[Samba] idmap range

Stefan G. Weichinger lists at xunil.at
Wed Mar 23 12:01:36 UTC 2022

On 23.03.22 at 12:17, Stefan G. Weichinger via samba wrote:
> On 23.03.22 at 11:57, Rowland Penny via samba wrote:
>>> What do I set idmap range to while NOT breaking the existing
>>> users/groups?
>> Nothing, you do not need to add anything.
> great
>>> Will that help me to get correct ACL editing perms again?
>> No, you seem to have another problem. Is this a DC that doesn't hold
>> the PDC_Emulator FSMO role? If so, have you synced Sysvol and
>> idmap.ldb from the PDC_Emulator DC?
> I found a thread around that ... and will check for that asap.
> Sure, I have synced sysvol for years, and remember syncing idmap.ldb
> years ago. But I haven't touched that for a long time.

Checked things:

2 DCs "backup" and "dc2" (don't ask ;-) ).

dc2 is the one with the PDC_Emulator FSMO role.

"backup" rsyncs sysvol from "dc2".

I rsynced dc2:/var/lib/samba/private/idmap.ldb over to "backup", and 
restarted the samba-ad-dc.service.

"samba-tool ntacl sysvolreset" on dc2 says:

idmap range not specified for domain '*'
idmap range not specified for domain '*'

(dozens of lines, then:)

ndr_pull_uint16: ndr_pull_error(Buffer Size Error): Pull bytes 2 (../../librpc/ndr/ndr_basic.c:136) at ../../librpc/ndr/ndr_basic.c:136
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
ERROR(runtime): uncaught exception - (3221225507, '{Buffer Too Small} The buffer is too small to contain the entry. No information has been written to the buffer.')
   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
     provision.setsysvolacl(samdb, netlogon, sysvol,
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1747, in setsysvolacl
     _setntacl(os.path.join(root, name))
   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1736, in _setntacl
     return setntacl(
   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 230, in 

I assume I would have to fix the ACLs on "dc2" and rsync syncs the 
corrected permissions over.
