Hi all, Here is our smb.conf: [global] workgroup = AD realm = AD.DOMAIN.TLD netbios name = DC200 server role = active directory domain controller server services = -dns idmap_ldb:use rfc2307 = yes #kccsrv:samba_kcc=true acl_xattr:ignore system acls = yes winbind nss info = rfc2307 [netlogon] path = /var/lib/samba/sysvol/ad.domain.tld/scripts read only = No [sysvol] path = /var/lib/samba/sysvol read only = No That's the same on all DC. We synchronize sysvol directory using rsync with the following command: rsync -XAavz --delete-after --password-file=/var/lib/samba/private/rsync_client.secret rsync://sysvol-replication at dc200/SysVol/ /var/lib/samba/sysvol/ And we get issue with Linux ACLs: they are not the same because some BUILTIN users and/or groups do not have same id mapping on all DC. How to force all DC to get same id mapping? Using "acl_xattr:ignore system acls = yes", are Linux ACLs still important or are we supposed to use Windows ACLs only into stored into some Samba file? In that case, which file(s)? Cheers, mathias
On 08/06/16 15:34, mathias dufresne wrote:> Hi all, > > Here is our smb.conf: > [global] > workgroup = AD > realm = AD.DOMAIN.TLD > netbios name = DC200 > server role = active directory domain controller > > server services = -dns > idmap_ldb:use rfc2307 = yes > > #kccsrv:samba_kcc=true > acl_xattr:ignore system acls = yes > winbind nss info = rfc2307 > > [netlogon] > path = /var/lib/samba/sysvol/ad.domain.tld/scripts > read only = No > > [sysvol] > path = /var/lib/samba/sysvol > read only = No > > That's the same on all DC. > > We synchronize sysvol directory using rsync with the following command: > rsync -XAavz --delete-after > --password-file=/var/lib/samba/private/rsync_client.secret > rsync://sysvol-replication at dc200/SysVol/ /var/lib/samba/sysvol/ > > And we get issue with Linux ACLs: they are not the same because some > BUILTIN users and/or groups do not have same id mapping on all DC. > > How to force all DC to get same id mapping? > > Using "acl_xattr:ignore system acls = yes", are Linux ACLs still important > or are we supposed to use Windows ACLs only into stored into some Samba > file? In that case, which file(s)? > > Cheers, > > mathiasOK, first you do not need this on a DC: 'winbind nss info = rfc2307' Secondly, your different id mappings for BUILTIN users & groups is a well known problem. The id's are stored in 'idmap.ldb' as 'xidNumber' attributes and seem to be given on a first come basis, only problem is, the groups etc don't connect in the same order on every DC. To get the same ID's on every DC, you will have to copy idmap.ldb from the first DC to every other DC, run 'net cache flush' and then keep 'idmap.ldb' in sync. Rowland
Hi Le 09/06/2016 à 20:42, Rowland penny a écrit :> On 08/06/16 15:34, mathias dufresne wrote: >> Hi all, >> >> [snip] >> And we get issue with Linux ACLs: they are not the same because some >> BUILTIN users and/or groups do not have same id mapping on all DC. >> >> How to force all DC to get same id mapping? >> >> Using "acl_xattr:ignore system acls = yes", are Linux ACLs still >> important >> or are we supposed to use Windows ACLs only into stored into some Samba >> file? In that case, which file(s)?They're stored in each file xattr as an obscure base64 encoded value BUT in all cases unix permissions applies when accessing through samba. So disabling ACLs means that you've to set the properties correctly to allow "samba" unix users to access files (there's no clear doc on that…)> OK, first you do not need this on a DC: 'winbind nss info = rfc2307' > > Secondly, your different id mappings for BUILTIN users & groups is a > well known problem. The id's are stored in 'idmap.ldb' as 'xidNumber' > attributes and seem to be given on a first come basis, only problem > is, the groups etc don't connect in the same order on every DC.Wasn't this supposed to be solved in 4.2? wiki.samba.org/index.php/Join_an_additional_Samba_DC_to_an_existing_Active_Directory#GID_mappings_of_built-in_groups The wiki seems to say that Builtin xID are now replicated but there is no clear upgrade path (if you've mixed 4.1 & 4.2 DC which mapping will be stored in 4.2 winbind? What happens when you upgrade the 4.1 to 4.2?)> > To get the same ID's on every DC, you will have to copy idmap.ldb from > the first DC to every other DC, run 'net cache flush' and then keep > 'idmap.ldb' in sync. >Regards