[Samba] Rights issue on GPO

Rowland penny rpenny at samba.org
Thu Jun 9 18:42:07 UTC 2016

On 08/06/16 15:34, mathias dufresne wrote:
> Hi all,
> Here is our smb.conf:
> [global]
>          workgroup = AD
>          realm = AD.DOMAIN.TLD
>          netbios name = DC200
>          server role = active directory domain controller
>          server services = -dns
>          idmap_ldb:use rfc2307 = yes
>          #kccsrv:samba_kcc=true
>          acl_xattr:ignore system acls = yes
>          winbind nss info = rfc2307
> [netlogon]
>          path = /var/lib/samba/sysvol/ad.domain.tld/scripts
>          read only = No
> [sysvol]
>          path = /var/lib/samba/sysvol
>          read only = No
> That's the same on all DCs.
> We synchronize sysvol directory using rsync with the following command:
> rsync -XAavz --delete-after
> --password-file=/var/lib/samba/private/rsync_client.secret
> rsync://sysvol-replication@dc200/SysVol/ /var/lib/samba/sysvol/
> And we get an issue with Linux ACLs: they are not the same because some
> BUILTIN users and/or groups do not have the same id mapping on all DCs.
> How do we force all DCs to get the same id mapping?
> Using "acl_xattr:ignore system acls = yes", are Linux ACLs still important,
> or are we supposed to use Windows ACLs only, stored in some Samba
> file? In that case, which file(s)?
> Cheers,
> mathias

OK, first you do not need this on a DC: 'winbind nss info = rfc2307'

Secondly, your different id mappings for BUILTIN users & groups are a 
well-known problem. The IDs are stored in 'idmap.ldb' as 'xidNumber' 
attributes and seem to be given out on a first-come basis; the only problem is, 
the groups etc. don't connect in the same order on every DC.

To get the same IDs on every DC, you will have to copy idmap.ldb from 
the first DC to every other DC, run 'net cache flush' and then keep 
'idmap.ldb' in sync.
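The diagnosis and the fix described in the reply above, as an added shell example that is not part of the thread and not Samba project code. The first function set turns two `ldbsearch` dumps of `idmap.ldb` into a list of SIDs whose `xidNumber` differs between DCs; the two dumps embedded below are constructed sample data in the shape `ldbsearch` prints, with made-up numbers. The last function wraps the copy / `net cache flush` steps, plus `samba-tool ntacl sysvolreset` to rebuild the POSIX ACLs under sysvol afterwards; it is defined but not run, and the `samba-ad-dc` service name and the `/var/lib/samba/private` path are assumptions for a Debian-style layout.

```shell
#!/bin/sh
# Added example, not code from the thread: compare objectSid -> xidNumber mappings
# between two DCs and wrap the idmap.ldb sync steps. The dumps below are constructed
# sample data in the shape that
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=*)' objectSid xidNumber
# prints on a DC; the xidNumber values are made up.
export LC_ALL=C   # make sort and join agree on ordering

# Turn an ldbsearch LDIF dump into "SID xidNumber" lines, one per record,
# sorted on the SID so two dumps can be joined.
extract_xids() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/           { if (sid != "") print sid, xid; sid = ""; xid = "" }
        END            { if (sid != "") print sid, xid }
    ' "$1" | sort -k1,1
}

# Print "SID xid_a xid_b" for every SID present in both dumps whose xidNumber
# differs. Prints nothing when the two DCs agree.
xid_mismatches() {
    xa=$(mktemp)
    xb=$(mktemp)
    extract_xids "$1" > "$xa"
    extract_xids "$2" > "$xb"
    join "$xa" "$xb" | awk '$2 != $3'
    rm -f "$xa" "$xb"
}

# The fix from the reply, as commands. On the FIRST DC make a consistent copy:
#   tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
# copy idmap.ldb.bak to every other DC and run this there as root with that file
# as the argument. Not executed by this script. Assumptions: the samba-ad-dc
# service name (Debian/Ubuntu) and the /var/lib/samba/private path.
install_idmap_from_first_dc() {
    src="$1"
    systemctl stop samba-ad-dc
    cp -p /var/lib/samba/private/idmap.ldb /var/lib/samba/private/idmap.ldb.old
    cp "$src" /var/lib/samba/private/idmap.ldb
    systemctl start samba-ad-dc
    net cache flush                 # drop cached SID<->ID lookups made with the old numbers
    samba-tool ntacl sysvolreset    # rewrite the POSIX ACLs under sysvol from the NT ACLs
}

DC1_DUMP=$(mktemp)
DC2_DUMP=$(mktemp)
trap 'rm -f "$DC1_DUMP" "$DC2_DUMP"' EXIT

# Constructed: first DC. BUILTIN\Administrators, BUILTIN\Users, BUILTIN\Account Operators.
cat > "$DC1_DUMP" <<'EOF'
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000001

# record 3
dn: CN=S-1-5-32-548
objectSid: S-1-5-32-548
xidNumber: 3000002

# returned 3 records
EOF

# Constructed: second DC, where Users and Account Operators were first seen in the
# opposite order and so got each other's number (the first-come problem).
cat > "$DC2_DUMP" <<'EOF'
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000002

# record 3
dn: CN=S-1-5-32-548
objectSid: S-1-5-32-548
xidNumber: 3000001

# returned 3 records
EOF

echo "SIDs with a different xidNumber on the two DCs (SID xid_dc1 xid_dc2):"
xid_mismatches "$DC1_DUMP" "$DC2_DUMP"
```

In practice you run the `ldbsearch` command on each DC, copy the dumps to one host and feed them to `xid_mismatches`; any line it prints is a SID whose files under sysvol will carry a different POSIX owner or ACL entry on that DC after the rsync, which is exactly the symptom in the question. Once every DC has the first DC's `idmap.ldb`, the comparison should print nothing, and the `rsync` of sysvol only needs to be accompanied by keeping `idmap.ldb` in sync as new BUILTIN entries appear.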
