[Samba] Rights issue on GPO

Rowland penny rpenny at samba.org
Fri Jun 24 19:24:06 UTC 2016


On 24/06/16 19:47, lingpanda101 at gmail.com wrote:
> On 6/24/2016 11:40 AM, mathias dufresne wrote:
>>
>>
>> 2016-06-24 15:24 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>
>>     On 6/22/2016 12:21 PM, mathias dufresne wrote:
>>
>>         2016-06-22 16:37 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>
>>             @Mathias,
>>
>>             Pretty strange then, running some years like this without
>>             any problem.
>>             Yes, we had a few problems with "rights" in sysvol, but I
>>             fixed this all outside Linux, and with that I mean: changed
>>             rights from within Windows, or added registry changes or
>>             patches, or a local clean-up of the policies.
>>
>>             At the install of my DC2 I also synced the idmap.ldb, and
>>             then a net idmap flush on both servers to get both my DCs
>>             in sync.
>>             And I keep it in sync with my rsync/unison setup.
>>
>>             All newly added, but I'll keep an eye on this also and I'll
>>             recheck my logs.
>>             But I don't think I'll find anything here.
>>             I'll keep notice of your "workaround".
>>
>>             Which backend are you using, Mathias?
>>             Mine: (idmap config NTDOMAIN : backend = ad)
>>
>>
>>             Gr.
>>
>>             Louis
>>
>>
>>         OK, you keep idmap.ldb synched; that's what I missed until a few
>>         days ago and was the reason it was not working.
>>         Our choice to give each user and group in AD some xID is only to
>>         avoid usage of mapping. I expect the synchronization of
>>         idmap.ldb (if done often enough) would be sufficient. But I
>>         don't always like magic : )
>>
>>         Thank you for the precisions!
>>
>>
>>         Cheers all
>>
>>
>>                 -----Original message-----
>>                 From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
>>                 Sent: Wednesday 22 June 2016 15:31
>>                 To: lingpanda101 at gmail.com
>>                 CC: samba
>>                 Subject: Re: [Samba] Rights issue on GPO
>>
>>                 @LPH van Belle
>>                 I did try (and still use) "acl_xattr:ignore system
>>                 acls = yes" as shown in the first mail of that thread.
>>                 And even using that, rights errors on GPO files _are_
>>                 an issue. Otherwise that thread wouldn't have been
>>                 opened, of course : )
>>
>>                 Regarding how we decided to work around that almost
>>                 definitively: it was to give every user and group in AD
>>                 some xID, also those in CN=Builtin and CN=Users. We
>>                 also cleaned our idmap.ldb to keep inside only special
>>                 users / groups (such as "local system" / S-1-5-18,
>>                 "guests" / S-1-5-32-546...).
>>                 We also added some rsync to keep idmap.ldb synchronized
>>                 on all our DCs, so that these special items have the
>>                 same mapped xID in case they are used (and so mapped).
>>
>>                 Doing that, the id mapper has no reason to define by
>>                 itself some xID for users and groups contained in AD,
>>                 as they already have some xID.
>>
>>                 Until now it seems to work fine...
>>
>>
>>                 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>
>>                     On 6/22/2016 8:53 AM, mj wrote:
>>
>>
>>                         On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>
>>                             Why is it when I do a getfacl I do not see
>>                             the mapping of BUILTIN like others?
>>
>>                         do you have winbind in /etc/nsswitch.conf?
>>
>>                         mj
>>
>>
>>                     I also thought winbind was only necessary on
>>                     member servers.
>>
>>                     --
>>                     -James
>>
>>
>>
>>                     --
>>                     To unsubscribe from this list go to the following
>>                     URL and read the instructions:
>>                     https://lists.samba.org/mailman/options/samba
>>
>>
>>
>>     If I assign every user a UID and select groups a GID by utilizing
>>     rfc2307 on my DCs, would I still benefit from keeping idmap.ldb
>>     synchronized? I'm thinking XIDs are obsolete at that point?
>>
>>
>> Only users and groups in AD will avoid the id mapper by that workaround. 
>> But there are other accounts ("local system", "guest", "local 
>> administrator"...); all these accounts exist on MS Windows clients, 
>> and so they can all do stuff on Sysvol and so they can all go through 
>> the id mapper.
>>
>> So no. There is no way (for me at least :) to totally avoid the id 
>> mapper, and so you should keep idmap.ldb synched.
>>
>>
>>
>>
>>     --
>>     -James
>>
>>
>>
>>
>
> I'm in the process now of creating a script to sync idmap.ldb. Does 
> anyone have one at the moment? Is it best practice to stop samba 
> before replacing idmap.ldb on the additional DCs? My script will 
> currently watch for any idmap.ldb changes and create a hot backup if a 
> change is detected. It will then send it to the other DCs via rsync. I'm 
> thinking starting and stopping samba isn't ideal during production hours.
>

If you are running Samba >= 4.2.0 with the separate 'winbindd' binary, 
there is no reason to sync idmap.ldb. Syncing idmap was/is only required 
if you use 'winbind' that is built into the 'samba' binary.

Rowland
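A consistency check for the sync the thread discusses, added here as an example (it is not code from the thread, from Samba, or from any of the posters): it dumps the xID that each DC's idmap.ldb holds for the special SIDs Mathias names (S-1-5-18 and S-1-5-32-546) and reports any SID whose mapping differs between two DCs, which is the property the rsync of idmap.ldb is meant to preserve. It assumes the default idmap.ldb path, that ldbsearch is installed, and that the script is copied to and run on each DC; the attribute names objectSid, type and xidNumber are the ones idmap.ldb records carry.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the default Samba AD DC private
# dir and that ldbsearch is available on each DC.
IDMAP_LDB="${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}"
WELL_KNOWN_SIDS="S-1-5-18 S-1-5-32-546"   # local system, guests (from the thread)

# Print one "SID TYPE XID" line per well-known SID present in the local idmap.ldb.
dump_local_xids() {
    for sid in $WELL_KNOWN_SIDS; do
        ldbsearch -H "$IDMAP_LDB" "(objectSid=$sid)" type xidNumber 2>/dev/null |
            awk -v sid="$sid" '/^type:/ {t=$2} /^xidNumber:/ {x=$2}
                               END {if (x != "") print sid, t, x}'
    done
}

# Compare two dump files (DC1, DC2): prints every SID whose type or xID differs
# or that is missing on one side; returns 1 on any difference, 0 if identical.
compare_xid_dumps() {
    awk 'FILENAME == ARGV[1] { dc1[$1] = $2 " " $3; next }
         {
             seen[$1] = 1
             if (!($1 in dc1)) { print "MISSING-ON-DC1", $1; bad = 1 }
             else if (dc1[$1] != $2 " " $3) {
                 print "MISMATCH", $1, "dc1=" dc1[$1], "dc2=" $2 " " $3; bad = 1
             }
         }
         END {
             for (s in dc1) if (!(s in seen)) { print "MISSING-ON-DC2", s; bad = 1 }
             if (bad) exit 1
         }' "$1" "$2"
}

# Usage: on each DC run "./idmap_check.sh dump > dcN.xids", copy the files to
# one host and run "./idmap_check.sh compare dc1.xids dc2.xids".
case "${1:-}" in
    dump)    dump_local_xids ;;
    compare) compare_xid_dumps "$2" "$3" ;;
esac
```

Run the compare step before and after the rsync so that a DC that has already allocated a different xID for one of these accounts is noticed rather than silently overwritten.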