L.P.H. van Belle
2015-Apr-30  06:09 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
Please read the reported bug and Bjorn's answer.. which does not help any to a
solution or fix, or explanation.
But the big question now is, does someone somewhere know what Bjorn is talking
about.
i did search for "gencache" but no go here.. 
just from old documentation.
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/tdb.html 
gencache.tdb  Generic caching database. 
Greetz, 
Louis
-----Original message-----
From: samba-bugs@samba.org [mailto:samba-bugs@samba.org]
Sent: Wednesday 29 April 2015 17:51
To: L.P.H. van Belle
Subject: [Bug 11241] different ids even when idmap.ldb copied.
https://bugzilla.samba.org/show_bug.cgi?id=11241
Björn Jacke <bj@sernet.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED
--- Comment #1 from Björn Jacke <bj@sernet.de> ---
this is not a supported thing to do, so this is not a valid bug. winbindd has a
different way of caching (investigate gencache for example) entries and this is
probably what makes that hack stop working for you with winbindd.
REPORTED BUG.. 
Louis     2015-04-29 08:51:03 UTC  
Hai. getting same ids on 2 DC's does not work anymore on samba 4.2.1
with in smb.conf 
server services = -dns +winbindd -winbind
If i set it to
server services = -dns -winbindd +winbind 
it does work again. 
with 4.1.17 the solution was simple.. we stop samba on both servers. 
scp /var/lib/samba/private/idmap.ldb root@192.168.0.2:/var/lib/samba/private/
started samba on both servers and 
id administrator gave the same id's for all groups. 
Now on 4.2.1
DC1:  id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),
3000004(group policy creator owners),
3000006(enterprise admins),
3000008(domain admins),
3000007(schema admins),
3000005(denied rodc password replication group),
3000009(BUILTIN\users),
3000000(BUILTIN\administrators)
id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),
3000011(group policy creator owners),
3000010(enterprise admins),
3000007(domain admins),
3000009(schema admins),
3000008(denied rodc password replication group),
3000001(BUILTIN\users),
3000000(BUILTIN\administrators)
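An added example, not from this thread or from Samba: a small Python checker that parses the `id administrator` output captured on each DC (the two listings above, embedded here as constructed sample input) and reports which group names resolve to different GIDs and which GIDs name different groups on the two DCs. Either kind of drift means a policy folder created in a replicated sysvol on one DC shows a different owner on the other.

```python
import re
import sys

# Constructed sample input: the two `id administrator` listings quoted in this
# thread (DC1 first, the second DC after it), joined onto one line each as the
# `id` command actually prints them.
DC1_ID = ("uid=0(root) gid=100(users) groups=0(root),100(users),"
          "3000004(group policy creator owners),3000006(enterprise admins),"
          "3000008(domain admins),3000007(schema admins),"
          "3000005(denied rodc password replication group),"
          "3000009(BUILTIN\\users),3000000(BUILTIN\\administrators)")
DC2_ID = ("uid=0(root) gid=100(users) groups=0(root),100(users),"
          "3000011(group policy creator owners),3000010(enterprise admins),"
          "3000007(domain admins),3000009(schema admins),"
          "3000008(denied rodc password replication group),"
          "3000001(BUILTIN\\users),3000000(BUILTIN\\administrators)")

# Every NUMBER(NAME) pair; names may contain spaces and backslashes.
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(text):
    """Return {name: numeric id} for the uid, gid and groups fields of `id`."""
    mapping = {}
    for xid, name in _ENTRY.findall(text):
        mapping[name] = int(xid)
    return mapping


def compare_mappings(a, b):
    """Compare two name->id maps taken on different DCs.

    Returns two dicts:
      name_mismatch: {name: (id_on_a, id_on_b)} for names that resolve to
                     different ids on the two hosts
      id_collision:  {id: (name_on_a, name_on_b)} for ids that are handed to
                     different names on the two hosts
    Note: inverting a map keeps only one name per id, so a host that gives the
    same id to several names (the three uid-0 users discussed later in this
    thread) shows up as a single entry here.
    """
    name_mismatch = {}
    for name in sorted(set(a) & set(b)):
        if a[name] != b[name]:
            name_mismatch[name] = (a[name], b[name])
    inv_a = {xid: name for name, xid in a.items()}
    inv_b = {xid: name for name, xid in b.items()}
    id_collision = {}
    for xid in sorted(set(inv_a) & set(inv_b)):
        if inv_a[xid] != inv_b[xid]:
            id_collision[xid] = (inv_a[xid], inv_b[xid])
    return name_mismatch, id_collision


if __name__ == "__main__":
    # Optionally pass two files each holding one DC's `id` output.
    if len(sys.argv) == 3:
        text1, text2 = (open(p).read() for p in sys.argv[1:3])
    else:
        text1, text2 = DC1_ID, DC2_ID
    mismatches, collisions = compare_mappings(parse_id_output(text1),
                                              parse_id_output(text2))
    for name, (x, y) in mismatches.items():
        print(f"name drift: {name!r} is {x} on DC1 but {y} on DC2")
    for xid, (x, y) in collisions.items():
        print(f"id collision: {xid} is {x!r} on DC1 but {y!r} on DC2")
    if not mismatches and not collisions:
        print("id mappings agree on both DCs")
```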
Rowland Penny
2015-Apr-30  07:57 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
On 30/04/15 07:09, L.P.H. van Belle wrote:
> Please read the reported bug and bjorn answer.. which does not help any to a solution of fix, or explenation.
> But the big question now is, does someone somewhere know what bjorn is talking about.
[...]
> --- Comment #1 from Björn Jacke <bj@sernet.de> ---
> this is not a supported thing to do, so this is not a valid bug. winbindd has a
> different way of caching (investigate gencache for example) entries and this is
> probably what makes that hack stop working for you with winbindd.

Hi Louis, no I don't understand what Bjorn is talking about, but then I don't think that Bjorn really understands the problem. What if somebody got sysvol to replicate, you would quickly end up with a mess, if a policy was added on one DC, it would end up being owned by somebody/group on the other DC, this is a regression.

Rowland
L.P.H. van Belle
2015-Apr-30  08:09 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
( sorry for mailing directly bjorn, but please have a look ) 
I still think this is a bug.. 
why not a bug:
If i do assign a UID/GID to a user, then yes, this will work fine. 
new users and groups sure.. but now im talking about the default domain groups..
why a bug: 
User administrator and the domain groups are set by default by samba. 
and its not consistent at all, which is needed for a replicated sysvol. 
yes, not supported by samba, but i hope samba is working on that, and then
this will be an issue also, better fix it now imo. 
let me explain what i see.. 
administrator has uid 0.. 
wbinfo -i DOMAIN\\administrator
DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false 
Administrator ... and not administrator..  
so now this is my result of my sysvol... 
 ls -n
total 8
drwxrwx---+ 4 0 3000000 4096 Apr 28 13:32 internal.domain.tld
wbinfo --uid-info 0
administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
administrator and not Administrator ? 
first 2 differences in usernames :  Administrator and administrator
wbinfo --uid-info 0
administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
wbinfo -i DOMAIN\\administrator
DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false
wbinfo -i DOMAIN\\Administrator
administrator:*:0:100::/home/BAZRTD/administrator:/bin/false
converted Administrator to administrator.
look at the homedir..  Caps A and not caps.  so 2 different folders. 
2 different users. 
in total 3 users with uid 0 ( root, administrator and Administrator ) 
in the sysvol/internal.domain.tld : 
ls -n
total 16
drwxrwx---+ 4 0 3000000 4096 Apr 28 13:32 Policies
drwxrwx---+ 2 0 3000000 4096 Apr 28 13:32 scripts
ls -l
total 8
drwxrwx---+ 4 root BUILTIN\administrators 4096 Apr 28 13:32 internal.domain.tld
wbinfo --group-info "BUILTIN\administrators"
BUILTIN\administrators:x:3000000:
for the Policies folder :  
Policies# ls -n
total 16
drwxrwx---+ 4 3000008 3000008 4096 Apr 28 13:32
{31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 3000008 3000008 4096 Apr 28 13:32
{6AC1786C-016F-11D2-945F-00C04FB984F9}
wbinfo --uid-info 3000008
domain admins:*:3000008:3000008::/home/DOMAIN/domain admins:/bin/false
wbinfo --gid-info 3000008
domain admins:x:3000008:administrator
wbinfo --group-info "DOMAIN\domain admins"
domain admins:x:3000008:administrator
wbinfo --user-info "DOMAIN\domain admins"
domain admins:*:3000008:3000008::/home/BAZRTD/domain admins:/bin/false
getfacl \{31B2F340-016D-11D2-945F-00C04FB984F9\}/
# file: {31B2F340-016D-11D2-945F-00C04FB984F9}/
# owner: domain\040admins
# group: domain\040admins
user::rwx
group::rwx
group:3000002:rwx
group:3000003:r-x
group:enterprise\040admins:rwx
group:domain\040admins:rwx
group:3000010:r-x
mask::rwx
other::---
default:user::rwx
default:user:domain\040admins:rwx
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:enterprise\040admins:rwx
default:group:domain\040admins:rwx
default:group:3000010:r-x
default:mask::rwx
default:other::---
the user owner is the group ?  how can the user owner be a group ? 
Is this allowed ?  This i really dont know. 
so i have "user" : "domain admins"
and i have group : "domain admins"
Documentation lacks here, or i really cant find it..   
anyone any comment on this ? 
Greetz, 
Louis
Rowland Penny
2015-Apr-30  08:31 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
On 30/04/15 09:09, L.P.H. van Belle wrote:
> ( sorry for mailing directly bjorn, but please have a look )
> I still think this is a bug..
[...]
> first 2 differences in usernames : Administrator and administrator

Don't worry about that, this is just winbind normalising names

[...]
> look at the homedir.. Caps A and not caps. so 2 different folders.
> 2 different users.
> in total 3 users with uid 0 ( root, administrator and Administrator )

Now that is a problem

[...]
> the user owner is the group ? how can the user owner be a group ?
> Is this allowed ? This i really dont know.

Yes this a mess and is caused by stupid stupid windows allowing groups to own files, therefore you end up with ID_TYPE_BOTH in idmap.ldb. From my investigations, it is only one group that owns files: Administrators, but instead of just making this group 'ID_TYPE_BOTH', samba makes a lot of groups 'ID_TYPE_BOTH', have a look in idmap.ldb.

I also tested replacing the ownership of files and dirs in sysvol, I changed 'Administrators' for 'Administrator' and changed all occurrences of 'ID_TYPE_BOTH' in idmap.ldb to what it actually is. Looking from windows, I couldn't see any difference, because (and I am no windows expert) I think that windows doesn't actually care who owns the files, it only seems to care about the ACLs.

Rowland
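Rowland's "have a look in idmap.ldb" can be scripted. The following is an added Python example, not from this thread or from Samba: it parses LDIF as printed by `ldbsearch -H /var/lib/samba/private/idmap.ldb`, lists every sidMap entry of type ID_TYPE_BOTH, flags those other than BUILTIN\Administrators (S-1-5-32-544) following Rowland's observation that this is the only group actually owning sysvol files, and reports any SID mapped to xid 0 (the Administrator-as-root issue of bug 9837). The record layout (objectClass sidMap, objectSid, type, xidNumber) is assumed from that command's output; the domain SID S-1-5-21-111-222-333 and the xid values in the sample are constructed.

```python
import sys

# Constructed sample of `ldbsearch -H idmap.ldb` output (assumed record layout;
# the domain SID and the xidNumber values are made up for this example).
SAMPLE_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-111-222-333-512
cn: S-1-5-21-111-222-333-512
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-512
type: ID_TYPE_BOTH
xidNumber: 3000008

dn: CN=S-1-5-21-111-222-333-519
cn: S-1-5-21-111-222-333-519
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-519
type: ID_TYPE_BOTH
xidNumber: 3000006

dn: CN=S-1-5-21-111-222-333-513
cn: S-1-5-21-111-222-333-513
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-513
type: ID_TYPE_GID
xidNumber: 3000003

dn: CN=S-1-5-21-111-222-333-500
cn: S-1-5-21-111-222-333-500
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-500
type: ID_TYPE_UID
xidNumber: 0
"""

# Well-known RIDs, used only to label output.
RID_NAMES = {"544": "BUILTIN\\Administrators", "500": "Administrator",
             "512": "Domain Admins", "513": "Domain Users",
             "519": "Enterprise Admins"}

# The one group the thread found actually owning sysvol files (Rowland's
# observation). Any other ID_TYPE_BOTH entry is worth a second look.
EXPECTED_BOTH = {"S-1-5-32-544"}


def parse_ldif(text):
    """Split LDIF into one dict per blank-line separated record.

    Handles the single-valued attributes idmap.ldb uses, folded continuation
    lines (leading space) and comment lines (#).
    """
    records, cur, last = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                records.append(cur)
            cur, last = {}, None
            continue
        if line.startswith(" ") and last:
            cur[last] += line[1:]
            continue
        attr, _, value = line.partition(":")
        cur[attr] = value.strip()
        last = attr
    if cur:
        records.append(cur)
    return records


def audit_idmap(records):
    """Return ID_TYPE_BOTH entries, the unexpected ones, and SIDs mapped to xid 0."""
    sidmaps = [r for r in records if r.get("objectClass") == "sidMap"]
    both = {r["objectSid"]: int(r["xidNumber"]) for r in sidmaps
            if r.get("type") == "ID_TYPE_BOTH"}
    unexpected_both = {sid: xid for sid, xid in both.items()
                       if sid not in EXPECTED_BOTH}
    uid_zero = sorted(r["objectSid"] for r in sidmaps
                      if r.get("type") in ("ID_TYPE_UID", "ID_TYPE_BOTH")
                      and int(r["xidNumber"]) == 0)
    return {"both": both, "unexpected_both": unexpected_both,
            "uid_zero": uid_zero}


def describe(sid):
    """SID with its well-known name (by RID) when we know one."""
    rid = sid.rsplit("-", 1)[-1]
    return f"{sid} ({RID_NAMES.get(rid, 'unknown')})"


if __name__ == "__main__":
    # Pass the path of a saved `ldbsearch -H idmap.ldb` dump, or use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    result = audit_idmap(parse_ldif(text))
    for sid, xid in sorted(result["both"].items(), key=lambda kv: kv[1]):
        flag = "  <-- not expected to be BOTH" if sid in result["unexpected_both"] else ""
        print(f"ID_TYPE_BOTH xid={xid} {describe(sid)}{flag}")
    for sid in result["uid_zero"]:
        print(f"xid 0 (root) handed to {describe(sid)}")
```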
Bjoern Jacke
2015-Apr-30  08:58 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
Hi Louis,

I think this is not so much related to bug 11241 but more to
https://bugzilla.samba.org/show_bug.cgi?id=9837 (Administrator on AD DC shouldn't have uid 0)

right?

Best regards
Björn
L.P.H. van Belle
2015-Apr-30  09:35 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
Hello Björn,

I can totally agree with that, having multiple users with the same id isn't what we want, but samba needs at some point root rights, for creating folders/files.
Now we have a "chicken and the egg problem": which one comes first?
At install of samba files and folders are created, by root. When installed, started samba and now we can assign a uid/gid to Administrator. But at this point Administrator cannot change files/folders owned by root.. the installation script ended, and we don't know the correct uid/gids.

So for all the default users and groups in the AD i really suggest we do assign dedicated uid/gids.

wbinfo -g
domain admins
domain users
domain guests
domain computers
enterprise admins
group policy creator owners

wbinfo -u
administrator
guest

I removed some of the not needed users/groups, as far as i know.
imo, above should all have a dedicated uid/gid.
So when all of the above do have a dedicated uid/gid, we can assign the needed folders and files at install which need one of the above users/groups.
And this will help also in the development of samba in replicated sysvol.

And big thanks for having a look!

Greetings,
Louis
L.P.H. van Belle
2015-Apr-30  10:09 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
>> wbinfo --uid-info 0
>> administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
>> wbinfo -i DOMAIN\\administrator
>> DOMAIN\Administrator:*:0:100::/home/DOMAIN/Administrator:/bin/false
>>
>> wbinfo -i DOMAIN\\Administrator
>> administrator:*:0:100::/home/BAZRTD/administrator:/bin/false
>> converted Administrator to administrator.
>>
>> look at the homedir.. Caps A and not caps. so 2 different folders.
>> 2 different users.
>> in total 3 users with uid 0 ( root, administrator and Administrator )
>
> Now that is a problem

Now time has passed, don't know how much .. and... how strange again..

root@dc1:~# wbinfo -i DOMAIN\\Administrator
administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
root@dc1:~# wbinfo -i DOMAIN\\administrator
administrator:*:0:100::/home/DOMAIN/administrator:/bin/false
root@dc1:~# wbinfo --uid-info 0
administrator:*:0:100::/home/DOMAIN/administrator:/bin/false

.. im thinking there is something slow in responding/modifying.. This is the second time i see this, but i can't figure out the how and where..
well.. it works now.. (again) :-) im not going to hunt this one..

If you also notice this, this is what i did.

for x in `ls /etc/init.d/sernet-samba-*` ; do $x restart ; done
net cache flush
id administrator

now wait a few min and check again.

Greetz,
Louis
Björn JACKE
2015-Apr-30  10:36 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
On 2015-04-30 at 08:57 +0100 Rowland Penny sent off:
> > this is not a supported thing to do, so this is not a valid bug. winbindd has a
> > different way of caching (investigate gencache for example) entries and this is
> > probably what makes that hack stop working for you with winbindd.
>
> Hi Louis, no I don't understand what Bjorn is talking about, but then I
> don't think that Bjorn really understands the problem. What if somebody got
> sysvol to replicate, you would quickly end up with a mess, if a policy was
> added on one DC, it would end up being owned by somebody/group on the other
> DC, this is a regression.

I see the problem that you try to solve very well. But when a hack stops working this is not a regression. There are probably ways to make your hack work again though. But it still is a (unsupported) hack, which can't be taken into consideration by Samba in a version update.

Best regards
Björn

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
Tel +49-551-370000-0, Fax +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
Achim Gottinger
2015-Apr-30  10:55 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
Hi Louis, Björn and Rowland,

On 30.04.2015 at 08:09, L.P.H. van Belle wrote:
> Please read the reported bug and bjorn answer.. which does not help any to a solution of fix, or explenation.
> But the big question now is, does someone somewhere know what bjorn is talking about.
>
> i did search for "gencache" but no go here..
> just from old documentation.
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/tdb.html
> gencache.tdb Generic caching database.
[...]
> --- Comment #1 from Björn Jacke <bj@sernet.de> ---
> this is not a supported thing to do, so this is not a valid bug. winbindd has a
> different way of caching (investigate gencache for example) entries and this is
> probably what makes that hack stop working for you with winbindd.

A quick internet search for gencache led me to a list of ldb files: https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/tdb.html. It's from the old samba docs; in there a file called winbindd_idmap.tdb is mentioned, can it be this is the place where winbindd stores xid mappings? I do not have a running 4.2 instance here for testing.

Have a good day,
Achim
Achim Gottinger
2015-Apr-30  12:22 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldb copied. not abug..
Hi again,

Did a quick test in a VM and there is no winbind_idmap.tdb file. But there is a /var/cache/samba/gencache.tdb file. Removed this file with samba stopped and afterwards the changes in idmap.tdb apply.
Test:

root@wheezy:~# getfacl /var/lib/samba/sysvol/example.com
# file: var/lib/samba/sysvol/example.com
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x

root@wheezy:~# /etc/init.d/sernet-samba-ad stop
root@wheezy:~# ldbedit -H /var/lib/samba/private/idmap.ldb

Changed

# record 6
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000016
distinguishedName: CN=CONFIG

Into

# record 6
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000017
distinguishedName: CN=CONFIG

And

# record 10
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11

Into

# record 10
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000017
distinguishedName: CN=S-1-5-11

Started samba and ran sysvolreset

root@wheezy:~# /etc/init.d/sernet-samba-ad start
root@wheezy:~# samba-tool ntacl sysvolreset

Nothing changed.

root@wheezy:~# getfacl /var/lib/samba/sysvol/example.com
# file: var/lib/samba/sysvol/example.com
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x

Stopped samba, removed gencache

root@wheezy:~# /etc/init.d/sernet-samba-ad stop
root@wheezy:~# rm /var/cache/samba/gencache*

Started samba and ran sysvolreset

root@wheezy:~# /etc/init.d/sernet-samba-ad start
root@wheezy:~# samba-tool ntacl sysvolreset

Changes applied, now the last line shows the xid I changed in idmap.ldb.

root@wheezy:~# getfacl /var/lib/samba/sysvol/example.com
# file: var/lib/samba/sysvol/example.com
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000017:r-x

So the idmap.ldb copying should still work with the addition that /var/cache/samba/gencache.tdb must be deleted if winbindd is in use.

Achim~
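As an added consistency check (example code written for this edit, not Achim's test, Louis's script or Samba's own tooling): the script parses ldbsearch-style dumps of idmap.ldb taken from two DCs and lists every SID whose xid differs, which is the mismatch that made the sysvol ACLs drift in this thread. The two dumps are constructed samples modelled on the records above, and the function names `parse_idmap` and `compare_idmaps` are my own.

```python
import re

# Constructed sample dumps (not real DC output), modelled on the sidMap records
# quoted in the thread; this is the shape `ldbsearch -H .../idmap.ldb` prints.
DC1_LDIF = """\
dn: CN=S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
"""
# Second DC: S-1-5-11 was allocated a different xid, and S-1-5-32-545 was only
# ever mapped here. Both are the situations the idmap.ldb copy is meant to prevent.
DC2_LDIF = """\
dn: CN=S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000017

dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000005
"""

def parse_idmap(ldif: str) -> dict[str, tuple[str, int]]:
    """Return {objectSid: (type, xidNumber)} for every sidMap record in the dump."""
    mappings = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip ldbsearch's "# record N" comment lines
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if attrs.get("objectClass") == "sidMap":  # CN=CONFIG carries no SID, skip it
            mappings[attrs["objectSid"]] = (attrs["type"], int(attrs["xidNumber"]))
    return mappings

def compare_idmaps(dc1: dict, dc2: dict) -> list[str]:
    """Report every SID mapped differently on the two DCs; an empty list means consistent."""
    problems = []
    for sid in sorted(set(dc1) | set(dc2)):
        if sid not in dc1 or sid not in dc2:
            problems.append(f"{sid}: present on only one DC")
        elif dc1[sid] != dc2[sid]:
            problems.append(f"{sid}: xid {dc1[sid][1]} on DC1 vs {dc2[sid][1]} on DC2")
    return problems
```

Feed it the output of `ldbsearch -H /var/lib/samba/private/idmap.ldb` from each DC (with samba stopped, as in the test above); a clean result still does not help while winbindd serves stale mappings from gencache.tdb, so the cache removal step stays necessary.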
L.P.H. van Belle
2015-Apr-30  12:59 UTC
[Samba] FW: [Bug 11241] different ids even when idmap.ldbcopied. not abug.. (SOLVED)
Hello Achim,

Ok, thank you for looking into this. It's clear now where the problem was.
Thank you, my sysvol replication script is working fine now again with samba 4.2.1 (found here: https://secure.bazuin.nl/scripts/3-setup-sysvol-bidirectional.sh).
Upped version to 1.0.6, added the removal of gencache.tdb on the second DC.
Tested with debian wheezy (sernet) samba 4.1.x (winbind) and 4.2.1 (winbind and winbindd).

Thanks!

Greetz,

Louis