[Samba] Rights issue on GPO
Achim Gottinger
achim at ag-web.biz
Fri Jun 24 21:08:12 UTC 2016
On 24.06.2016 at 22:35, Achim Gottinger wrote:
>
>
> On 24.06.2016 at 21:24, Rowland penny wrote:
>> On 24/06/16 19:47, lingpanda101 at gmail.com wrote:
>>> On 6/24/2016 11:40 AM, mathias dufresne wrote:
>>>>
>>>>
>>>> 2016-06-24 15:24 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>>>
>>>> On 6/22/2016 12:21 PM, mathias dufresne wrote:
>>>>
>>>> 2016-06-22 16:37 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>
>>>> @Mathias,
>>>>
>>>> Pretty strange then, running some years like this without any problem.
>>>> Yes, we had a few problems with "rights" in sysvol, but I fixed this all
>>>> outside Linux, and with that I mean: changed rights from within Windows,
>>>> or added registry changes or patches, or a local clean-up of the policies.
>>>>
>>>> At the install of my DC2 I also synced the idmap.ldb, and then a
>>>> net idmap flush on both servers to get both my DCs in sync.
>>>> And I keep it in sync with my rsync/unison setup.
>>>>
>>>> All newly added, but I'll keep an eye on this too and I'll recheck my logs.
>>>> But I don't think I'll find anything here.
>>>> I'll keep notice of your "workaround".
>>>>
>>>> Which backend are you using, Mathias?
>>>> Mine: (idmap config NTDOMAIN : backend = ad)
>>>>
>>>>
>>>> Gr.
>>>>
>>>> Louis
>>>>
>>>>
>>>> OK, you keep idmap.ldb synched; that's what I missed until a few days
>>>> ago and was the reason it was not working.
>>>> Our choice to give each user and group in AD some xID is only to
>>>> avoid usage of mapping. I expect the synchronization of idmap.ldb (if
>>>> done often enough) would be sufficient. But I don't always like magic :)
>>>>
>>>> Thank you for the precisions!
>>>>
>>>>
>>>> Cheers all
>>>>
>>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias
>>>> dufresne
>>>> Sent: Wednesday 22 June 2016 15:31
>>>> To: lingpanda101 at gmail.com
>>>> CC: samba
>>>> Subject: Re: [Samba] Rights issue on GPO
>>>>
>>>> @LPH van Belle
>>>> I did try (and still use) "acl_xattr:ignore system acls = yes" as shown
>>>> on the first mail of that thread. And even using that, rights errors on
>>>> GPO files _are_ an issue. Otherwise that thread wouldn't have been opened,
>>>> of course :)
>>>>
>>>> Regarding how we decided to work around it almost definitively, that was
>>>> to give every user and group in AD some xID, also those in CN=Builtin and
>>>> CN=Users. We also cleaned our idmap.ldb to keep inside only special
>>>> users/groups (as "local system" / S-1-5-18, "guests" / S-1-5-32-546...).
>>>> We also added some rsync to keep idmap.ldb synchronized on all our DCs,
>>>> so that these special items have the same mapped xID in case they are
>>>> used (and so mapped).
>>>>
>>>> Doing that, the id mapper has no reason to define by itself some xID for
>>>> users and groups contained in AD, as they already have some xID.
>>>>
>>>> Until now it seems to work fine...
>>>>
>>>>
>>>> 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>>>
>>>> On 6/22/2016 8:53 AM, mj wrote:
>>>>
>>>>
>>>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>>>
>>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
>>>> others?
>>>>
>>>> do you have winbind in /etc/nsswitch.conf?
>>>>
>>>> mj
>>>>
>>>>
>>>> I also thought winbind was only necessary on
>>>> member servers.
>>>>
>>>> --
>>>> -James
>>>>
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following
>>>> URL and read the
>>>> instructions:
>>>> https://lists.samba.org/mailman/options/samba
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If I assign every user a UID and select groups a GID by utilizing
>>>> rfc2307 on my DCs, would I still benefit from keeping idmap.ldb
>>>> synchronized? I'm thinking XIDs are obsolete at that point?
>>>>
>>>>
>>>> Only users and groups in AD will avoid the id mapper by that
>>>> workaround. But there are other accounts ("local system", "guest",
>>>> "local administrator"...); all these accounts exist on MS Windows
>>>> clients, and so they can all do stuff on Sysvol and so they can all
>>>> go through the id mapper.
>>>>
>>>> So no. There's no way (for me at least :) to totally avoid the id mapper,
>>>> and so you should keep idmap.ldb synched.
>>>>
>>>>
>>>>
>>>>
>>>> -- -James
>>>>
>>>>
>>>>
>>>>
>>>
>>> I'm in the process now of creating a script to sync idmap.ldb. Does
>>> anyone have one at the moment? Is it best practice to stop samba
>>> before replacing idmap.ldb on the additional DCs? My script will
>>> currently watch for any idmap.ldb changes and create a hot backup if
>>> a change is detected. It will then send it to the other DCs via rsync.
>>> I'm thinking starting and stopping samba isn't ideal during
>>> production hours.
>>>
>>
>> If you are running Samba >= 4.2.0 with the separate 'winbindd'
>> binary, there is no reason to sync idmap.ldb. Syncing idmap was/is
>> only required if you use 'winbind' that is built into the 'samba'
>> binary.
>>
>> Rowland
>>
>>
> Hello Rowland,
>
> If you take a look at your sysvol rights there are two still
> unresolved groups, SECURITY\Local System and SECURITY\Authenticated
> Users. These show up with GIDs from idmap.ldb in the ACL list and
> therefore cannot be mapped during rsync. So at least these two groups
> need identical mapping on all DCs. It is however not necessary to
> keep idmap in sync as long as no other security groups are used.
>
> achim~
>
To be more specific, the groups belonging to "WellKnown Security
Principals" are not mapped. I called them security groups above.
See here for a list:
https://technet.microsoft.com/en-us/library/dn617202(v=ws.11).aspx#BKMK_AuthenticatedUser
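Achim's point above is that these well-known SIDs are mapped only in idmap.ldb, so their numeric IDs must agree on every DC before sysvol ACLs can survive an rsync. As an added example (not code from this thread or from the Samba project), the script below parses ldbsearch output from each DC's idmap.ldb and reports well-known SIDs whose xidNumber differs; the idmap.ldb path and the DC names are assumptions, and the sample output is constructed.

```python
import re

# Well-known SIDs whose numeric ID must agree on every DC before sysvol is
# rsynced: the two named in the thread plus Guests, mentioned earlier in it.
WELL_KNOWN = {"S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-546": "Guests"}

def parse_idmap_ldif(ldif):
    """Turn ldbsearch LDIF output into {objectSid: (xidNumber, type)}. Produce it on
    each DC with (path assumed for a distro package build of Samba):
    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=*)' objectSid xidNumber type"""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # "# record N" / "# returned N records" lines
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = (int(attrs["xidNumber"]), attrs.get("type", ""))
    return mapping

def find_mismatches(per_dc, sids=WELL_KNOWN):
    """per_dc maps DC name -> parsed mapping. Returns [(sid, {dc: xid})] for every
    SID whose xidNumber differs between DCs; None marks a DC with no entry."""
    bad = []
    for sid in sids:
        seen = {dc: m.get(sid, (None, None))[0] for dc, m in per_dc.items()}
        if len(set(seen.values())) > 1:
            bad.append((sid, seen))
    return bad

# Constructed sample output (not captured from a real DC). dc2 was provisioned
# separately and handed Authenticated Users a different xidNumber than dc1.
SAMPLE_DC1 = """dn: CN=S-1-5-18
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-11
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000001

# returned 2 records
"""
SAMPLE_DC2 = SAMPLE_DC1.replace("xidNumber: 3000001", "xidNumber: 3000017")
```

Run parse_idmap_ldif on each DC's saved ldbsearch output and pass the dict of results to find_mismatches; on the constructed sample it reports S-1-5-11 (Authenticated Users) as differing between dc1 and dc2.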