Hi,

On 8 November 2015 at 10:49, Michael Adam <obnox at samba.org> wrote:
> This is how it works in rsync:
[...]
> I have always used rsync to replicate the sysvol.
> And always used local xids. But being mainly a
> file-server guy, I have also not managed many Samba
> AD/DC environments. So I am really more than willing
> to learn from others' experience here.

This is the major area I have had problems with in the past, same as
Rowland and many others I expect.

I should probably look into it in a little more detail to be honest;
last time I tried it it was a little bit of a black art but I ended up
fixing it by a combination of
- switching to rfc2307
- allocating all groups and users a GID/UID, including the 'BUILTIN' ones
- copying idmap.ldb between my DCs

Despite all this, I still have files owned by 'raw' UIDs on my DCs
(these map to 'BUILTIN\Authenticated Users' and 'BUILTIN\Local
System') e.g.

[root at dc ~]# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: administrators
user::rwx
user:root:rwx
user:3000013:r-x
user:3000140:rwx
[...]
[root at dc ~]# net cache list | egrep "(0013|00140)"
Key: IDMAP/GID2SID/3000140 Timeout: Sun Nov 15 04:04:35 2015
Value: S-1-5-18
Key: IDMAP/UID2SID/3000013 Timeout: Sun Nov 15 03:23:23 2015
Value: S-1-5-11

but replication does seem to work across DCs via rsync at the moment.

I suspect this is another thread entirely from the bug we have been
discussing, though :) Maybe there's a way I can add the rfc2307
attributes to these two SIDs (although I haven't found it yet)

We should probably update the 'sysvol rsync howto' wiki entry with our
findings. I should actually update it anyway, as I have a working
multi-DC configuration using lsyncd that lets me update GPOs on any DC
(as long as I only update on one at a time)

>> If you log into *any* windows domain machine, you will get the same SID-RID,
>> why should Unix be any different?
>
> Because the windows sids are by design worldwide unique, while
> the unix pattern is to use the same unix id space on each machine
> and fill it individually.
>
> I completely agree that it may be nice to have it.
> But the real solution would be to have sid-like
> unix IDs in the linux kernel.

Agreed, that would be great :) But I think until we have this in the
kernel, it would be good if we can work around it within Samba, if
possible - e.g. rfc2307 support for example.

Cheers,

Jonathan

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
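An added check, not code from the thread or from Samba, that joins the bare numeric entries in the getfacl output above with the IDMAP entries from net cache list and reports which of them are well-known SIDs (S-1-5-11 Authenticated Users, S-1-5-18 Local System), i.e. locally allocated xids that have to be identical on every DC before an rsync'd sysvol ACL means the same thing everywhere. It assumes both command outputs have been captured as strings; the sample inputs below are constructed from the outputs quoted in the message above.

```python
import re

# Constructed sample input: the getfacl output quoted in the thread.
GETFACL_OUTPUT = """\
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: administrators
user::rwx
user:root:rwx
user:3000013:r-x
user:3000140:rwx
"""

# Constructed sample input: the `net cache list` entries quoted in the thread.
NET_CACHE_OUTPUT = """\
Key: IDMAP/GID2SID/3000140 Timeout: Sun Nov 15 04:04:35 2015
Value: S-1-5-18
Key: IDMAP/UID2SID/3000013 Timeout: Sun Nov 15 03:23:23 2015
Value: S-1-5-11
"""

# Well-known SIDs that never carry uidNumber/gidNumber and therefore only
# ever get a locally allocated xid out of idmap.ldb.
WELL_KNOWN_SIDS = {"S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System"}

def raw_ids(getfacl_text):
    """Return {xid: 'user'|'group'} for ACL entries whose qualifier is a bare number."""
    found = {}
    for line in getfacl_text.splitlines():
        m = re.match(r"^(user|group):(\d+):", line)
        if m:
            found[int(m.group(2))] = m.group(1)
    return found

def idmap_cache(net_cache_text):
    """Parse the IDMAP/UID2SID and IDMAP/GID2SID cache keys into {xid: (kind, sid)}."""
    pattern = re.compile(r"IDMAP/(UID|GID)2SID/(\d+).*?Value:\s*(S-[\d-]+)", re.S)
    return {int(xid): ("user" if t == "UID" else "group", sid)
            for t, xid, sid in pattern.findall(net_cache_text)}

def audit(getfacl_text, net_cache_text):
    """Classify each raw xid on the ACL: well-known (local xid only), domain SID, or unknown."""
    cache = idmap_cache(net_cache_text)
    report = {}
    for xid, acl_kind in raw_ids(getfacl_text).items():
        if xid not in cache:
            report[xid] = "unknown: %s entry not in the idmap cache" % acl_kind
            continue
        kind, sid = cache[xid]
        if sid in WELL_KNOWN_SIDS:
            report[xid] = "%s (%s): local xid, must be identical on every DC" % (WELL_KNOWN_SIDS[sid], sid)
        else:
            report[xid] = "%s: domain SID cached as %s, can carry uidNumber/gidNumber" % (sid, kind)
    return report
```

Run audit() on each DC and compare the reports: a well-known SID that resolves to a different xid on another DC is exactly the case rsync cannot fix on its own.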
On 08/11/15 11:08, Jonathan Hunter wrote:
> Hi,
>
> On 8 November 2015 at 10:49, Michael Adam <obnox at samba.org> wrote:
>> This is how it works in rsync:
> [...]
>> I have always used rsync to replicate the sysvol.
>> And always used local xids. But being mainly a
>> file-server guy, I have also not managed many Samba
>> AD/DC environments. So I am really more than willing
>> to learn from others' experience here.
> This is the major area I have had problems with in the past, same as
> Rowland and many others I expect.
>
> I should probably look into it in a little more detail to be honest;
> last time I tried it it was a little bit of a black art but I ended up
> fixing it by a combination of
> - switching to rfc2307
> - allocating all groups and users a GID/UID, including the 'BUILTIN' ones
> - copying idmap.ldb between my DCs
>
> Despite all this, I still have files owned by 'raw' UIDs on my DCs
> (these map to 'BUILTIN\Authenticated Users' and 'BUILTIN\Local
> System') e.g.
>
> [root at dc ~]# getfacl /usr/local/samba/var/locks/sysvol
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: administrators
> user::rwx
> user:root:rwx
> user:3000013:r-x
> user:3000140:rwx
> [...]
> [root at dc ~]# net cache list | egrep "(0013|00140)"
> Key: IDMAP/GID2SID/3000140 Timeout: Sun Nov 15 04:04:35 2015
> Value: S-1-5-18
> Key: IDMAP/UID2SID/3000013 Timeout: Sun Nov 15 03:23:23 2015
> Value: S-1-5-11
>
> but replication does seem to work across DCs via rsync at the moment.
>
> I suspect this is another thread entirely from the bug we have been
> discussing, though :) Maybe there's a way I can add the rfc2307
> attributes to these two SIDs (although I haven't found it yet)

You cannot add uid/gidNumber attributes to BUILTIN users/groups, well,
you can, but they are ignored, I know, I tried.

Rowland

> We should probably update the 'sysvol rsync howto' wiki entry with our
> findings. I should actually update it anyway, as I have a working
> multi-DC configuration using lsyncd that lets me update GPOs on any DC
> (as long as I only update on one at a time)
>
>>> If you log into *any* windows domain machine, you will get the same SID-RID,
>>> why should Unix be any different?
>> Because the windows sids are by design worldwide unique, while
>> the unix pattern is to use the same unix id space on each machine
>> and fill it individually.
>>
>> I completely agree that it may be nice to have it.
>> But the real solution would be to have sid-like
>> unix IDs in the linux kernel.
> Agreed, that would be great :) But I think until we have this in the
> kernel, it would be good if we can work around it within Samba, if
> possible - e.g. rfc2307 support for example.
>
> Cheers,
>
> Jonathan
>
On 15:27:22 wrote Rowland Penny:
> On 08/11/15 11:08, Jonathan Hunter wrote:
> > Hi,
> >
> > On 8 November 2015 at 10:49, Michael Adam <obnox at samba.org> wrote:
> >> This is how it works in rsync:
> > [...]
> >
> >> I have always used rsync to replicate the sysvol.
> >> And always used local xids. But being mainly a
> >> file-server guy, I have also not managed many Samba
> >> AD/DC environments. So I am really more than willing
> >> to learn from others' experience here.
> >
> > This is the major area I have had problems with in the past, same
> > as Rowland and many others I expect.
> >
> > I should probably look into it in a little more detail to be
> > honest; last time I tried it it was a little bit of a black art
> > but I ended up fixing it by a combination of
> > - switching to rfc2307
> > - allocating all groups and users a GID/UID, including the
> > 'BUILTIN' ones
> > - copying idmap.ldb between my DCs
> >
> > Despite all this, I still have files owned by 'raw' UIDs on my DCs
> > (these map to 'BUILTIN\Authenticated Users' and 'BUILTIN\Local
> > System') e.g.
> >
> > [root at dc ~]# getfacl /usr/local/samba/var/locks/sysvol
> > getfacl: Removing leading '/' from absolute path names
> > # file: usr/local/samba/var/locks/sysvol
> > # owner: root
> > # group: administrators
> > user::rwx
> > user:root:rwx
> > user:3000013:r-x
> > user:3000140:rwx
> > [...]
> > [root at dc ~]# net cache list | egrep "(0013|00140)"
> > Key: IDMAP/GID2SID/3000140 Timeout: Sun Nov 15 04:04:35 2015
> > Value: S-1-5-18
> > Key: IDMAP/UID2SID/3000013 Timeout: Sun Nov 15 03:23:23 2015
> > Value: S-1-5-11
> >
> > but replication does seem to work across DCs via rsync at the
> > moment.
> >
> > I suspect this is another thread entirely from the bug we have been
> > discussing, though :) Maybe there's a way I can add the rfc2307
> > attributes to these two SIDs (although I haven't found it yet)
>
> You cannot add uid/gidNumber attributes to BUILTIN users/groups,
> well, you can, but they are ignored, I know, I tried.

My experience is different. I have done this for about 10 years in NT-
and AD-style Samba domains and have had no problems. Sure, "authenticated
users", "local system" and all "groups" which are managed by the Windows
OS will never work on a Unix-like OS. But groups which simply contain
other groups, like Administrators or Users, work for me. I use nslcd as
NSS daemon, mostly, but I know it also works with other NSS providers
like winbindd.

> Rowland
>
> > We should probably update the 'sysvol rsync howto' wiki entry with
> > our findings. I should actually update it anyway, as I have a
> > working multi-DC configuration using lsyncd that lets me update
> > GPOs on any DC (as long as I only update on one at a time)
> >
> >>> If you log into *any* windows domain machine, you will get the
> >>> same SID-RID, why should Unix be any different?
> >>
> >> Because the windows sids are by design worldwide unique, while
> >> the unix pattern is to use the same unix id space on each machine
> >> and fill it individually.
> >>
> >> I completely agree that it may be nice to have it.
> >> But the real solution would be to have sid-like
> >> unix IDs in the linux kernel.
> >
> > Agreed, that would be great :) But I think until we have this in
> > the kernel, it would be good if we can work around it within
> > Samba, if possible - e.g. rfc2307 support for example.
> >
> > Cheers,
> >
> > Jonathan

-- 
Regards
Harry Jede