[Samba] Rights issue on GPO

mathias dufresne infractory at gmail.com
Fri Jun 10 10:49:12 UTC 2016 

Thank you all for these replies.

2016-06-10 9:26 GMT+02:00 Rowland penny <rpenny at samba.org>:

> On 10/06/16 07:52, Sébastien Le Ray wrote:
>
>> Hi
>>
>>
>> Le 09/06/2016 à 20:42, Rowland penny a écrit :
>>
>>> On 08/06/16 15:34, mathias dufresne wrote:
>>>
>>>> Hi all,
>>>>
>>>> [snip]
>>>> And we get issue with Linux ACLs: they are not the same because some
>>>> BUILTIN users and/or groups do not have same id mapping on all DC.
>>>>
>>>> How to force all DC to get same id mapping?
>>>>
>>>> Using "acl_xattr:ignore system acls = yes", are Linux ACLs still
>>>> important
>>>> or are we supposed to use Windows ACLs only into stored into some Samba
>>>> file? In that case, which file(s)?
>>>>
>>>
>> They're stored in each file xattr as an obscure base64 encoded value
>> BUT in all cases unix permissions applies when accessing through samba.
>> So disabling ACLs means that you've to set the properties correctly to
>> allow "samba" unix users to access files (there's no clear doc on that…)
>>
>> OK, first you do not need this on a DC: 'winbind nss info = rfc2307'
>>>
>>> Secondly, your different id mappings for BUILTIN users & groups is a
>>> well known problem. The id's are stored in 'idmap.ldb' as 'xidNumber'
>>> attributes and seem to be given on a first come basis, only problem is, the
>>> groups etc don't connect in the same order on every DC.
>>>
>>
>> Wasn't this supposed to be solved in 4.2?
>>
>> https://wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups
>> The wiki seems to say that Builtin xID are now replicated but there is no
>> clear upgrade path (if you've mixed 4.1 & 4.2 DC which mapping will be
>> stored in 4.2 winbind? What happens when you upgrade the 4.1 to 4.2?)
>>
>
> Well, it is and it isn't, yes winbindd will display the user & group names
> for sysvol, but sysvol still isn't replicated between DCs. I think this
> means that when you sync sysvol manually, you will get the ID's from the
> first DC applied to sysvol on the second DC and if there is a difference in
> ID numbers between the DC's, you will either just get a number or, even
> worse, a wrong name returned.
>
> I could be wrong, but I still think you need to keep idmap.ldb in sync on
> all DCs, if you are syncing sysvol.
>

At least here you were right: without syncing idmap.ldb followed by "net
cache flush" Sysvol rights were an awful mess and so GPO were retrieved
once on really too few (tests are done for now with around 20 DCs which
makes that kind of issue showing really quickly/often).

I'm about to add xidNumber to any users and groups in BUILTIN and Users
directories (in LDAP tree) to avoid as often as possible that idmap
process. I should come back to tell how things went.


>
> Rowland
>
>
>>
>>> To get the same ID's on every DC, you will have to copy idmap.ldb from
>>> the first DC to every other DC, run 'net cache flush' and then keep
>>> 'idmap.ldb' in sync.
>>>
>>> Regards
>>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list