[Samba] Rights issue on GPO

Rowland penny rpenny at samba.org
Mon Jun 20 18:04:30 UTC 2016 

On 20/06/16 18:19, lists wrote:
> Hi all,
>
> Following this thread with interest, as we are also having some issues 
> with GPO (they work on and off, unpredictably)
> We checked iddap.ldb on the DCs and noticed differences between DCs.
>
> We would like to ask some questions:
>
> On 10-6-2016 9:26, Rowland penny wrote:
>> Well, it is and it isn't, yes winbindd will display the user & group
>> names for sysvol, but sysvol still isn't replicated between DCs. I think
>> this means that when you sync sysvol manually, you will get the ID's
>> from the first DC applied to sysvol on the second DC and if there is a
>> difference in ID numbers between the DC's, you will either just get a
>> number or, even worse, a wrong name returned.
>>
>> I could be wrong, but I still think you need to keep idmap.ldb in sync
>> on all DCs, if you are syncing sysvol.
>
> We are on sernet-samba-4.4.4 on the DCs, and "winbindd -D" is running 
> on DCs.

If you are using Sernet 4.4.4 packages, you must have a Sernet 
subscription, you may get quicker help there.

>
> We understand we need to keep idmap.ldb in sync. We did this in the 
> past, but it seems they have gotten out of sync again.
> One question: HOW OFTEN do we need to do manually sync the imap.ldb 
> files? After each and every regular user addition/deletion?

I was wrong, if you are using 4.2.0 or later, you do not need to sync 
idmap.ldb, winbindd should report the correct user/groupname.

>
> We are currently on sernet-4.4.4 on the 3 DCs, but on our fileserver 
> we are still on samba 4.2.11 and sssd. Would that last bit have any 
> impact on the GPO situation..? (i don't think so, because GPOs are on 
> the DCs and not on the fileserver..?)
>

It shouldn't, because, as you say, GPO's are only stored on the DC's.

> Since our idmap.ldb differs per DC, HOW to choose which one to copy to 
> the other DCs? Choosing wrongly will probably have major implications..?

try running getfacl on the sysvol dir, you should get something like this:

root at dc1:~# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
# flags: -s-
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

You should have two mapped users/groups and two unmapped ones.
Repeat on the other DCs, then open 'idmap.ldb' on each DC with ldbedit 
and check that the unmapped ones are mapped to the same windows RIDs, 
which should be CN=S-1-5-18 and CN=S-1-5-11

If they are all the same, no problem, if not, then we will come to that 
if we have to :-)

Rowland

>
> Sorry to ask so many questions, hopefully someone will answer.
>
> Best regards,
> MJ
>

More information about the samba mailing list