[Samba] Rights issue on GPO
Rowland penny
rpenny at samba.org
Fri Jun 24 19:24:06 UTC 2016
On 24/06/16 19:47, lingpanda101 at gmail.com wrote:
> On 6/24/2016 11:40 AM, mathias dufresne wrote:
>>
>>
>> 2016-06-24 15:24 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>
>> On 6/22/2016 12:21 PM, mathias dufresne wrote:
>>
>> 2016-06-22 16:37 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>
>> @Mathias,
>>
>> Pretty strange then, running some years like this without any problem.
>> Yes, we had a few problems with "rights" in sysvol, but I fixed this all
>> outside Linux, and with that I mean: changed rights from within Windows,
>> added registry changes or patches, or did a local clean up of the policies.
>>
>> At the install of my DC2 I also synced the idmap.ldb, and then a
>> net idmap flush on both servers to make both my DCs in sync.
>> And I keep it in sync with my rsync/unison setup.
>>
>> All newly added, but I'll keep an eye on this also and I'll recheck my logs.
>> But I don't think I'll find anything here.
>> I'll keep notice of your "workaround".
>>
>> Which backend are you using, Mathias?
>> Mine: (idmap config NTDOMAIN : backend = ad)
>>
>>
>> Gr.
>>
>> Louis
>>
>>
>> OK, you keep idmap.ldb synced; that's what I missed until a few days ago, and
>> that was the reason it was not working.
>> Our choice to give each user and group in AD an xID is only to avoid the use
>> of mapping. I expect the synchronization of idmap.ldb (if done often enough)
>> would be sufficient. But I don't always like magic : )
>>
>> Thank you for the clarifications!
>>
>>
>> Cheers all
>>
>>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias
>> dufresne
>> Sent: Wednesday 22 June 2016 15:31
>> To: lingpanda101 at gmail.com
>> CC: samba
>> Subject: Re: [Samba] Rights issue on GPO
>>
>> @LPH van Belle
>> I did try (and still use) "acl_xattr:ignore system acls = yes" as shown
>> on the first mail of that thread. And even using that, rights errors on
>> GPO files _are_ an issue. Otherwise that thread wouldn't have been opened,
>> of course : )
>>
>> Regarding how we decided to work around this almost definitively: it was to
>> give every user and group in AD an xID, also those in CN=Builtin and
>> CN=Users. We also cleaned our idmap.ldb to keep inside only special users /
>> groups (such as "local system" / S-1-5-18, "guests" / S-1-5-32-546...).
>> We also added some rsync to keep idmap.ldb synchronized on all our DCs, so
>> that these special items have the same mapped xID in case they are used (and
>> so mapped).
>>
>> Doing that, the id mapper has no reason to define by itself some xID for
>> users and groups contained in AD, as they already have an xID.
>>
>> Until now it seems to work fine...
>>
>>
>> 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>
>> On 6/22/2016 8:53 AM, mj wrote:
>>
>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>
>> Why is it, when I do a getfacl, that I do not see the mapping of BUILTIN
>> like the others?
>>
>> Do you have winbind in /etc/nsswitch.conf?
>>
>> mj
>>
>>
>> I also thought winbind was only necessary on member servers.
>>
>> --
>> -James
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following
>> URL and read the
>> instructions:
>> https://lists.samba.org/mailman/options/samba
>>
>>
>>
>>
>>
>>
>> If I assign every user a UID and select groups a GID by utilizing
>> rfc2307 on my DCs, would I still benefit from keeping idmap.ldb
>> synchronized? I'm thinking XIDs are obsolete at that point?
>>
>>
>> Only users and groups in AD will avoid the id mapper by that workaround.
>> But there are other accounts ("local system", "guest", "local
>> administrator"...); all these accounts exist on MS Windows clients,
>> and so they can all do stuff on Sysvol and so they can all go through the
>> id mapper.
>>
>> So no. There is no way (for me at least :) to totally avoid the id mapper,
>> and so you should keep idmap.ldb synced.
>>
>>
>>
>>
>> -- -James
>>
>>
>>
>>
>
> I'm in the process now of creating a script to sync idmap.ldb. Does
> anyone have one at the moment? Is it best practice to stop samba
> before replacing idmap.ldb on the additional DCs? My script will
> currently watch for any idmap.ldb changes and create a hot backup if a
> change is detected. It will then send it to the other DCs via rsync. I'm
> thinking starting and stopping samba isn't ideal during production hours.
>
If you are running Samba >= 4.2.0 with the separate 'winbindd' binary,
there is no reason to sync idmap.ldb. Syncing idmap was/is only required
if you use 'winbind' that is built into the 'samba' binary.
Rowland
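Rowland's rule above (Samba >= 4.2.0 with the separate winbindd daemon means idmap.ldb need not be synced between DCs) can be turned into a check to run on each DC before anyone writes a sync script. The script below is an added example, not code from this thread or from the Samba project: it parses the version out of what `samba -V` prints, compares it against 4.2.0 and looks for a running `winbindd` process with `pgrep`. The function names, the `--check` flag and the version strings used in the comments are my own constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether idmap.ldb has to be kept in
# sync between Samba AD DCs, applying the rule from the reply above: with Samba
# >= 4.2.0 and the separate winbindd daemon running, no sync is needed.

# Pull "MAJOR.MINOR.PATCH" out of the text `samba -V` prints, e.g. the constructed
# sample "Version 4.3.11-Ubuntu" gives "4.3.11". Prints nothing if no version is found.
samba_version_from_string() {
    printf '%s\n' "$1" |
        sed -n 's/^Version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when dotted version $1 is >= dotted version $2. Compares each
# component numerically, so 4.10.0 correctly sorts after 4.9.3.
version_ge() {
    IFS=. read -r a1 a2 a3 <<EOF
$1
EOF
    IFS=. read -r b1 b2 b3 <<EOF
$2
EOF
    a3=${a3:-0}; b3=${b3:-0}
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -gt "$b1" ]; return; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -gt "$b2" ]; return; fi
    [ "$a3" -ge "$b3" ]
}

# Decision: exit 0 when idmap.ldb must be synced, 1 when it need not be.
# $1 is the `samba -V` output, $2 is "yes"/"no" for a running separate winbindd.
# An unparseable version string is treated conservatively (sync needed).
idmap_sync_needed() {
    ver=$(samba_version_from_string "$1")
    if [ -n "$ver" ] && version_ge "$ver" 4.2.0 && [ "$2" = yes ]; then
        return 1
    fi
    return 0
}

# Live check on the DC this runs on. Assumes `samba` is on PATH and that the
# separate daemon shows up as a process named "winbindd".
check_this_dc() {
    vstr=$(samba -V 2>/dev/null) || { echo "samba not found on PATH"; return 2; }
    if pgrep -x winbindd >/dev/null 2>&1; then wb=yes; else wb=no; fi
    if idmap_sync_needed "$vstr" "$wb"; then
        echo "$vstr, separate winbindd running: $wb -> keep idmap.ldb in sync"
    else
        echo "$vstr, separate winbindd running: $wb -> no idmap.ldb sync needed"
    fi
}

# Run the live check only when invoked as: sh idmap_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_this_dc
fi
```

The version comparison is done component by component rather than with `sort -V` so the script also works on DCs whose `sort` lacks that GNU extension; the decision function is separated from the live probe so the rule itself can be exercised with constructed inputs.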