[Samba] Rights issue on GPO

Sébastien Le Ray sebastien-samba at orniz.org
Fri Jun 10 08:10:43 UTC 2016

On 10/06/2016 at 09:26, Rowland penny wrote:
> On 10/06/16 07:52, Sébastien Le Ray wrote:
>> Hi
>> Wasn't this supposed to be solved in 4.2?
>> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups 
>> The wiki seems to say that Builtin xID are now replicated but there 
>> is no clear upgrade path (if you've mixed 4.1 & 4.2 DC which mapping 
>> will be stored in 4.2 winbind? What happens when you upgrade the 4.1 
>> to 4.2?)
> Well, it is and it isn't, yes winbindd will display the user & group
> names for sysvol, but sysvol still isn't replicated between DCs. I
> think this means that when you sync sysvol manually, you will get the
> IDs from the first DC applied to sysvol on the second DC and if there
> is a difference in ID numbers between the DCs, you will either just
> get a number or, even worse, a wrong name returned.
> I could be wrong, but I still think you need to keep idmap.ldb in sync
> on all DCs, if you are syncing sysvol.

OK got it, the main difference is that the ids => name mapping /is active/
on the DC. So you can avoid idmap.ldb syncing if you don't use --numeric-ids
in your rsync command… as long as the receiving DC "knows" the group (the name
will be resolved to an ID so an id mismatch doesn't matter).
I think the wiki could be updated to completely remove the 4.2 statement
if my assumption is correct, because if the receiving DC never "saw" the
BUILTIN group owning a file it'll still be mapped to the same id as the
sender… which leaves us in an inconsistent state
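
As an added example, not code from this thread or from the Samba project: a preflight check for the name-based sync discussed above. rsync without --numeric-ids assigns ownership on the receiver by user/group name and, as the rsync manual documents, falls back to the sender's numeric id whenever a name does not resolve on the receiving side, which is precisely the inconsistent state the message worries about. The script collects the distinct owner/group names under the sysvol tree on the sending DC and verifies on the receiving DC that every one of them resolves through NSS (getent, which on a DC goes through winbind). The paths, host names and the sample owner list are constructed for illustration; GNU find is assumed for -printf, and getent is assumed to be present (a flat-file fallback is included only so the check degrades gracefully on a non-DC host).

```shell
#!/bin/sh
# Added example (not from the Samba thread or project): preflight check
# before an rsync of sysvol that relies on name-based ownership mapping,
# i.e. an rsync command WITHOUT --numeric-ids, such as (hypothetical hosts):
#   rsync -aAX --delete dc1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
# Every owner and group name present on the sender must resolve via NSS
# on the receiver; otherwise rsync silently keeps the sender's numeric id.
# Assumptions: GNU find (-printf); getent available (glibc NSS + winbind).

# Collect the distinct "user:group" owner pairs of every entry under a tree.
# Run on the sending DC; ship the output to the receiver, e.g.
#   collect_owners /var/lib/samba/sysvol | ssh dc2 'check_names_resolve'
collect_owners() {
    find "$1" -printf '%u:%g\n' | sort -u
}

# Resolve one name through NSS. $1 = passwd|group, $2 = name.
# Returns 0 if the name exists on this host.
name_resolves() {
    if command -v getent >/dev/null 2>&1; then
        getent "$1" "$2" >/dev/null 2>&1
    else
        # Fallback for hosts without getent (never a real DC): flat files only.
        # -x -F: whole-line, literal match, so names containing '\' are safe.
        cut -d: -f1 "/etc/$1" 2>/dev/null | grep -qxF -- "$2"
    fi
}

# Read "user:group" lines on stdin (the collect_owners output) and print
# every name that does not resolve here. Returns 0 when all resolve,
# 1 otherwise, so it can gate the actual rsync run.
check_names_resolve() {
    bad=0
    while IFS=: read -r user group; do
        [ -n "$user" ] || continue
        if ! name_resolves passwd "$user"; then
            printf 'unresolved user: %s\n' "$user"
            bad=1
        fi
        if ! name_resolves group "$group"; then
            printf 'unresolved group: %s\n' "$group"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample of collect_owners output as it might look on a DC where
# winbind resolves BUILTIN names. The second line is exactly the case from
# the thread: a BUILTIN group the receiving host may never have mapped.
SAMPLE_OWNERS='root:root
root:BUILTIN\Administrators'

# Stand-alone demo: on a plain Linux host the BUILTIN group is reported.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OWNERS" | check_names_resolve && echo "sysvol owners resolve, safe to rsync"
fi
```

Only run the rsync when check_names_resolve exits 0; if it lists a name, create or map that account on the receiving DC first (or keep idmap.ldb in sync as Rowland suggests), because the fallback to the sender's numeric id is what produces the wrong-name or bare-number results described earlier in the thread.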
