[Samba] Rights issue on GPO
Rowland penny
rpenny at samba.org
Sat Jun 25 08:24:27 UTC 2016
On 24/06/16 22:08, Achim Gottinger wrote:
>
>
> On 24.06.2016 at 22:35, Achim Gottinger wrote:
>>
>>
>> On 24.06.2016 at 21:24, Rowland penny wrote:
>>> On 24/06/16 19:47, lingpanda101 at gmail.com wrote:
>>>> On 6/24/2016 11:40 AM, mathias dufresne wrote:
>>>>>
>>>>>
>>>>> 2016-06-24 15:24 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>>>>
>>>>> On 6/22/2016 12:21 PM, mathias dufresne wrote:
>>>>>
>>>>> 2016-06-22 16:37 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>>>
>>>>> @Mathias,
>>>>>
>>>>> Pretty strange then, running some years like this without any problem.
>>>>> Yes, we had a few problems with "rights" in sysvol, but I fixed this all
>>>>> outside Linux, and with that I mean: changed rights from within Windows,
>>>>> or added registry changes or patches, or a local clean-up of the policies.
>>>>>
>>>>> At the install of my DC2 I also synced the idmap.ldb, and then did a
>>>>> net idmap flush on both servers to bring both my DCs in sync.
>>>>> And I keep it in sync with my rsync/unison setup.
>>>>>
>>>>> All newly added, but I'll also keep an eye on this and I'll recheck my logs.
>>>>> But I don't think I'll find anything here.
>>>>> I'll keep notice of your "workaround".
>>>>>
>>>>> Which backend are you using, Mathias?
>>>>> Mine : (idmap config NTDOMAIN : backend = ad)
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>> OK, you keep idmap.ldb synched; that's what I missed until a few days ago,
>>>>> and it was the reason that it was not working.
>>>>> Our choice to give each user and group in AD some xID is only to
>>>>> avoid usage of mapping. I expect the synchronization of idmap.ldb (if done
>>>>> often enough) would be sufficient. But I don't always like magic : )
>>>>>
>>>>> Thank you for the precisions!
>>>>>
>>>>>
>>>>> Cheers all
>>>>>
>>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
>>>>> Sent: Wednesday 22 June 2016 15:31
>>>>> To: lingpanda101 at gmail.com
>>>>> CC: samba
>>>>> Subject: Re: [Samba] Rights issue on GPO
>>>>>
>>>>> @LPH van Belle
>>>>> I did try (and still use) "acl_xattr:ignore system acls = yes" as shown
>>>>> in the first mail of that thread. And even using that, rights errors on
>>>>> GPO files _are_ an issue. Otherwise that thread wouldn't have been
>>>>> opened, of course : )
>>>>>
>>>>> Regarding how we decided to work around that almost definitively: it was
>>>>> to give every user and group in AD some xID, also those in CN=Builtin and
>>>>> CN=Users. We also cleaned our idmap.ldb to keep inside only special
>>>>> users / groups (such as "local system" / S-1-5-18, "guests" /
>>>>> S-1-5-32-546...).
>>>>> We also added some rsync to keep idmap.ldb synchronized on all our DCs,
>>>>> so that these special items have the same mapped xID in case they are
>>>>> used (and so mapped).
>>>>>
>>>>> Doing that, the id mapper has no reason to define by itself some xID for
>>>>> users and groups contained in AD, as they already have some xID.
>>>>>
>>>>> Until now it seems to work fine...
>>>>>
>>>>>
>>>>> 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>>>>
>>>>> On 6/22/2016 8:53 AM, mj wrote:
>>>>>
>>>>>
>>>>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>>>>
>>>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN
>>>>> like the others?
>>>>>
>>>>> do you have winbind in /etc/nsswitch.conf?
>>>>>
>>>>> mj
>>>>>
>>>>>
>>>>> I also thought winbind was only necessary on
>>>>> member servers.
>>>>>
>>>>> --
>>>>> -James
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> To unsubscribe from this list go to the following
>>>>> URL and read the
>>>>> instructions:
>>>>> https://lists.samba.org/mailman/options/samba
>>>>>
>>>>>
>>>>>
>>>>> If I assign every user a UID and select groups a GID by utilizing
>>>>> rfc2307 on my DCs, would I still benefit from keeping idmap.ldb
>>>>> synchronized? I'm thinking XIDs are obsolete at that point?
>>>>>
>>>>>
>>>>> Only users and groups in AD will avoid the id mapper by that
>>>>> workaround. But there are other accounts ("local system",
>>>>> "guest", "local administrator"...); all these accounts exist on MS
>>>>> Windows clients, and so they can all do stuff on Sysvol and so
>>>>> they can all go through the id mapper.
>>>>>
>>>>> So no. There is no way (for me at least :) to totally avoid the id mapper
>>>>> and so you should keep idmap.ldb synched.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> -- -James
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> I'm in the process now of creating a script to sync idmap.ldb. Does
>>>> anyone have one at the moment? Is it best practice to stop samba
>>>> before replacing idmap.ldb on the additional DCs? My script will
>>>> currently watch for any idmap.ldb changes and create a hot backup
>>>> if a change is detected. It will then send it to the other DCs via
>>>> rsync. I'm thinking starting and stopping samba isn't ideal during
>>>> production hours.
>>>>
>>>
>>> If you are running Samba >= 4.2.0 with the separate 'winbindd'
>>> binary, there is no reason to sync idmap.ldb. Syncing idmap was/is
>>> only required if you use 'winbind' that is built into the 'samba'
>>> binary.
>>>
>>> Rowland
>>>
>>>
>> Hello Rowland,
>>
>> If you take a look at your sysvol rights there are two still
>> unresolved groups, SECURITY\Local System and SECURITY\Authenticated
>> Users. These show up with gids from idmap.ldb in the acl list and
>> therefore cannot be mapped during rsync. So at least these two
>> groups need identical mapping on all DCs. It is however not
>> necessary to keep idmap in sync as long as no other security groups
>> are used.
>>
>> achim~
>>
> To be more specific, the groups belonging to "WellKnown Security
> Principals" are not mapped. I called them security groups above.
> See here for a list:
> https://technet.microsoft.com/en-us/library/dn617202(v=ws.11).aspx#BKMK_AuthenticatedUser
>
>
I know all of the above, and you seem to be using fixes that had to be
used with a Samba 4 AD DC that used the 'winbind' part of the 'samba'
binary.
When Samba 4.2.0 came out, 'winbind' was replaced with the separate
'winbindd' binary (the same one used on a domain member). This means
that, even though an AD object may be mapped to a number, the DC knows
what AD object that is.
This means you do not need to sync idmap.ldb between DCs if you use
Samba >= 4.2.0 with the separate 'winbindd' binary.
Rowland
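A check for Achim's point about the well-known SIDs, added here as an example (not code from the thread or from Samba): it compares the xIDs that two DCs' idmap.ldb files assign to those SIDs, reading LDIF dumps saved on each DC with ldbsearch against idmap.ldb in Samba's private directory (path assumed to be /var/lib/samba/private/idmap.ldb; it depends on the build). The dumps below are constructed.

```python
import re

# Well-known SIDs are not AD objects, so on a DC they always go through
# idmap.ldb; the two the thread names are Local System and Authenticated Users.
WELL_KNOWN = {"S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-546": "Guests"}

ATTR = re.compile(r"^(\w+): (.*)$")  # base64-valued lines ('attr:: ...') are skipped


def parse_idmap_ldif(text):
    """Map objectSid -> xidNumber from the LDIF that ldbsearch prints for idmap.ldb."""
    mappings = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(m.groups() for m in map(ATTR.match, record.splitlines()) if m)
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mappings


def idmap_mismatches(ldif_a, ldif_b, sids=WELL_KNOWN):
    """Return {sid: (xid_on_a, xid_on_b)} for each SID in `sids` whose xID differs.
    None means that DC has no entry yet, so winbind would allocate one on first use."""
    a, b = parse_idmap_ldif(ldif_a), parse_idmap_ldif(ldif_b)
    return {sid: (a.get(sid), b.get(sid)) for sid in sids if a.get(sid) != b.get(sid)}


# Constructed sample dumps (not real data): DC2 allocated a different xID for
# S-1-5-11, so Authenticated Users ACEs in sysvol would not survive an rsync.
DC1_LDIF = """\
dn: CN=S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000001
"""
DC2_LDIF = DC1_LDIF.replace("xidNumber: 3000001", "xidNumber: 3000005")

if __name__ == "__main__":
    for sid, (x1, x2) in idmap_mismatches(DC1_LDIF, DC2_LDIF).items():
        print(f"{WELL_KNOWN[sid]} ({sid}): dc1={x1} dc2={x2}")
```

Any SID reported here will carry a different numeric owner or group in the sysvol ACLs of the two DCs, which is exactly what an rsync of sysvol cannot translate.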