[Samba] Rights issue on GPO

Achim Gottinger achim at ag-web.biz
Thu Jun 30 10:33:42 UTC 2016

On 30.06.2016 at 12:00, mathias dufresne wrote:
> Sorry to ask that but this thread is quite long and that makes
> understanding difficult, at least to me. What is the status of all that? I
> believe at one moment it was written that using winbindd is the solution, that with
> winbindd instead of winbind we don't need to synchronize idmap.ldb to get
> GPOs working well even with numerous DCs.
> Please do answer by "yes" or "no". If you reply, any of you, I'd like a
> clear résumé of all that. I understand that request would need time to be
> written, more than answering yes or no, and I would understand if no one
> wants to take that time.
> 2016-06-29 17:10 GMT+02:00 Rowland penny <rpenny at samba.org>:
Hello Matthias,

With the switch from winbind to winbindd, libnss-winbind is able to 
resolve BUILTIN groups/users to proper names and not just gids.
For the sysvol folder, besides BUILTIN groups, "Well known security 
principal" groups are also used; these do not resolve to names, and no 
gids or uids can be assigned to them, unlike normal domain groups.
There is also a problem with the rsync method described in the Samba 
wiki: user and group mapping does not work at all, even for normal 
groups in /etc/group with different gids on different servers. Rsync 
always simply copies the gids (uids). A workaround is to use rsync via 
ssh (rsync -XAavz -e ssh root at dc1:/var/lib/samba/sysvol/ 
But for the sysvol share this will only map the builtin groups correctly.
For GPOs the access rights are stored in the Active Directory tree 
using the groups' SIDs. If you run "samba-tool ntacl sysvolreset" on the 
server you synced sysvol to, the rights stored in the AD tree are 
applied to the sysvol share's POSIX ACLs with the help of the local 
idmap.ldb, so this will assign the correct ACLs for the "Well known 
security principal" groups as well, because the SID->gid/uid mappings 
stored in the local idmap.ldb are now used. This also works if 
winbind is/was used instead of winbindd.
To get rid of either syncing idmap.ldb or running "samba-tool ntacl 
sysvolreset" on each DC after rsync, the "Well known security principal" 
groups must resolve to names like the BUILTIN groups do. I filed an 
enhancement request for that.

Hope that clarifies things,
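The procedure described in the mail above (rsync sysvol from another DC over ssh, then run "samba-tool ntacl sysvolreset" on the receiving DC and check the result), written out as an added shell example. This is not code from the original mail or from the Samba project; the host name dc1, root ssh access between the DCs, and the Debian/Ubuntu sysvol path are assumptions, and the DRY_RUN switch exists only so the script can be exercised without touching a real DC.

```shell
#!/bin/sh
# Added example, not code from the original mail or from the Samba project:
# pull sysvol from another DC over ssh, then have samba-tool rebuild the
# POSIX ACLs from the ACLs stored in AD, so SIDs such as the "Well known
# security principal" groups are mapped through the local idmap.ldb.
# Assumptions: "dc1" and root ssh access are placeholders, and the sysvol
# path below is the Debian/Ubuntu default (override with SYSVOL_DIR).
# Set DRY_RUN=1 to print the commands instead of executing them.

SYSVOL_DIR="${SYSVOL_DIR:-/var/lib/samba/sysvol}"

# Execute a command, or echo it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: sysvol_sync <source-dc>
sysvol_sync() {
    src_host="$1"
    if [ -z "$src_host" ]; then
        echo "usage: sysvol_sync <source-dc>" >&2
        return 2
    fi
    if [ -z "${DRY_RUN:-}" ] && ! command -v samba-tool >/dev/null 2>&1; then
        echo "samba-tool not found; run this on a Samba AD DC" >&2
        return 1
    fi
    # -a keeps modes and times, -A/-X carry POSIX ACLs and the xattrs Samba
    # stores the NT ACL in, -e ssh is the transport. Trailing slashes sync the
    # directory contents rather than creating sysvol/sysvol on the target.
    run rsync -XAavz -e ssh "root@${src_host}:${SYSVOL_DIR}/" "${SYSVOL_DIR}/" || return 1
    # Reapply the ACLs stored on the GPO objects in AD to the local tree; this
    # is the step that maps SIDs with the local idmap.ldb instead of trusting
    # whatever uids/gids rsync carried over from the source DC.
    run samba-tool ntacl sysvolreset || return 1
    # Report any file whose POSIX ACL still disagrees with the AD-stored ACL.
    run samba-tool ntacl sysvolcheck
}

# When executed (not sourced) with a host argument, run the procedure.
if [ -n "${1:-}" ]; then
    sysvol_sync "$1"
fi
```

Run it on the DC that should receive sysvol, e.g. "sh sysvol_sync.sh dc1"; the sysvolcheck at the end is the test that the reset actually produced ACLs matching what is stored in AD, which is what the mail relies on for the "Well known security principal" groups.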
