[Samba] Samba 4.5.3 AD DC - issues with sysvol when setting up Group Policies

Jonathan Hunter jmhunter1 at gmail.com
Mon Jan 16 00:38:27 UTC 2017 

Thank you Rowland, that was indeed a good explanation and helped me
get further along with this.

I realised that my DCs didn't have winbind correctly configured
(either in nsswitch.conf or via nss winbind links), which explains
some of the issues I was having :) so many thanks for your prompting
here. It has helped, even though I'm separately still stuck with bug
12363 for the moment.

(I've also updated the wiki page for libnss/winbind by adding debian
on raspberry pi - might hopefully help someone in the future)

On 14 January 2017 at 18:04, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> On Sat, 14 Jan 2017 17:09:47 +0000
> Jonathan Hunter via samba <samba at lists.samba.org> wrote:
>
>> Hi All,
>>
>> Trying to avoid making this into a "Me too" response :) but this is
>> the single largest issue I have with Samba at the moment, I've
>> struggled with this for literally years, both before I switched to
>> rfc2307 (which did help in many areas) and since switching. I am
>> following this thread with great interest, in the hope that I can get
>> my GPOs working, too.
>>
>> Currently I've hit a different issue (Samba bug ID 12363) that has
>> stopped me from being able to debug this further; but suffice to say -
>> I feel your pain.
>>
>> I am particularly interested in the interaction between giving 'Domain
>> Users' its own GID, and having GPOs stored in sysvol on the DCs, which
>> is historically the place that has the most trouble with user mappings
>> etc. (that is why I initially switched to rfc2307, and subsequently
>> demoted my main file server from being a DC, also)
>
> If you only have Samba AD DCs and Windows clients, you do not need to
> give any group a gidNumber. It is only when you throw Unix domain
> members in to the mix AND use the winbind 'ad' backend, that you need
> to give Domain Users a gidNumber.
>
>>
>> If we don't give built-in groups their own UID/GID though, then how do
>> we ensure consistency between multiple DCs and also member
>> fileservers? This is probably the area of samba I'm least expert on
>> (uids, XIDs, rfc2307, idmap, file servers vs DCs, etc..)
>>
>
> Samba AD DCs use idmap.ldb to store the mappings between SIDs and
> xidNumbers, the numbers are always in the '3000000' range. They are
> also allocated on a first come basis, when a user or group first
> contacts a Samba DC it is allocated the next xidNumber, this is why
> you are not sure to get the same ID number on every DC. This is not a
> problem however, as each DC knows the xidNumber for the the group. So
> if you rsync sysvol between DCs and then run sysvolrest, the correct
> xidNumber for that DC will be set. You can also copy idmap.ldb between
> DCs as well, but I don't see the point.
>
> The only way to get consistent IDs for the users and groups that matter,
> is to use the winbind 'ad' backend. This means giving users a unique
> UidNumber and Domain Users a gidNumber. These numbers will be used on
> DCs instead of the xidNumbers and on Unix domain members provided that
> the 'idmap config' lines are set up correctly.
> This is what I use on domain members:
>
>     idmap config *:backend = tdb
>     idmap config *:range = 2000-9999
>     ## map ids from the domain  the ranges may not overlap !
>     idmap config SAMDOM : backend = ad
>     idmap config SAMDOM : schema_mode = rfc2307
>     idmap config SAMDOM : range = 10000-999999
>
> The '*' range is for the well known SIDs (Domain Admins,
> Administrators etc)
> The 'SAMDOM' range is for the DOMAIN users & groups that you create and
> Domain Users.
>
> It doesn't really matter what ID the well known SIDs get, as long as the
> Unix machine knows which SID the ID belongs to.
>
> Hope this help, but feel free to ask questions.
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba



-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein

More information about the samba mailing list