[Samba] Rights issue on GPO
achim at ag-web.biz
Thu Jun 30 10:33:42 UTC 2016
On 30.06.2016 at 12:00, mathias dufresne wrote:
> Sorry to ask that but this thread is quite long and that makes
> understanding difficult, at least to me. What is the status of all that? I
> believe at one moment it was written that using winbindd is the solution, that with
> winbindd instead of winbind we don't need to synchronize idmap.ldb to get
> GPOs working well even with numerous DCs.
> Please do answer by "yes" or "no". If you reply, any of you, I'd like a
> clear résumé of all that. I understand that request would need time to be
> written, more than answering yes or no, and I would understand if no one
> wants to take that time.
> 2016-06-29 17:10 GMT+02:00 Rowland penny <rpenny at samba.org>:
With the switch from winbind to winbindd, libnss-winbind is able to
resolve BUILTIN groups/users to proper names and not just gids.
For the sysvol folder, besides BUILTIN groups, "Well known security
principal groups" are also used; these do not resolve to names, and no
gids/uids can be assigned to them, unlike normal domain groups.
There is also a problem with the rsync method described in the Samba
wiki: user and group mapping does not work at all, even for normal
groups in /etc/group with different gids on different servers. Rsync
always simply copies the gids (uids). A workaround is to use rsync via
ssh (rsync -XAavz -e ssh root at dc1:/var/lib/samba/sysvol/
But for the sysvol share this will only map the builtin groups correctly.
For GPOs the access rights are stored in the Active Directory tree
using the groups' SIDs. If you run "samba-tool ntacl sysvolreset" on the
server you synced sysvol to, the rights stored in the AD tree are
applied to the sysvol share's POSIX ACLs with the help of the local
idmap.ldb, so this will assign the correct ACLs for the "Well known
security principal groups" as well, because the sid->gid/uid mappings
stored in the local idmap.ldb are now used. This also works if
winbind is/was used instead of winbindd.
To get rid of either syncing idmap.ldb or running "samba-tool ntacl
sysvolreset" on each DC after rsync, the "Well known security principal
groups" must resolve to names like the BUILTIN groups. I filed an
enhancement request for that.
Hope that clarifies things,
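A small check for the symptom described in the message above (an added example, not code from the post or from the Samba project): it parses `getfacl` output captured from two DCs and lists ACL entries that could only be printed as bare numeric uids/gids, plus entries that differ between the DCs, which is what to inspect after an rsync before deciding whether `samba-tool ntacl sysvolreset` is needed on the receiving DC. The getfacl text, host names and ids are constructed.

```python
from typing import List, Tuple

# (tag, qualifier, perms, is_default); qualifier is "" for owner/mask/other.
Entry = Tuple[str, str, str, bool]

# Constructed `getfacl` output for the sysvol directory on two DCs
# (hypothetical ids and names, not captured from a real system). dc2
# received the directory via a plain rsync that copied raw numeric gids.
DC1_GETFACL = """\
# file: var/lib/samba/sysvol
# owner: root
# group: root
user::rwx
user:root:rwx
group::rwx
group:BUILTIN\\administrators:rwx
group:3000002:r-x
mask::rwx
other::---
"""
DC2_GETFACL = DC1_GETFACL.replace("group:BUILTIN\\administrators:rwx",
                                  "group:3000001:rwx")

def parse_getfacl(text: str) -> List[Entry]:
    """Parse getfacl(1) text into ACL entries, skipping the '#' header."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.split("\t#", 1)[0].strip()  # drop "#effective:" notes
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, perms, is_default))
    return entries

def unmapped_ids(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Named entries getfacl could only print as a bare uid/gid: nss has no
    name for the id (a well-known security principal, or an id copied from
    another DC's idmap.ldb by rsync), so these need a closer look."""
    return [(tag, q) for tag, q, _, _ in entries if q and q.isdigit()]

def acl_diff(a: List[Entry], b: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Entries present on one DC but not on the other."""
    sa, sb = set(a), set(b)
    return sorted(sa - sb), sorted(sb - sa)
```

Feed it the real `getfacl` output of the same path on each DC; any numeric qualifier that is not a well-known principal, or any entry that differs between DCs, means the copied ACL does not match what the AD tree holds.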