[Samba] Rights issue on GPO

mathias dufresne infractory at gmail.com
Fri Jun 24 15:40:18 UTC 2016


2016-06-24 15:24 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:

> On 6/22/2016 12:21 PM, mathias dufresne wrote:
>
>> 2016-06-22 16:37 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>
>>> @Mathias,
>>>
>>> Pretty strange then, running some years like this without any problem.
>>> Yes, we had a few problems with "rights" in sysvol, but I fixed this all
>>> outside Linux, and with that I mean: changed rights from within Windows or
>>> added registry changes or patches, or a local clean up of the policies.
>>>
>>> At the install of my DC2 I also synced the idmap.ldb, and then a
>>> net idmap flush on both servers to make both my DCs in sync.
>>> And I keep it in sync with my rsync/unison setup.
>>>
>>> All new added, but I'll keep an eye also on this and I'll recheck my
>>> logs.
>>> But I don't think I'll find anything here.
>>> I'll keep notice on your "workaround".
>>>
>>> Which backend are you using, Mathias?
>>> Mine : (idmap config NTDOMAIN : backend = ad)
>>>
>>>
>>> Gr.
>>>
>>> Louis
>>>
>>>
>> OK, you keep idmap.ldb synched; that's what I missed until a few days ago and
>> was the reason that it was not working.
>> Our choice to give each user and group in AD some xID is only to
>> avoid usage of mapping. I expect the synchronization of idmap.ldb (if done
>> often enough) would be sufficient. But I don't always like magic : )
>>
>> Thank you for the precisions!
>>
>>
>> Cheers all
>>
>>
>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
>>>> Sent: Wednesday 22 June 2016 15:31
>>>> To: lingpanda101 at gmail.com
>>>> CC: samba
>>>> Subject: Re: [Samba] Rights issue on GPO
>>>>
>>>> @LPH van Belle
>>>> I did try (and still use) "acl_xattr:ignore system acls = yes" as shown
>>>> on the first mail of that thread. And even using that, rights errors on GPO
>>>> files _are_ an issue. Otherwise that thread wouldn't have been opened, of
>>>> course : )
>>>>
>>>> Regarding how we decided to work around that almost definitively: it was to
>>>> give every user and group in AD some xID, also those in CN=Builtin and
>>>> CN=Users. We also cleaned our idmap.ldb to keep inside only special users /
>>>> groups (as "local system" / S-1-5-18, "guests" / S-1-5-32-546...).
>>>> We also added some rsync to keep idmap.ldb synchronized on all our DCs, so
>>>> these special items have the same mapped xID in case they are used (and so
>>>> mapped).
>>>>
>>>> Doing that, the id mapper has no reason to define by itself some xID for users
>>>> and groups contained in AD, as they already have some xID.
>>>>
>>>> Until now it seems to work fine...
>>>>
>>>>
>>>> 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com
>>>> <lingpanda101 at gmail.com>:
>>>>
>>>>> On 6/22/2016 8:53 AM, mj wrote:
>>>>>
>>>>>
>>>>>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>>>>>
>>>>>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
>>>>>>> others?
>>>>>>>
>>>>>> do you have winbind in /etc/nsswitch.conf?
>>>>>>
>>>>>> mj
>>>>>>
>>>>>>
>>>>> I also thought winbind was only necessary on member servers.
>>>>>
>>>>> --
>>>>> -James
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>
>>>>
>>>
>>>
>>>
>>>
> If I assign every user a UID and select groups a GID by utilizing rfc2307
> on my DCs, would I still benefit from keeping idmap.ldb synchronized? I'm
> thinking XIDs are obsolete at that point?


Only users and groups in AD will avoid the id mapper by that workaround. But
there are other accounts ("local system", "guest", "local
administrator", ...); all these accounts exist on MS Windows clients, so
they can all do stuff on Sysvol and so they can all go through the id mapper.

So no. There's no way (for me at least :) to totally avoid the id mapper, and so
you should keep idmap.ldb synched.




>
>
> --
> -James
>
>
>
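Checking whether idmap.ldb has drifted between DCs, as an added example that is not from this thread: it parses constructed `ldbsearch -H /var/lib/samba/private/idmap.ldb` output captured on two DCs (the attribute names follow idmap.ldb's sidMap records; the xidNumber values and DC names are made up) and reports every SID whose xidNumber or type differs, or that exists on only one DC.

```python
import re

# Constructed sample records in the shape `ldbsearch -H idmap.ldb` prints for
# sidMap entries (xidNumber values are made up for this example).
DC1_LDIF = """\
dn: CN=S-1-5-18
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-546
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

DC2_LDIF = """\
dn: CN=S-1-5-18
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-546
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000003
"""

def parse_idmap(ldif):
    """Return {sid: (xidNumber, type)} from LDIF text; '# ...' comment lines are skipped."""
    records = [dict(l.split(": ", 1) for l in r.splitlines() if ": " in l)
               for r in re.split(r"\n\s*\n", ldif.strip())]
    return {a["objectSid"]: (int(a["xidNumber"]), a.get("type"))
            for a in records if "objectSid" in a and "xidNumber" in a}

def idmap_drift(maps):
    """maps: {dc: mapping}. Return {sid: {dc: entry or None}} for SIDs the DCs disagree on."""
    sids = set().union(*(m.keys() for m in maps.values()))
    drift = {}
    for sid in sorted(sids):
        per_dc = {dc: m.get(sid) for dc, m in maps.items()}
        if len(set(per_dc.values())) > 1:  # differing xid/type, or missing on some DC
            drift[sid] = per_dc
    return drift
```

On real dumps, run `idmap_drift` over one `parse_idmap` result per DC after each rsync; an empty result means the special accounts (S-1-5-18, S-1-5-32-546, ...) map to the same xID everywhere.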

