[Samba] Rights issue on GPO

mathias dufresne infractory at gmail.com
Thu Jun 30 13:02:44 UTC 2016

Hi Achim,

Thank you, yes that clarifies things.

So until there is a feature to get user names resolved also for security
accounts (local system, authenticated users, everyone... those described here:
https://support.microsoft.com/en-us/kb/243330), there is no way to be sure
rights are the same on all DCs except to synchronize idmap.ldb. Clear enough : )

2016-06-30 12:33 GMT+02:00 Achim Gottinger <achim at ag-web.biz>:

> Am 30.06.2016 um 12:00 schrieb mathias dufresne:
>> Sorry to ask that but this thread is quite long and that makes
>> understanding difficult, at least to me. What is the status of all that? I
>> believe at one moment it was written that using winbindd is the solution,
>> that with winbindd instead of winbind we don't need to synchronize
>> idmap.ldb to get GPOs working well even with numerous DCs.
>> Please do answer by "yes" or "no". If you reply, any of you, I'd like a
>> clear résumé of all that. I understand that request would need time to be
>> written, more than answering yes or no, and I would understand if no one
>> wants to take that time.
>> 2016-06-29 17:10 GMT+02:00 Rowland penny <rpenny at samba.org>:
>> Hello Matthias,
> With the switch from winbind to winbindd, libnss-winbind is able to resolve
> BUILTIN groups/users to proper names and not just gids.
> For the sysvol folder, besides BUILTIN groups, "Well known security
> principal groups" are also used; these do not resolve to names, and no gids
> or uids can be assigned to them, unlike normal domain groups.
> There is also a problem with the rsync method described in the samba
> wiki: user and group mapping does not work at all, even for normal groups
> in /etc/group with different gids on different servers. Rsync always
> simply copies the gids (uids). A workaround is to use rsync via ssh
> (rsync -XAavz -e ssh root@dc1:/var/lib/samba/sysvol/
> /var/lib/samba/sysvol/).
> But for the sysvol share this will only map the BUILTIN groups correctly.
> For GPOs the access rights are stored in the Active Directory tree using
> the groups' SIDs. If you run "samba-tool ntacl sysvolreset" on the server
> you synced sysvol to, the rights stored in the AD tree are applied to the
> sysvol share's POSIX ACLs with the help of the local idmap.ldb, so this will
> assign the correct ACLs for the "Well known security principal groups" as
> well, because the SID->gid/uid mappings stored in the local idmap.ldb are
> now used. This also works if winbind is/was used instead of winbindd.
> To get rid of either syncing idmap.ldb or running "samba-tool ntacl
> sysvolreset" on each DC after rsync, the "Well known security principal
> groups" must resolve to names like the BUILTIN groups. I filed an
> enhancement request for that:
> https://bugzilla.samba.org/show_bug.cgi?id=11997
> Hope that clarifies things,
> achim~
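The procedure Achim describes above (rsync the sysvol tree over ssh, then run `samba-tool ntacl sysvolreset` on the receiving DC so the POSIX ACLs are re-derived from AD through that DC's own idmap.ldb) as a small POSIX shell script. This is an added example, not code from the thread or from the Samba project. It assumes rsync, ssh and samba-tool are on PATH, root ssh access from each receiving DC to the source DC, and the default sysvol path; it also adds a `samba-tool ntacl sysvolcheck` run, which is a real samba-tool subcommand but is not mentioned in the thread. The `SYSVOL_DRY_RUN` / `SYSVOL_SOURCE_DC` variables and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: pull sysvol from a
# source DC over ssh, then re-derive this DC's POSIX ACLs from the ACLs that
# AD stores for each GPO, so "well known security principal" entries are
# mapped through the *local* idmap.ldb instead of arriving as foreign gids.
# Assumed: rsync, ssh and samba-tool on PATH; root ssh access to the source
# DC; default sysvol location. Set SYSVOL_DRY_RUN=1 to print the commands
# instead of executing them (used for offline testing).

SYSVOL_PATH="${SYSVOL_PATH:-/var/lib/samba/sysvol/}"

# Execute a command, or only print it when SYSVOL_DRY_RUN is set.
run() {
    if [ -n "${SYSVOL_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1 (from the thread): rsync over ssh. rsync's default, without
# --numeric-ids, is to map owner and group by *name* on the receiving side,
# which is what lets BUILTIN groups resolved by libnss-winbind land on the
# right local gid even when the numeric gid differs between DCs.
sysvol_rsync() {
    # $1 = hostname of the DC to copy from
    run rsync -XAavz -e ssh "root@$1:$SYSVOL_PATH" "$SYSVOL_PATH"
}

# Step 2 (from the thread): re-apply the ACLs stored in AD to the local
# sysvol through this DC's idmap.ldb, so principals that never resolve to a
# name still get this DC's uid/gid for them.
sysvol_reset() {
    run samba-tool ntacl sysvolreset
}

# Step 3 (added check, not in the thread): have samba-tool compare the
# on-disk ACLs with the ones AD expects; a non-zero exit means the reset
# did not leave sysvol consistent and this DC needs attention.
sysvol_check() {
    run samba-tool ntacl sysvolcheck
}

# Full pull: each step only runs if the previous one succeeded.
sysvol_pull() {
    sysvol_rsync "$1" && sysvol_reset && sysvol_check
}

# Run on every DC that is *not* the source, e.g. from cron:
#   SYSVOL_SOURCE_DC=dc1 /usr/local/sbin/sync_sysvol.sh
if [ -n "${SYSVOL_SOURCE_DC:-}" ]; then
    sysvol_pull "$SYSVOL_SOURCE_DC"
fi
```

Because `sysvolreset` rewrites the POSIX ACLs from the SIDs in AD, the script has to run on each DC that received the copy; running it only on the source does nothing for the others, which is exactly the point made in the thread.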
