[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

Rowland Penny rpenny at samba.org
Sat Jan 14 18:04:42 UTC 2017

On Sat, 14 Jan 2017 17:09:47 +0000
Jonathan Hunter via samba <samba at lists.samba.org> wrote:

> Hi All,
> Trying to avoid making this into a "Me too" response :) but this is
> the single largest issue I have with Samba at the moment, I've
> struggled with this for literally years, both before I switched to
> rfc2307 (which did help in many areas) and since switching. I am
> following this thread with great interest, in the hope that I can get
> my GPOs working, too.
> Currently I've hit a different issue (Samba bug ID 12363) that has
> stopped me from being able to debug this further; but suffice to say -
> I feel your pain.
> I am particularly interested in the interaction between giving 'Domain
> Users' its own GID, and having GPOs stored in sysvol on the DCs, which
> is historically the place that has the most trouble with user mappings
> etc. (that is why I initially switched to rfc2307, and subsequently
> demoted my main file server from being a DC, also)

If you only have Samba AD DCs and Windows clients, you do not need to
give any group a gidNumber. It is only when you throw Unix domain
members into the mix AND use the winbind 'ad' backend that you need
to give Domain Users a gidNumber.

> If we don't give built-in groups their own UID/GID though, then how do
> we ensure consistency between multiple DCs and also member
> fileservers? This is probably the area of samba I'm least expert on
> (uids, XIDs, rfc2307, idmap, file servers vs DCs, etc..)

Samba AD DCs use idmap.ldb to store the mappings between SIDs and
xidNumbers; the numbers are always in the '3000000' range. They are
also allocated on a first-come basis: when a user or group first
contacts a Samba DC it is allocated the next xidNumber, which is why
you are not guaranteed to get the same ID number on every DC. This is
not a problem, however, as each DC knows the xidNumber for the group. So
if you rsync sysvol between DCs and then run sysvolreset, the correct
xidNumber for that DC will be set. You can also copy idmap.ldb between
DCs, but I don't see the point.

The only way to get consistent IDs for the users and groups that matter
is to use the winbind 'ad' backend. This means giving users a unique
uidNumber and Domain Users a gidNumber. These numbers will be used on
DCs instead of the xidNumbers, and on Unix domain members provided that
the 'idmap config' lines are set up correctly.
This is what I use on domain members:

    # Default domain: BUILTIN and well-known SIDs, IDs allocated locally
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    # IDs for the AD domain come from the uidNumber/gidNumber attributes
    # stored in AD (rfc2307); the two ranges may not overlap!
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999

The '*' range is for the well-known SIDs (Domain Admins,
Administrators etc.).
The 'SAMDOM' range is for the DOMAIN users & groups that you create,
and Domain Users.

It doesn't really matter what ID the well known SIDs get, as long as the
Unix machine knows which SID the ID belongs to.

Hope this helps, but feel free to ask questions.
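The two rules in the reply above (every idmap domain needs a backend and a range, and the '*' range and the domain range must not overlap) are easy to get wrong by hand. The following is an added example, not code from the post or from the Samba project: a small Python checker that parses the 'idmap config' lines out of an smb.conf text and reports the problems a member server would otherwise only show as unmapped owners. The sample configurations are constructed here from the fragment in the post; SAMDOM and the realm are placeholders, not a real domain. It also answers the debugging question "which range does this uid belong to?", which is what you ask when a file copied from a DC shows up owned by a 3000000-range number.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample smb.conf for a Unix domain member, modelled on the
# idmap lines in the post. SAMDOM / SAMDOM.EXAMPLE.COM are placeholders.
MEMBER_SMB_CONF = """\
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    security = ADS

    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : schema_mode = rfc2307
    idmap config SAMDOM : range = 10000-999999
"""

# The same fragment with a classic mistake: the domain range overlaps '*'.
OVERLAPPING_SMB_CONF = MEMBER_SMB_CONF.replace("10000-999999", "5000-999999")

# 'idmap config <domain> : <option> = <value>'; spacing around ':' is not significant.
IDMAP_LINE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>\S+)\s*:\s*(?P<opt>[A-Za-z_]+)\s*=\s*(?P<val>.*?)\s*$",
    re.IGNORECASE,
)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {domain: {option: value}} for every idmap config line in conf."""
    result: Dict[str, Dict[str, str]] = {}
    for line in conf.splitlines():
        m = IDMAP_LINE.match(line)
        if m:
            dom = m.group("dom").upper()
            result.setdefault(dom, {})[m.group("opt").lower()] = m.group("val")
    return result


def parse_range(text: str) -> Tuple[int, int]:
    """Parse 'LOW-HIGH' into ints, rejecting a malformed or reversed range."""
    parts = text.split("-")
    if len(parts) != 2:
        raise ValueError(f"malformed range {text!r}")
    low, high = int(parts[0]), int(parts[1])
    if low > high:
        raise ValueError(f"reversed range {text!r}")
    return low, high


def check_idmap(conf: str) -> List[str]:
    """Return a list of problems; an empty list means the idmap layout is sane."""
    problems: List[str] = []
    cfg = parse_idmap(conf)
    if "*" not in cfg:
        problems.append("missing 'idmap config *' default domain (needed for BUILTIN and well-known SIDs)")
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in cfg.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        if "range" not in opts:
            problems.append(f"{dom}: no range configured")
            continue
        try:
            ranges[dom] = parse_range(opts["range"])
        except ValueError as exc:
            problems.append(f"{dom}: {exc}")
    # Ranges must not overlap: sort by low end and compare each with its predecessor.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1][0])
    for (prev_dom, (_, prev_high)), (dom, (low, _)) in zip(ordered, ordered[1:]):
        if low <= prev_high:
            problems.append(f"range of {dom} overlaps range of {prev_dom}")
    return problems


def owning_domain(conf: str, xid: int) -> Optional[str]:
    """Name the configured idmap domain whose range contains xid, or None."""
    for dom, opts in parse_idmap(conf).items():
        if "range" in opts:
            low, high = parse_range(opts["range"])
            if low <= xid <= high:
                return dom
    return None


if __name__ == "__main__":
    for name, conf in (("member", MEMBER_SMB_CONF), ("overlapping", OVERLAPPING_SMB_CONF)):
        print(name, check_idmap(conf) or "OK")
    # A 3000000-range number is a DC xidNumber from idmap.ldb; no member range owns it.
    print(owning_domain(MEMBER_SMB_CONF, 3000012))
```

Run it against a copy of the member's smb.conf before joining; an ID that `owning_domain` reports as owned by no domain is exactly the case the reply describes, a DC-local xidNumber that has leaked onto a member via a file copy. This is a pre-check only; still run Samba's own `testparm` on the real file.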
