[Samba] Rights issue on GPO

Rowland penny rpenny at samba.org
Fri Jun 10 07:26:13 UTC 2016

On 10/06/16 07:52, Sébastien Le Ray wrote:
> Hi
> Le 09/06/2016 à 20:42, Rowland penny a écrit :
>> On 08/06/16 15:34, mathias dufresne wrote:
>>> Hi all,
>>> [snip]
>>> And we get an issue with Linux ACLs: they are not the same because some
>>> BUILTIN users and/or groups do not have the same id mapping on all DCs.
>>> How to force all DCs to get the same id mapping?
>>> Using "acl_xattr:ignore system acls = yes", are Linux ACLs still
>>> important, or are we supposed to use Windows ACLs only, stored in some
>>> Samba file? In that case, which file(s)?
> They're stored in each file's xattr as an obscure base64 encoded value,
> BUT in all cases unix permissions apply when accessing through
> samba. So disabling ACLs means that you have to set the properties
> correctly to allow "samba" unix users to access files (there's no
> clear doc on that…)
>> OK, first you do not need this on a DC: 'winbind nss info = rfc2307'
>> Secondly, your different id mappings for BUILTIN users & groups is a
>> well known problem. The ids are stored in 'idmap.ldb' as 'xidNumber'
>> attributes and seem to be given on a first come basis; the only problem
>> is, the groups etc don't connect in the same order on every DC.
> Wasn't this supposed to be solved in 4.2?
> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups
> The wiki seems to say that Builtin xIDs are now replicated but there is
> no clear upgrade path (if you've mixed 4.1 & 4.2 DCs, which mapping will
> be stored in 4.2 winbind? What happens when you upgrade the 4.1 to 4.2?)

Well, it is and it isn't. Yes, winbindd will display the user & group
names for sysvol, but sysvol still isn't replicated between DCs. I think
this means that when you sync sysvol manually, you will get the IDs
from the first DC applied to sysvol on the second DC, and if there is a
difference in ID numbers between the DCs, you will either just get a
number or, even worse, a wrong name returned.

I could be wrong, but I still think you need to keep idmap.ldb in sync
on all DCs if you are syncing sysvol.

>> To get the same IDs on every DC, you will have to copy idmap.ldb
>> from the first DC to every other DC, run 'net cache flush' and then
>> keep 'idmap.ldb' in sync.
> Regards
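The drift described in this thread (first-come xidNumber allocation in idmap.ldb, then a raw sysvol copy carrying numeric ids that mean a different group on the other DC) can be checked before it bites. The script below is an added example, not code from the thread or from the Samba project. It assumes each DC's table was exported with `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=*)' objectSid xidNumber type`, and the two LDIF outputs embedded here are constructed samples: the SIDs are the real well-known BUILTIN ones, the xidNumber values are made up to show two DCs that saw the groups in a different order.

```python
"""Compare idmap.ldb xidNumber allocations between two Samba DCs.

Added example (not the thread's or Samba's own code). Input is the LDIF
printed by ldbsearch on each DC; the samples below are CONSTRUCTED.
"""
import re

# Constructed: export from the first DC.
DC1_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000
type: ID_TYPE_BOTH

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000001
type: ID_TYPE_BOTH

# record 3
dn: CN=S-1-5-32-548
objectSid: S-1-5-32-548
xidNumber: 3000002
type: ID_TYPE_BOTH

# returned 3 records
"""

# Constructed: the second DC allocated Account Operators before Users, and
# has already handed out a number to Server Operators that DC1 never saw.
DC2_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000
type: ID_TYPE_BOTH

# record 2
dn: CN=S-1-5-32-548
objectSid: S-1-5-32-548
xidNumber: 3000001
type: ID_TYPE_BOTH

# record 3
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000002
type: ID_TYPE_BOTH

# record 4
dn: CN=S-1-5-32-549
objectSid: S-1-5-32-549
xidNumber: 3000003
type: ID_TYPE_BOTH

# returned 4 records
"""

# Well-known BUILTIN SIDs, for readable reports.
BUILTIN_NAMES = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
}


def parse_idmap_ldif(text):
    """Return {objectSid: (xidNumber, type)} from ldbsearch LDIF output."""
    mappings = {}
    for block in re.split(r"\n\s*\n", text):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):   # skip ldbsearch comments
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = (int(attrs["xidNumber"]),
                                            attrs.get("type", "?"))
    return mappings


def compare_idmaps(a, b):
    """Report drift: same SID with different numbers, or SIDs on one DC only."""
    both = a.keys() & b.keys()
    return {
        "mismatched": sorted(sid for sid in both if a[sid][0] != b[sid][0]),
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
    }


def resolve_xid(mappings, xid):
    """Reverse lookup: which SID does a numeric id on disk mean on this DC?
    After a raw sysvol copy the number travels with the file, the SID does
    not, so the same gid can name a different group on each DC."""
    for sid, (num, _) in mappings.items():
        if num == xid:
            return sid
    return None


if __name__ == "__main__":
    dc1, dc2 = parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)
    report = compare_idmaps(dc1, dc2)
    for sid in report["mismatched"]:
        name = BUILTIN_NAMES.get(sid, sid)
        print(f"MISMATCH {name}: DC1 xid {dc1[sid][0]}, DC2 xid {dc2[sid][0]}")
    for sid in report["only_in_b"]:
        print(f"DC2 only: {BUILTIN_NAMES.get(sid, sid)} -> {dc2[sid][0]}")
    # What a gid copied from DC1's sysvol would resolve to on DC2:
    for xid in (3000001, 3000002):
        print(f"gid {xid}: DC1 says {BUILTIN_NAMES.get(resolve_xid(dc1, xid))},"
              f" DC2 says {BUILTIN_NAMES.get(resolve_xid(dc2, xid))}")
```

Any non-empty `mismatched` list is exactly the condition under which a synced sysvol shows the wrong group name on the second DC; the fix is the one given above, copying idmap.ldb from the first DC and running `net cache flush`, then re-running this comparison after each sync to confirm the tables still agree.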
