[Samba] Rights issue on GPO
rpenny at samba.org
Fri Jun 10 07:26:13 UTC 2016
On 10/06/16 07:52, Sébastien Le Ray wrote:
> On 09/06/2016 at 20:42, Rowland penny wrote:
>> On 08/06/16 15:34, mathias dufresne wrote:
>>> Hi all,
>>> And we get issue with Linux ACLs: they are not the same because some
>>> BUILTIN users and/or groups do not have same id mapping on all DC.
>>> How to force all DC to get same id mapping?
>>> Using "acl_xattr:ignore system acls = yes", are Linux ACLs still
>>> or are we supposed to use Windows ACLs only, stored in some Samba
>>> file? In that case, which file(s)?
> They're stored in each file's xattr as an obscure base64-encoded value,
> BUT in all cases Unix permissions apply when accessing through
> Samba. So disabling ACLs means that you have to set the properties
> correctly to allow "samba" Unix users to access files (there's no
> clear doc on that…)
>> OK, first you do not need this on a DC: 'winbind nss info = rfc2307'.
>> Secondly, your different id mappings for BUILTIN users & groups are a
>> well-known problem. The IDs are stored in 'idmap.ldb' as 'xidNumber'
>> attributes and seem to be given on a first-come basis; the only problem
>> is, the groups etc. don't connect in the same order on every DC.
> Wasn't this supposed to be solved in 4.2?
> The wiki seems to say that Builtin xID are now replicated but there is
> no clear upgrade path (if you've mixed 4.1 & 4.2 DC which mapping will
> be stored in 4.2 winbind? What happens when you upgrade the 4.1 to 4.2?)
Well, it is and it isn't. Yes, winbindd will display the user & group
names for sysvol, but sysvol still isn't replicated between DCs. I think
this means that when you sync sysvol manually, you will get the IDs
from the first DC applied to sysvol on the second DC, and if there is a
difference in ID numbers between the DCs, you will either just get a
number or, even worse, a wrong name returned.
I could be wrong, but I still think you need to keep idmap.ldb in sync
on all DCs if you are syncing sysvol.
>> To get the same IDs on every DC, you will have to copy idmap.ldb
>> from the first DC to every other DC, run 'net cache flush' and then
>> keep 'idmap.ldb' in sync.
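The following is an added example for this thread, not code from the Samba project or from any of the posters. It shows the check a practitioner would want before copying idmap.ldb or syncing sysvol: dump the sidMap records from idmap.ldb on each DC and compare xidNumber per objectSid, then ask what a numeric owner taken from a sysvol file on one DC resolves to on the other (the "just a number" and "wrong name" cases Rowland describes). The ldbsearch command line in the docstring and the script name idmap_diff.py are assumptions; the two LDIF blocks are constructed sample data using well-known BUILTIN SIDs (544 Administrators, 545 Users, 546 Guests, S-1-5-11 Authenticated Users) with made-up xidNumbers, not output from real DCs.

```python
"""idmap_diff.py: compare idmap.ldb SID -> xidNumber mappings from two DCs.

Added example for the samba list thread, not Samba project code. Assumes
each DC was dumped with something like (command line is an assumption):

    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
        objectSid xidNumber type > dc1-idmap.ldif
"""
import re
import sys

_ATTR_RE = re.compile(r"^([A-Za-z][\w-]*): (.*)$")  # 'attr: value' (skips 'attr:: base64')

# Constructed sample data: first-come allocation gave BUILTIN\Administrators
# (544) and BUILTIN\Users (545) their xids in opposite order on DC2, and each
# DC has one SID the other has never allocated.
DC1_LDIF = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-11
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003

# returned 3 records
"""

DC2_LDIF = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-546
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000002

# returned 3 records
"""


def parse_idmap_ldif(text):
    """Return {objectSid: (xidNumber, type)} from ldbsearch LDIF output."""
    mapping, record = {}, {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if "objectSid" in record and "xidNumber" in record:
                mapping[record["objectSid"]] = (int(record["xidNumber"]), record.get("type", ""))
            record = {}
        elif not line.startswith("#"):
            m = _ATTR_RE.match(line)
            if m:
                record[m.group(1)] = m.group(2)
    return mapping


def compare_idmaps(a, b):
    """(mismatched [(sid, xid_a, xid_b)], sids only in a, sids only in b)."""
    mismatched = sorted((sid, a[sid][0], b[sid][0])
                        for sid in a.keys() & b.keys() if a[sid][0] != b[sid][0])
    return mismatched, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


def resolve_xid(mapping, xid):
    """Reverse lookup: the SID this DC maps xid to, or None if it has no record."""
    return next((sid for sid, (num, _) in mapping.items() if num == xid), None)


def sysvol_owner_drift(src, dst, xid):
    """A file synced from src carries numeric uid/gid xid; what does dst show?
    Returns (sid_on_src, sid_on_dst): different SIDs = wrong name, None = bare number."""
    return resolve_xid(src, xid), resolve_xid(dst, xid)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 idmap_diff.py dc1-idmap.ldif dc2-idmap.ldif
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            dc1, dc2 = parse_idmap_ldif(f1.read()), parse_idmap_ldif(f2.read())
    else:  # no files given: run on the constructed sample above
        dc1, dc2 = parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)
    mism, only1, only2 = compare_idmaps(dc1, dc2)
    for sid, x1, x2 in mism:
        print(f"MISMATCH {sid}: DC1 xid {x1}, DC2 xid {x2}")
    for sid in only1:
        print(f"ONLY ON DC1: {sid} -> {dc1[sid][0]}")
    for sid in only2:
        print(f"ONLY ON DC2: {sid} -> {dc2[sid][0]}")
    for xid in sorted({num for num, _ in dc1.values()}):
        s1, s2 = sysvol_owner_drift(dc1, dc2, xid)
        print(f"sysvol owner xid {xid}: DC1 says {s1}, DC2 says {s2}")
```

Run it with no arguments to see the constructed case: Administrators on DC1 shows up as Users on DC2 (wrong name), and the Authenticated Users xid has no record on DC2 at all (bare number). An empty mismatch list and empty only-on lists are what you want to see before and after copying idmap.ldb and running 'net cache flush' as described above.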