[Samba] Rights issue on GPO

lingpanda101 at gmail.com lingpanda101 at gmail.com
Fri Jun 24 13:24:04 UTC 2016


On 6/22/2016 12:21 PM, mathias dufresne wrote:
> 2016-06-22 16:37 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>
>> @Mathias,
>>
>> Pretty strange then, running some years like this without any problem.
>> Yes we had a few problems with "rights" in sysvol, but I fixed this all
>> outside Linux, and with that I mean: changed rights from within Windows or
>> added registry changes or patches, or a local clean-up of the policies.
>>
>> At the install of my DC2 I also synced the idmap.ldb, and then a
>> net idmap flush on both servers to make both my DCs in sync.
>> And I keep it in sync with my rsync/unison setup.
>>
>> All newly added, but I'll keep an eye on this also and I'll recheck my logs.
>> But I don't think I'll find anything here.
>> I'll keep notice of your "workaround".
>>
>> Which backend are you using, Mathias?
>> Mine : (idmap config NTDOMAIN : backend = ad)
>>
>>
>> Gr.
>>
>> Louis
>>
>>
> OK, you keep idmap.ldb synched; that's what I missed until a few days ago and was
> the reason that it was not working.
> Our choice to give each user and group in AD some xID is only to
> avoid usage of mapping. I expect the synchronization of idmap.ldb (if done
> often enough) would be sufficient. But I don't always like magic : )
>
> Thank you for the clarifications!
>
>
> Cheers all
>
>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias
>> dufresne
>>> Sent: Wednesday 22 June 2016 15:31
>>> To: lingpanda101 at gmail.com
>>> CC: samba
>>> Subject: Re: [Samba] Rights issue on GPO
>>>
>>> @LPH van Belle
>>> I did try (and still use) "acl_xattr:ignore system acls = yes" as shown
>>> in the first mail of that thread. And even using that, rights errors on
>> GPO
>>> files _are_ an issue. Otherwise that thread wouldn't have been opened, of
>>> course : )
>>>
>>> Regarding how we decided to work around this almost definitively: we
>>> gave every user and group in AD some xID, also those in CN=Builtin and
>>> CN=Users. We also cleaned our idmap.ldb to keep inside only special users
>>> /
>>> groups (such as "local system" / S-1-5-18, "guests" / S-1-5-32-546...).
>>> We also added some rsync to keep idmap.ldb synchronized on all our DCs, so
>>> these special items have the same mapped xID in case they are used (and so
>>> mapped).
>>>
>>> Doing that, the id mapper has no reason to define by itself some xID for
>>> users and groups contained in AD, as they already have one.
>>>
>>> Until now it seems to work fine...
>>>
>>>
>>> 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com
>>> <lingpanda101 at gmail.com>:
>>>
>>>> On 6/22/2016 8:53 AM, mj wrote:
>>>>
>>>>>
>>>>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>>>>
>>>>>> Why is it that when I do a getfacl I do not see the mapping of BUILTIN
>>>>>> like others?
>>>>>>
>>>>> Do you have winbind in /etc/nsswitch.conf?
>>>>>
>>>>> mj
>>>>>
>>>>>
>>>> I also thought winbind was only necessary on member servers.
>>>>
>>>> --
>>>> -James
>>>>
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>
>>
>>
>>

If I assign every user a UID and select groups a GID by utilizing 
rfc2307 on my DCs, would I still benefit from keeping idmap.ldb 
synchronized? I'm thinking xIDs are obsolete at that point?

-- 
-James
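The thread above turns on two symptoms that are easy to confirm from the DCs themselves: ACL entries on sysvol that show up as bare numeric xIDs instead of names (BUILTIN not appearing in getfacl output), and idmap.ldb allocations that differ between DCs so the same policy directory carries different IDs on each. The script below is an added example, not code from the list thread or from Samba. It parses the text format that `getfacl` prints (`# file:` headers followed by `tag:qualifier:perms` entries, including `default:` entries and `#effective:` annotations), reports entries whose qualifier is an unresolved number, and diffs two dumps path by path. The two dumps, the `example.lan` domain and the `{GUID-PLACEHOLDER}` policy name are constructed samples, not captures from real DCs.

```python
"""Sysvol ACL consistency check: flag unresolved xIDs and DC-to-DC drift.

Added example, not code from the Samba list thread or from Samba itself.
It reads the text format printed by `getfacl` (real format: `# file:`
headers followed by `tag:qualifier:perms` entries); the two dumps below
are constructed samples, not captures from real DCs.
"""
from typing import Dict, List, Set, Tuple

# (tag, qualifier, perms); a "default:" ACL keeps the prefix in the tag.
AclEntry = Tuple[str, str, str]

# Constructed sample: one policy directory as seen on two DCs whose
# idmap.ldb files have drifted. A numeric qualifier means this DC could
# not turn the xID back into a name (winbind not in nsswitch, or an
# allocation present only in the other DC's idmap.ldb). GUID is a placeholder.
DC1_DUMP = """\
# file: sysvol/example.lan/Policies/{GUID-PLACEHOLDER}
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
group::---
group:3000000:rwx
group:3000001:r-x
mask::rwx
other::---
"""

DC2_DUMP = """\
# file: sysvol/example.lan/Policies/{GUID-PLACEHOLDER}
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
group::---
group:3000000:rwx
group:3000002:r-x
mask::rwx
other::---
"""


def parse_getfacl(text: str) -> Dict[str, Set[AclEntry]]:
    """Parse getfacl output into {path: {(tag, qualifier, perms), ...}}."""
    acls: Dict[str, Set[AclEntry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            current = line[len("# file:"):].strip()
            acls[current] = set()
            continue
        if line.startswith("#") or current is None:
            continue  # owner/group/flags comment lines are not ACL entries
        body = line.split("#", 1)[0].strip()  # drop "#effective:" annotations
        parts = body.split(":")
        if parts[0] == "default" and len(parts) == 4:
            parts = ["default:" + parts[1]] + parts[2:]
        if len(parts) != 3:
            continue  # not an ACL entry line
        tag, qualifier, perms = parts
        acls[current].add((tag, qualifier, perms))
    return acls


def unresolved_entries(acls: Dict[str, Set[AclEntry]]) -> List[Tuple[str, AclEntry]]:
    """Entries whose qualifier is a bare number: an xID this DC could not map."""
    return [(path, entry)
            for path, entries in sorted(acls.items())
            for entry in sorted(entries)
            if entry[1].isdigit()]


def diff_acls(a: Dict[str, Set[AclEntry]],
              b: Dict[str, Set[AclEntry]]) -> Dict[str, Tuple[Set[AclEntry], Set[AclEntry]]]:
    """For paths present in both dumps, return (only_in_a, only_in_b) where they differ."""
    drift: Dict[str, Tuple[Set[AclEntry], Set[AclEntry]]] = {}
    for path in sorted(set(a) & set(b)):
        only_a, only_b = a[path] - b[path], b[path] - a[path]
        if only_a or only_b:
            drift[path] = (only_a, only_b)
    return drift


if __name__ == "__main__":
    dc1, dc2 = parse_getfacl(DC1_DUMP), parse_getfacl(DC2_DUMP)
    for path, (tag, qual, perms) in unresolved_entries(dc1):
        print(f"DC1 unresolved: {path} {tag}:{qual}:{perms}")
    for path, (only1, only2) in diff_acls(dc1, dc2).items():
        print(f"drift on {path}: DC1-only={sorted(only1)} DC2-only={sorted(only2)}")
```

In practice you would feed it `getfacl -R` output captured from each DC's sysvol; an entry that resolves on one DC and is numeric on the other, or a group entry whose xID differs between the two, is exactly the idmap.ldb divergence the thread describes keeping in check with rsync.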
