[Samba] Rights issue on GPO

Achim Gottinger achim at ag-web.biz
Tue Jun 21 10:47:32 UTC 2016



On 21.06.2016 at 12:10, lists wrote:
> Hi Achim, list,
>
> On 21-6-2016 11:26, Achim Gottinger wrote:
>> Exactly, rsync should map user and group names if the daemon on the
>> destination runs as root. But this does not work. I tested it with a
>> group named test with gid 1000 on server #1 and gid 1001 on server #2.
>> It works if rsync is used via ssh like this
>> rsync -vv -XAavz -e ssh root at server2:/var/lib/samba/private/sysvol/
>> /var/lib/samba/private/sysvol/
>> Seems to be an issue with rsync causing trouble with sysvols.
>>
>> achim~
>
> I just tried your suggestion, rsync over ssh vs rsync to rsyncd, and 
> much to my surprise, there is a difference in the resulting data?!
>
> However unfortunately on our DC4, also rsync over ssh doesn't give us 
> the same getfacl output as on DC2/DC3, but it's surprising (to me) 
> that there is a difference at all:
>
> rsync to rsyncd result on DC4:
>> root at dc4:~/sysvol# getfacl /var/lib/samba/sysvol
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:3000009:r-x
>> user:OURDOMAIN\134proxmox$:rwx
>> group::rwx
>> group:1078:r-x
>> group:BUILTIN\134administrators:rwx
>> group:3000009:r-x
>> group:OURDOMAIN\134proxmox$:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:3000009:r-x
>> default:user:OURDOMAIN\134proxmox$:rwx
>> default:group::---
>> default:group:1078:r-x
>> default:group:BUILTIN\134administrators:rwx
>> default:group:3000009:r-x
>> default:group:OURDOMAIN\134proxmox$:rwx
>> default:mask::rwx
>> default:other::---
>
> rsync over ssh result on DC4:
>> root at dc4:~/sysvol# getfacl sysvol/
>> # file: sysvol/
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:3000009:r-x
>> user:OURDOMAIN\134proxmox$:rwx
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:3000009:r-x
>> group:BUILTIN\134server\040operators:r-x
>> group:OURDOMAIN\134proxmox$:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:3000009:r-x
>> default:user:OURDOMAIN\134proxmox$:rwx
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:3000009:r-x
>> default:group:BUILTIN\134server\040operators:r-x
>> default:group:OURDOMAIN\134proxmox$:rwx
>> default:mask::rwx
>> default:other::---
>
> And the 'original' getfacl on both DC2/DC3 looks like this:
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:3000009:r-x
>> user:3000300:rwx
>> group::rwx
>> group:BUILTIN\134server\040operators:r-x
>> group:BUILTIN\134administrators:rwx
>> group:3000009:r-x
>> group:3000300:rwx
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:3000009:r-x
>> default:user:3000300:rwx
>> default:group::---
>> default:group:BUILTIN\134server\040operators:r-x
>> default:group:BUILTIN\134administrators:rwx
>> default:group:3000009:r-x
>> default:group:3000300:rwx
>> default:mask::rwx
>> default:other::---
>
> So even though your solution causes a change, our DC4 still doesn't look 
> completely healthy... Suggestions to cure our DC4 would be very much 
> appreciated...
>
> But there is a much more fundamental question... how come there is a 
> difference between (rsync over ssh) vs (rsync to rsyncd)??!
>
> MJ
>
Looks like on DC4 3000300 is mapped to a computer account for "proxmox".

On DC2/DC3 3000009 should map to S-1-5-18 (Local System) and 3000300 to 
S-1-5-11 (Authenticated Users).
These are both security groups which do not resolve via winbindd, so they 
cannot be mapped. (You may add a manual mapping via --groupmap on 
your rsync command line.)

I assume you can delete the mapping for 3000300 on dc4 and change the 
mapping for S-1-5-11 to 3000300 (and S-1-5-18 to 3000009 if that id is 
not used by something else) in idmap.ldb on DC4. After a cache flush and 
sync, things should work again.
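The practical check behind the discussion above is "which ACL entries differ between DCs, and which of them are bare numeric xids that winbindd could not resolve (and therefore cannot be carried across by name)". The script below is an added example, not code from this thread, from Samba or from rsync. The two ACL texts are constructed from the getfacl output quoted earlier (access entries only; the default entries are omitted for brevity), and the xid values passed to rsync_idmap_args at the end are hypothetical placeholders for whatever idmap.ldb on the target DC actually allocates. The --usermap/--groupmap options exist in rsync 3.1 and later and only take effect when the receiving side runs as root.

```python
"""Compare sysvol POSIX ACLs between two DCs and flag unresolved xids.

Added example; not code from the thread, Samba or rsync. The ACL text is
constructed from the getfacl output quoted in the thread (access entries
only; default entries left out for brevity).
"""
import re

DC2_SYSVOL_ACL = r"""
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000009:r-x
user:3000300:rwx
group::rwx
group:BUILTIN\134server\040operators:r-x
group:BUILTIN\134administrators:rwx
group:3000009:r-x
group:3000300:rwx
mask::rwx
other::---
"""

DC4_SYSVOL_ACL = r"""
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000009:r-x
user:OURDOMAIN\134proxmox$:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:3000009:r-x
group:BUILTIN\134server\040operators:r-x
group:OURDOMAIN\134proxmox$:rwx
mask::rwx
other::---
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def unescape(name):
    """Undo getfacl's octal escaping: \134 is a backslash, \040 a space."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Map '[default:]tag:qualifier' -> perms for one getfacl entry block."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # '# file/owner/group' header lines are not ACL entries
        *key_parts, perms = line.split(":")
        entries[":".join(unescape(p) for p in key_parts)] = perms
    return entries


def compare_acls(reference, candidate):
    """Entries present on the reference DC but not on the candidate, entries
    only the candidate has, and entries whose permission bits differ."""
    return {
        "missing": sorted(k for k in reference if k not in candidate),
        "extra": sorted(k for k in candidate if k not in reference),
        "changed": sorted(k for k in reference
                          if k in candidate and reference[k] != candidate[k]),
    }


def unresolved_ids(entries):
    """Qualifiers that are bare numbers: xids winbindd could not turn into a
    name, so they only mean something on the DC whose idmap.ldb issued them."""
    return sorted({int(k.rsplit(":", 1)[1]) for k in entries
                   if k.rsplit(":", 1)[1].isdigit()})


def rsync_idmap_args(user_map=None, group_map=None):
    """Build --usermap/--groupmap strings (rsync >= 3.1, receiver running as
    root) for ids that have to be translated by number rather than by name."""
    args = []
    if user_map:
        args.append("--usermap=" + ",".join(f"{s}:{d}" for s, d in user_map.items()))
    if group_map:
        args.append("--groupmap=" + ",".join(f"{s}:{d}" for s, d in group_map.items()))
    return args


if __name__ == "__main__":
    ref, cand = parse_getfacl(DC2_SYSVOL_ACL), parse_getfacl(DC4_SYSVOL_ACL)
    for kind, keys in compare_acls(ref, cand).items():
        print(f"{kind}: {keys}")
    print("unresolved xids on DC2:", unresolved_ids(ref))
    print("unresolved xids on DC4:", unresolved_ids(cand))
    # Hypothetical target xids: substitute what idmap.ldb on the target DC
    # holds for S-1-5-11 / S-1-5-18 after it has been corrected.
    print(" ".join(rsync_idmap_args({3000300: 3000300}, {3000300: 3000300})))
```

Run it against `getfacl -R /var/lib/samba/sysvol` captures from each DC; every id that shows up under "unresolved" is one that name-based rsync cannot reconcile, and the "missing"/"extra" pairs (here 3000300 on DC2 versus OURDOMAIN\proxmox$ on DC4) are exactly the entries to cross-check against idmap.ldb on the target.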