On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
> others?

do you have winbind in /etc/nsswitch.conf?

mj
On 6/22/2016 8:53 AM, mj wrote:
> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
>> others?
>
> do you have winbind in /etc/nsswitch.conf?
>
> mj

No.

cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

--
-James
On 6/22/2016 8:53 AM, mj wrote:
> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
>> others?
>
> do you have winbind in /etc/nsswitch.conf?
>
> mj

I also thought winbind was only necessary on member servers.

--
-James
@LPH van Belle
I did try (and still use) "acl_xattr:ignore system acls = yes" as shown on the first mail of that thread. And even using that, rights errors on GPO files _are_ an issue. Otherwise that thread wouldn't have been opened of course : )

Regarding how we decided to work around that almost definitively: we gave every user and group in AD some xID, also those in CN=Builtin and CN=Users. We also cleaned our idmap.ldb to keep inside only special users / groups (as "local system" / S-1-5-18, "guests" / S-1-5-32-546...).
We also added some rsync to keep idmap.ldb synchronized on all our DCs, so these special items have the same mapped xID in case they are used (and so mapped).

Doing that, the id mapper has no reason to define by itself some xID for users and groups contained in AD as they already have some xID.

Until now it seems to work fine...

2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
> On 6/22/2016 8:53 AM, mj wrote:
>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
>>> others?
>>
>> do you have winbind in /etc/nsswitch.conf?
>>
>> mj
>
> I also thought winbind was only necessary on member servers.
>
> --
> -James
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 22/06/16 14:09, lingpanda101 at gmail.com wrote:
> On 6/22/2016 8:53 AM, mj wrote:
>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
>>> others?
>>
>> do you have winbind in /etc/nsswitch.conf?
>>
>> mj
>
> I also thought winbind was only necessary on member servers.

My understanding is that you need winbind in /etc/nsswitch.conf whenever you want AD users or groups to be known to the underlying Unix OS.

Rowland
My understanding also.. but on an AD DC.
When you're typing to test:
getent passwd ( needs nsswitch.conf changed )
id username ( needs nsswitch.conf changed )
wbinfo -u ( no changes needed )
Just depends what you want to see when and where..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Wednesday 22 June 2016 16:13
> To: samba at lists.samba.org
> Subject: Re: [Samba] Rights issue on GPO
>
> On 22/06/16 14:09, lingpanda101 at gmail.com wrote:
>> On 6/22/2016 8:53 AM, mj wrote:
>>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
>>>> others?
>>>
>>> do you have winbind in /etc/nsswitch.conf?
>>>
>>> mj
>>
>> I also thought winbind was only necessary on member servers.
>
> My understanding is that you need winbind in /etc/nsswitch.conf whenever
> you want AD users or groups to be known to the underlying Unix OS.
>
> Rowland
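A check for the point Rowland and Louis make above (getent/id, and therefore getfacl name display, resolve AD users and groups only when winbind is listed for passwd and group in nsswitch.conf). This is an added example, not code from the thread; it runs over constructed copies of James's posted nsswitch.conf and a corrected variant rather than the live file.

```shell
# Print "yes" (return 0) if database $2 in file $1 lists winbind as a source,
# otherwise print "no" and return 1.
nsswitch_has_winbind() {
    if awk -v db="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            line = $0; sub(/#.*/, "", line)           # drop trailing comments
            split(line, parts, ":")
            name = parts[1]; gsub(/[[:space:]]/, "", name)
            if (name != db) next
            n = split(parts[2], srcs, " ")            # " " = split on whitespace
            for (i = 1; i <= n; i++) if (srcs[i] == "winbind") found = 1
        }
        END { exit(found ? 0 : 1) }' "$1"; then
        echo yes
    else
        echo no
        return 1
    fi
}

# One status line per database; returns 0 only when both passwd and group use winbind.
nsswitch_check() {
    rc=0
    for db in passwd group; do
        if nsswitch_has_winbind "$1" "$db" >/dev/null; then
            echo "$db: winbind present"
        else
            echo "$db: winbind MISSING, AD users/groups will not resolve via NSS"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample 1: the passwd/group/shadow lines as posted by James.
SAMPLE_AS_POSTED=$(mktemp)
cat >"$SAMPLE_AS_POSTED" <<'EOF'
# /etc/nsswitch.conf (constructed copy of the posted file)
passwd:         compat
group:          compat
shadow:         compat
EOF

# Constructed sample 2: the same file with winbind appended to passwd and group.
SAMPLE_FIXED=$(mktemp)
sed -e 's/^passwd:.*/& winbind/' -e 's/^group:.*/& winbind/' "$SAMPLE_AS_POSTED" >"$SAMPLE_FIXED"

nsswitch_check "$SAMPLE_AS_POSTED" || true   # both lines reported MISSING
nsswitch_check "$SAMPLE_FIXED"               # both lines reported present
```

Run nsswitch_check /etc/nsswitch.conf on the DC to test the real file; wbinfo -u talks to winbindd directly and bypasses NSS, which is why it works either way.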
@Mathias,

Pretty strange then, running some years like this without any problem.
Yes we had a few problems with "rights" in sysvol, but I fixed this all outside linux, and with that I mean:
changed rights from within windows or added registry changes or patches, or a local clean up of the policies.

At the install of my DC2 I also synced the idmap.ldb, and then a net idmap flush on both servers to make both my DCs in sync.
And I keep it in sync with my rsync/unison setup.

All newly added, but I'll also keep an eye on this and I'll recheck my logs.
But I don't think I'll find anything here.
I'll keep notice on your "workaround".

Which backend are you using Mathias?
Mine : (idmap config NTDOMAIN : backend = ad)

Gr.

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
> Sent: Wednesday 22 June 2016 15:31
> To: lingpanda101 at gmail.com
> CC: samba
> Subject: Re: [Samba] Rights issue on GPO
>
> @LPH van Belle
> I did try (and still use) "acl_xattr:ignore system acls = yes" as shown
> on the first mail of that thread. And even using that, rights errors on GPO
> files _are_ an issue. Otherwise that thread wouldn't have been opened of
> course : )
>
> Regarding how we decided to work around that almost definitively: we gave
> every user and group in AD some xID, also those in CN=Builtin and
> CN=Users. We also cleaned our idmap.ldb to keep inside only special users /
> groups (as "local system" / S-1-5-18, "guests" / S-1-5-32-546...).
> We also added some rsync to keep idmap.ldb synchronized on all our DCs, so
> these special items have the same mapped xID in case they are used (and so
> mapped).
>
> Doing that, the id mapper has no reason to define by itself some xID for
> users and groups contained in AD as they already have some xID.
>
> Until now it seems to work fine...
>
> 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>> On 6/22/2016 8:53 AM, mj wrote:
>>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like
>>>> others?
>>>
>>> do you have winbind in /etc/nsswitch.conf?
>>>
>>> mj
>>
>> I also thought winbind was only necessary on member servers.
>>
>> --
>> -James