On 01/04/2021 18:08, Jake Black via samba wrote:
> We are trying to set up Microsoft's AGPM to control GPOs. When we push
> a GPO from the client, it sets some permissions on the GPO but only pushes the
> change to one DC. We have rsync-based replication configured to sync the sysvol
> across all DCs. However, the permission changes of the GPO do not change on the
> other DCs until after running a sysvolreset. Additionally, sysvolreset does not
> completely set all the permissions that were on the other DCs. Let me explain.
>
> For example, I push a GPO to DC1 via AGPM and it results in the following
> ACLs:
>
> # getfacl /var/lib/samba/sysvol/DOMAIN.com/Policies/\{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4\}/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/DOMAIN.com/Policies/{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4}/
> # owner: 3000032
> # group: 3000000
> user::rwx
> user:3000000:rwx
> user:3000004:rwx
> user:3000016:rwx
> user:3000017:r-x
> user:3000022:r-x
> user:3000033:rwx
> user:3000049:r-x
> user:3000050:rwx
> group::rwx
> group:3000000:rwx
> group:3000004:rwx
> group:3000016:rwx
> group:3000017:r-x
> group:3000022:r-x
> group:3000032:rwx
> group:3000033:rwx
> group:3000049:r-x
> group:3000050:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000004:rwx
> default:user:3000016:rwx
> default:user:3000017:r-x
> default:user:3000022:r-x
> default:user:3000032:rwx
> default:user:3000033:rwx
> default:user:3000049:r-x
> default:user:3000050:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000004:rwx
> default:group:3000016:rwx
> default:group:3000017:r-x
> default:group:3000022:r-x
> default:group:3000032:rwx
> default:group:3000033:rwx
> default:group:3000049:r-x
> default:group:3000050:rwx
> default:mask::rwx
> default:other::---
>
> Interestingly, 3000050 doesn't have a uid or gid, but I can see its SID:
>
> # wbinfo --uid-info 3000050
> failed to call wbcGetpwuid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for uid 3000050
>
> # wbinfo --gid-info 3000050
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000050
>
> # wbinfo -G 3000050
> S-1-5-21-1040850661-3690500864-832160619-3106
>
> So now I force a sync of the sysvol directory to DC2 and see the following
> ACLs on DC2:
>
> # getfacl /var/lib/samba/sysvol/DOMAIN.com/Policies/\{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4\}/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/DOMAIN.com/Policies/{3FDF1BFB-3B78-4E43-8140-FFF34678B8F4}/
> # owner: 3000000
> # group: 3000000
> user::rwx
> user:3000004:rwx
> user:3000016:rwx
> user:3000017:r-x
> user:3000022:r-x
> group::rwx
> group:3000000:rwx
> group:3000004:rwx
> group:3000016:rwx
> group:3000017:r-x
> group:3000022:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000004:rwx
> default:user:3000016:rwx
> default:user:3000017:r-x
> default:user:3000022:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000004:rwx
> default:group:3000016:rwx
> default:group:3000017:r-x
> default:group:3000022:r-x
> default:mask::rwx
> default:other::---
>
> Group Policy editor tells me that the permissions on the GPO are
> inconsistent with what is in the SYSVOL folder.
>
> Running samba-tool ntacl sysvolreset on DC2 changes these ACLs to match
> what they should be:
>
> # getfacl /var/lib/samba/sysvol/DOMAIN.com/Policies/\{950CFB36-1BA3-4D67-8E12-F0790E938A76\}/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/DOMAIN.com/Policies/{950CFB36-1BA3-4D67-8E12-F0790E938A76}/
> # owner: 3000032
> # group: 3000000
> user::rwx
> user:3000004:rwx
> user:3000016:rwx
> user:3000017:r-x
> user:3000022:r-x
> user:3000032:rwx
> user:3000033:rwx
> user:3000062:r-x
> user:3000063:rwx
> group::rwx
> group:3000000:rwx
> group:3000004:rwx
> group:3000016:rwx
> group:3000017:r-x
> group:3000022:r-x
> group:3000032:rwx
> group:3000033:rwx
> group:3000062:r-x
> group:3000063:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000004:rwx
> default:user:3000016:rwx
> default:user:3000017:r-x
> default:user:3000022:r-x
> default:user:3000032:rwx
> default:user:3000033:rwx
> default:user:3000062:r-x
> default:user:3000063:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000004:rwx
> default:group:3000016:rwx
> default:group:3000017:r-x
> default:group:3000022:r-x
> default:group:3000032:rwx
> default:group:3000033:rwx
> default:group:3000062:r-x
> default:group:3000063:rwx
> default:mask::rwx
> default:other::---
>
> I see here that 3000062 and 3000063 were added, but 3000049 and 3000050
> were not. But these ACLs are correct and what they should be, and everything
> seems happy with the GPO permissions.
>
> If I run a sysvolreset on DC1 now, it removes 3000049 and 3000050 and adds
> 3000062 and 3000063 to match what is on DC2.
>
> Since sysvolreset didn't pull the permissions from what was on DC1,
> where is it gathering what permissions to set? This seems to be working
> correctly and a sysvolreset solves our issues, so we don't really have any
> complaints, but is it really required every time we change the permissions on a
> GPO?
>
> Thanks,
>
> Jake
Have you synced idmap.ldb from the first DC to the other DC?
If you haven't, then you can and will have different IDs on each DC.

Rowland