x:3000000:
>
> for the Policies folder :
> Policies# ls -n
> total 16
> drwxrwx---+ 4 3000008 3000008 4096 Apr 28 13:32 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 3000008 3000008 4096 Apr 28 13:32 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>
> wbinfo --uid-info 3000008
> domain admins:*:3000008:3000008::/home/DOMAIN/domain admins:/bin/false
>
> wbinfo --gid-info 3000008
> domain admins:x:3000008:administrator
>
> wbinfo --group-info "DOMAIN\domain admins"
> domain admins:x:3000008:administrator
>
> wbinfo --user-info "DOMAIN\domain admins"
> domain admins:*:3000008:3000008::/home/BAZRTD/domain admins:/bin/false
>
>
> getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
> # file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
> # owner: domain\040admins
> # group: domain\040admins
> user::rwx
> group::rwx
> group:3000002:rwx
> group:3000003:r-x
> group:enterprise\040admins:rwx
> group:domain\040admins:rwx
> group:3000010:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:domain\040admins:rwx
> default:group::---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:enterprise\040admins:rwx
> default:group:domain\040admins:rwx
> default:group:3000010:r-x
> default:mask::rwx
> default:other::---
>
> The user owner is the group? How can the user owner be a group?
> Is this allowed? This I really don't know.

Yes, this is a mess, and is caused by stupid stupid Windows allowing groups 
to own files, therefore you end up with ID_TYPE_BOTH in idmap.ldb. From 
my investigations, it is only one group that owns files: Administrators, 
but instead of just making this group 'ID_TYPE_BOTH', samba makes a lot 
of groups 'ID_TYPE_BOTH', have a look in idmap.ldb.

I also tested replacing the ownership of files and dirs in sysvol, I 
changed 'Administrators' for 'Administrator' and changed all occurrences 
of 'ID_TYPE_BOTH' in idmap.ldb to what it actually is. Looking from 
Windows, I couldn't see any difference, because (and I am no Windows 
expert) I think that Windows doesn't actually care who owns the files, 
it only seems to care about the ACLs.

Rowland

>
> So I have "user": "domain admins"
> and I have group: "domain admins"
>
> Documentation is lacking here, or I really can't find it..
>
> Anyone any comment on this?
>
>
>
> Greetz,
>
> Louis
>
>
>
>
>> -----Original message-----
>> From: belle at bazuin.nl [mailto:samba-bounces at lists.samba.org]
>> On behalf of L.P.H. van Belle
>> Sent: Thursday 30 April 2015 8:10
>> To: samba at lists.samba.org
>> Subject: [Samba] FW: [Bug 11241] different ids even when
>> idmap.ldb copied. not abug..
>>
>> Please read the reported bug and Bjorn's answer.. which does not
>> help any towards a solution or fix, or explanation.
>> But the big question now is, does someone somewhere know what
>> Bjorn is talking about.
>>
>> I did search for "gencache" but no go here..
>> just from old documentation.
>> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/tdb.html
>> gencache.tdb  Generic caching database.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>> -----Original message-----
>> From: samba-bugs at samba.org [mailto:samba-bugs at samba.org]
>> Sent: Wednesday 29 April 2015 17:51
>> To: L.P.H. van Belle
>> Subject: [Bug 11241] different ids even when idmap.ldb copied.
>>
>> https://bugzilla.samba.org/show_bug.cgi?id=11241
>>
>> Björn Jacke <bj at sernet.de> changed:
>>
>>            What    |Removed                     |Added
>> ----------------------------------------------------------------------------
>>          Resolution|---                         |INVALID
>>              Status|NEW                         |RESOLVED
>>
>> --- Comment #1 from Björn Jacke <bj at sernet.de> ---
>> this is not a supported thing to do, so this is not a valid bug.
>> winbindd has a different way of caching (investigate gencache for
>> example) entries and this is probably what makes that hack stop
>> working for you with winbindd.
>>
>> -- 
>> You are receiving this mail because:
>> You reported the bug.
>>
>> REPORTED BUG..
>>
>> Louis     2015-04-29 08:51:03 UTC
>> Hai. Getting the same ids on 2 DCs does not work anymore on samba 4.2.1
>> with in smb.conf
>> server services = -dns +winbindd -winbind
>> If I set it to
>> server services = -dns -winbindd +winbind
>> it does work again.
>>
>> With 4.1.17 the solution was simple.. we stopped samba on both servers.
>> scp /var/lib/samba/private/idmap.ldb
>> root at 192.168.0.2:/var/lib/samba/private/
>> started samba on both servers and
>> id administrator gave the same ids for all groups.
>>
>> Now on 4.2.1
>> DC1:  id administrator
>> uid=0(root) gid=100(users) groups=0(root),100(users),
>> 3000004(group policy creator owners),
>> 3000006(enterprise admins),
>> 3000008(domain admins),
>> 3000007(schema admins),
>> 3000005(denied rodc password replication group),
>> 3000009(BUILTIN\users),
>> 3000000(BUILTIN\administrators)
>>
>> id administrator
>> uid=0(root) gid=100(users) groups=0(root),100(users),
>> 3000011(group policy creator owners),
>> 3000010(enterprise admins),
>> 3000007(domain admins),
>> 3000009(schema admins),
>> 3000008(denied rodc password replication group),
>> 3000001(BUILTIN\users),
>> 3000000(BUILTIN\administrators)
>>
>>
>>
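A consistency check for the situation the bug report describes, added here as an example and not code from the thread or from Samba: it parses the `id administrator` output of two DCs (the sample below is constructed from the values quoted above, joined back onto one line each as id(1) prints them) and lists every group whose GID differs between the DCs, which is exactly what makes sysvol ownership and ACLs non-replicable.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two `id administrator` outputs quoted in the
# bug report, one line per DC as id(1) actually prints them.
DC1_ID = ("uid=0(root) gid=100(users) groups=0(root),100(users),"
          "3000004(group policy creator owners),3000006(enterprise admins),"
          "3000008(domain admins),3000007(schema admins),"
          "3000005(denied rodc password replication group),"
          "3000009(BUILTIN\\users),3000000(BUILTIN\\administrators)")
DC2_ID = ("uid=0(root) gid=100(users) groups=0(root),100(users),"
          "3000011(group policy creator owners),3000010(enterprise admins),"
          "3000007(domain admins),3000009(schema admins),"
          "3000008(denied rodc password replication group),"
          "3000001(BUILTIN\\users),3000000(BUILTIN\\administrators)")

# One "gid(name)" entry; group names may contain spaces and backslashes.
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_groups(output: str) -> Dict[str, int]:
    """Map each group in the groups= field of id(1) output to its GID.

    Names are lower-cased because winbind normalises case; the
    Administrator/administrator difference seen in the thread is harmless.
    """
    groups = output.split("groups=", 1)[1]
    return {name.lower(): int(gid) for gid, name in ENTRY.findall(groups)}


def idmap_mismatches(dc1: str, dc2: str
                     ) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """Return (group, gid_on_dc1, gid_on_dc2) for every group whose GID
    differs between the two DCs or that exists on only one of them.
    A non-empty result means file ownership in sysvol cannot be copied
    between the DCs without the numeric ids pointing at different groups.
    """
    a, b = parse_id_groups(dc1), parse_id_groups(dc2)
    return sorted((g, a.get(g), b.get(g))
                  for g in a.keys() | b.keys() if a.get(g) != b.get(g))


if __name__ == "__main__":
    for group, g1, g2 in idmap_mismatches(DC1_ID, DC2_ID):
        print(f"{group}: DC1={g1} DC2={g2}")
```

Run against real output by capturing `id <user>` on each DC; only root, users and BUILTIN\administrators agree in the quoted sample, the other six domain groups differ.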