[Samba] idmap range

Stefan G. Weichinger lists at xunil.at
Thu Mar 24 18:29:10 UTC 2022 

Am 23.03.22 um 13:01 schrieb Stefan G. Weichinger via samba:
> Am 23.03.22 um 12:17 schrieb Stefan G. Weichinger via samba:
>> Am 23.03.22 um 11:57 schrieb Rowland Penny via samba:
>>
>>>> What do I set idmap range to while NOT breaking the existing
>>>> users/groups?
>>>
>>> Nothing, you do not need to add anything.
>>
>> great
>>
>>>> Will that help me to get correct ACL editing perms again?
>>>
>>> No, you seem to have another problem. Is this a DC that doesn't hold
>>> the PDC_Emulator FSMO role ? If so, have you synced Sysvol and
>>> idmap.ldb from the PDC_Emulator DC ?
>>
>> I found a thread around that ... and will check for that asap.
>>
>> Sure, I sync sysvol for years, and remember syncing idmap.ldb years 
>> ago. But I haven't touched that for a long time.
> 
> checked things:
> 
> 2 DCs "backup" and "dc2" (don't ask ;-) ).
> 
> dc2 is the one with the PDC_Emulator FSMO role.
> 
> "backup" rsyncs sysvol from "dc2".
> 
> I rsynced dc2:/var/lib/samba/private/idmap.ldb over to "backup", and 
> restarted the samba-ad-dc.service
> 
> 
> "samba-tool ntacl sysvolreset"  on dc2 tells
> 
> 
> 
> idmap range not specified for domain '*'
> idmap range not specified for domain '*'
> 
> (dozens of lines, then:)
> 
> 
> ndr_pull_uint16: ndr_pull_error(Buffer Size Error): Pull bytes 2 
> (../../librpc/ndr/ndr_basic.c:136) at ../../librpc/ndr/ndr_basic.c:136
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
> ERROR(runtime): uncaught exception - (3221225507, '{Buffer Too Small} 
> The buffer is too small to contain the entry. No information has been 
> written to the buffer.')
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 
> 186, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 
> 412, in run
>      provision.setsysvolacl(samdb, netlogon, sysvol,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> line 1747, in setsysvolacl
>      _setntacl(os.path.join(root, name))
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> line 1736, in _setntacl
>      return setntacl(
>    File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 230, in 
> setntacl
>      smbd.set_nt_acl(
> 
> 
> I assume I would have to fix the ACLs on "dc2" and rsync syncs the 
> corrected permissions over.

How can I proceed here? Did I miss anything obvious?

Editing GPOs worked before.

More information about the samba mailing list