[Samba] samba-tool ntacl sysvol check errors (samba 4.7.4 AD DC)

Kacper Wirski kacper.wirski at gmail.com
Thu Jan 11 12:47:12 UTC 2018

To answer my own question:

I solved it (I think).

There were 2 causes basically:

1) I had messed up idmap.ldb on DC's (one with PDC FSMO was fine, the 
other two had more-or-less wrong mappings). I simply:

created hot backup of idmap.ldb on DC1, stopped samba on other dc's, and 
overwritten idmap.ldb there.

the above solved issue of GPO not being accessed

2) sysvolcheck was a bit trickier, but after reading some of the 
archives i realized, that "proper" way is for DOMAIN ADMINS to be owner 
as user and group. I had previously setup GUID in RSAT for domain 
admins, and DC's use rfc.

I removed GUID for this group, run net cache flush on each DC and on DC1 
i ran sysvolreset. All acl (with getfacl) look OK, and sysvolcheck 
returns 0 error.

domain admins is now the owner as user and group of Policies.

If anyone has some comment if there's some mistake in what I did and if 
I might end up getting some errors in the future, I'd be more than glad 
to hear it.

Also I have a related question:

let's suppose i don't set UID or GID for group/user in domain and let 
samba DC dynamically add it to idmap.ldb

Then let's suppose I want to add this user as ACL to GPO "xyz". DC with 
PDC is guaranteed to make correct mapping since it's the one that I'm 
configuring GPO on, but what's keeping other DC's to use same mapping? 
Is it just that idmap increments +1 for every new user? I think there is 
room for error, when more than 1 user/group is added at a time, before 
they manage to replicate to other DC's, then order in which local 
idmapping is done might be different on DC's.  I tested it yesterday in 
test environment: I added 2 users to DC3 with no UID, and on DC3 and DC2 
they were mapped to 3000127 (1st) 3000128 (2nd), and on DC1 1st(3000128 
and 2nd 3000127. Then, obviously, when I applied ACL for user 1st, after 
sysvol rsynced to dc2 and dc3, they had messed up mappings - copying 
idmap.ldb from DC1 again solved this issue.

So question: how can You prevent such scenario? Are you supposed to 
periodically "sync" idmap.ldb from one DC to others to keep mappings in 
order? Is using RFC option for assigining UID/GID the only way?



More information about the samba mailing list