[Samba] idmap range
Stefan G. Weichinger
lists at xunil.at
Thu Mar 24 18:29:10 UTC 2022
On 23.03.22 at 13:01, Stefan G. Weichinger via samba wrote:
> On 23.03.22 at 12:17, Stefan G. Weichinger via samba wrote:
>> On 23.03.22 at 11:57, Rowland Penny via samba wrote:
>>
>>>> What do I set idmap range to while NOT breaking the existing
>>>> users/groups?
>>>
>>> Nothing, you do not need to add anything.
>>
>> great
>>
>>>> Will that help me to get correct ACL editing perms again?
>>>
>>> No, you seem to have another problem. Is this a DC that doesn't hold
>>> the PDC_Emulator FSMO role? If so, have you synced Sysvol and
>>> idmap.ldb from the PDC_Emulator DC?
>>
>> I found a thread around that ... and will check for that asap.
>>
>> Sure, I have been syncing sysvol for years, and remember syncing
>> idmap.ldb years ago. But I haven't touched that for a long time.
>
> checked things:
>
> 2 DCs "backup" and "dc2" (don't ask ;-) ).
>
> dc2 is the one with the PDC_Emulator FSMO role.
>
> "backup" rsyncs sysvol from "dc2".
>
> I rsynced dc2:/var/lib/samba/private/idmap.ldb over to "backup", and
> restarted the samba-ad-dc.service
>
>
> "samba-tool ntacl sysvolreset" on dc2 tells
>
>
>
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
>
> (dozens of lines, then:)
>
>
> ndr_pull_uint16: ndr_pull_error(Buffer Size Error): Pull bytes 2
> (../../librpc/ndr/ndr_basic.c:136) at ../../librpc/ndr/ndr_basic.c:136
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
> ERROR(runtime): uncaught exception - (3221225507, '{Buffer Too Small}
> The buffer is too small to contain the entry. No information has been
> written to the buffer.')
> File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
> 186, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
> 412, in run
> provision.setsysvolacl(samdb, netlogon, sysvol,
> File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1747, in setsysvolacl
> _setntacl(os.path.join(root, name))
> File "/usr/lib/python3/dist-packages/samba/provision/__init__.py",
> line 1736, in _setntacl
> return setntacl(
> File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 230, in
> setntacl
> smbd.set_nt_acl(
>
>
> I assume I would have to fix the ACLs on "dc2" and rsync syncs the
> corrected permissions over.
How can I proceed here? Did I miss anything obvious?
Editing GPOs worked before.