[Samba] Rights issue on GPO

lists lists at merit.unu.edu
Mon Jun 20 18:35:14 UTC 2016

Hi Rowland, list,

On 20-6-2016 20:04, Rowland penny wrote:
> If you are using Sernet 4.4.4 packages, you must have a Sernet
> subscription, you may get quicker help there.
Well I'm not sure this kind of support is included, but even if it were, 
then others would not benefit from the dialogue with their support. :-)

> I was wrong, if you are using 4.2.0 or later, you do not need to sync
> idmap.ldb, winbindd should report the correct user/groupname.
It does do that on all DCs, yes.

> try running getfacl on the sysvol dir, you should get something like this:
> root at dc1:~# getfacl /usr/local/samba/var/locks/sysvol
> default:mask::rwx
> default:other::---
> You should have two mapped users/groups and two unmapped ones.
> Repeat on the other DCs, then open 'idmap.ldb' on each DC with ldbedit
> and check that the unmapped ones are mapped to the same windows RIDs,
> which should be CN=S-1-5-18 and CN=S-1-5-11
So, they are the same on DC2 and DC3, but the xid for CN=S-1-5-18 is
different on DC4 (DC4 is 3000024, compared to 3000300 on DC2/DC3).

Also getfacl /var/lib/samba/sysvol looks very different on DC4:
> root at dc4:~# getfacl /var/lib/samba/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:3000009:r-x
> user:OURDOMAIN\134proxmox$:rwx
> group::rwx
> group:BUILTIN\134server\040operators:r-x
> group:BUILTIN\134administrators:rwx
> group:3000009:r-x
> group:OURDOMAIN\134proxmox$:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:3000009:r-x
> default:user:OURDOMAIN\134proxmox$:rwx
> default:group::---
> default:group:BUILTIN\134server\040operators:r-x
> default:group:BUILTIN\134administrators:rwx
> default:group:3000009:r-x
> default:group:OURDOMAIN\134proxmox$:rwx
> default:mask::rwx
> default:other::---

So the 'unmapped group' 3000300 has become a domain group.

I'm guessing that we need to solve this. Could you tell me how?

> If they are all the same, no problem, if not, then we will come to that
> if we have to :-)
Well, then if you would be so kind...? ;-)

Thanks very much Rowland!
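An added check, not part of this thread, that automates the comparison Rowland describes: it pulls the numeric (unresolved) entries out of getfacl output on each DC and cross-checks, per SID, whether idmap.ldb hands out the same xid on every DC. The getfacl text and the LDIF idmap dumps are constructed from the values quoted above and are simplified (a real `ldbsearch -H idmap.ldb` dump carries more attributes, which the parser ignores).

```python
import re

# Constructed sample input modelled on the thread: getfacl output for sysvol and a
# simplified LDIF dump of idmap.ldb (real dumps carry more attributes) per DC.
GETFACL = {
    "dc2": "user::rwx\nuser:3000300:r-x\ngroup:3000300:r-x\n"
           "default:user:3000300:r-x\ndefault:group:3000300:r-x\n",
    "dc4": "user::rwx\nuser:3000009:r-x\ngroup:3000009:r-x\n"
           "default:user:3000009:r-x\ndefault:group:3000009:r-x\n",
}
IDMAP_LDIF = {
    "dc2": "dn: CN=S-1-5-18\ncn: S-1-5-18\nxidNumber: 3000300\n\n"
           "dn: CN=S-1-5-11\ncn: S-1-5-11\nxidNumber: 3000301\n",
    "dc4": "dn: CN=S-1-5-18\ncn: S-1-5-18\nxidNumber: 3000024\n\n"
           "dn: CN=S-1-5-11\ncn: S-1-5-11\nxidNumber: 3000301\n",
}

ACL_NUMERIC = re.compile(r"^(?:default:)?(?:user|group):(\d+):", re.M)  # bare id = unmapped

def unmapped_xids(getfacl_text):
    """Return the set of numeric (unresolved) uid/gid entries in getfacl output."""
    return {int(x) for x in ACL_NUMERIC.findall(getfacl_text)}

def parse_idmap_ldif(text):
    """Return {xidNumber: SID} from an LDIF dump of idmap.ldb (cn holds the SID)."""
    mapping = {}
    for record in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if "cn" in attrs and "xidNumber" in attrs:
            mapping[int(attrs["xidNumber"])] = attrs["cn"]
    return mapping

def resolve_unmapped(dc):
    """Pair each unresolved ACL entry on one DC with the SID its idmap.ldb gives it (None if absent)."""
    idmap = parse_idmap_ldif(IDMAP_LDIF[dc])
    return {xid: idmap.get(xid) for xid in unmapped_xids(GETFACL[dc])}

def inconsistent_sids(idmap_by_dc):
    """SIDs whose xid differs between DCs: the condition that makes sysvol ACLs drift."""
    per_sid = {}
    for dc, ldif in idmap_by_dc.items():
        for xid, sid in parse_idmap_ldif(ldif).items():
            per_sid.setdefault(sid, {})[dc] = xid
    return {sid: dcs for sid, dcs in per_sid.items() if len(set(dcs.values())) > 1}

if __name__ == "__main__":
    for dc in GETFACL:
        print(dc, resolve_unmapped(dc))
    print("xid mismatch across DCs:", inconsistent_sids(IDMAP_LDIF))
```

On real DCs, feed it the output of `getfacl` on the sysvol directory and of `ldbsearch -H` against each DC's idmap.ldb instead of the constructed strings.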
