On 23.03.22 at 12:17, Stefan G. Weichinger via samba wrote:
> On 23.03.22 at 11:57, Rowland Penny via samba wrote:
>
>>> What do I set idmap range to while NOT breaking the existing
>>> users/groups?
>>
>> Nothing, you do not need to add anything.
>
> great
>
>>> Will that help me to get correct ACL editing perms again?
>>
>> No, you seem to have another problem. Is this a DC that doesn't hold
>> the PDC_Emulator FSMO role ? If so, have you synced Sysvol and
>> idmap.ldb from the PDC_Emulator DC ?
>
> I found a thread around that ... and will check for that asap.
>
> Sure, I have synced sysvol for years, and remember syncing idmap.ldb years ago.
> But I haven't touched that for a long time.

Checked things:

2 DCs "backup" and "dc2" (don't ask ;-) ).

dc2 is the one with the PDC_Emulator FSMO role.

"backup" rsyncs sysvol from "dc2".

I rsynced dc2:/var/lib/samba/private/idmap.ldb over to "backup", and
restarted the samba-ad-dc.service.

"samba-tool ntacl sysvolreset" on dc2 tells:

idmap range not specified for domain '*'
idmap range not specified for domain '*'
(dozens of lines, then:)
ndr_pull_uint16: ndr_pull_error(Buffer Size Error): Pull bytes 2 (../../librpc/ndr/ndr_basic.c:136) at ../../librpc/ndr/ndr_basic.c:136
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
ERROR(runtime): uncaught exception - (3221225507, '{Buffer Too Small} The buffer is too small to contain the entry. No information has been written to the buffer.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1747, in setsysvolacl
    _setntacl(os.path.join(root, name))
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1736, in _setntacl
    return setntacl(
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 230, in setntacl
    smbd.set_nt_acl(

I assume I would have to fix the ACLs on "dc2" and rsync syncs the
corrected permissions over.