On 24.06.2016 at 21:24, Rowland penny wrote:
> On 24/06/16 19:47, lingpanda101 at gmail.com wrote:
>> On 6/24/2016 11:40 AM, mathias dufresne wrote:
>>> 2016-06-24 15:24 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>>
>>> On 6/22/2016 12:21 PM, mathias dufresne wrote:
>>>
>>> 2016-06-22 16:37 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:
>>>
>>> @Mathias,
>>>
>>> Pretty strange then, running some years like this without any problem.
>>> Yes, we had a few problems with "rights" in sysvol, but I fixed this all outside Linux, and with that I mean: changed rights from within Windows, or added registry changes or patches, or a local clean-up of the policies.
>>>
>>> At the install of my DC2 I also synced the idmap.ldb, and then a net idmap flush on both servers to bring both my DCs in sync. And I keep it in sync with my rsync/unison setup.
>>>
>>> All newly added, but I'll also keep an eye on this and I'll recheck my logs. But I don't think I'll find anything here. I'll keep notice of your "workaround".
>>>
>>> Which backend are you using, Mathias?
>>> Mine: (idmap config NTDOMAIN : backend = ad)
>>>
>>> Greetings,
>>>
>>> Louis
>>>
>>> OK, you keep idmap.ldb synched; that's what I missed until a few days ago and was the reason that it was not working.
>>> Our choice to give each user and group in AD some xID is only to avoid usage of mapping. I expect the synchronization of idmap.ldb (if done often enough) would be sufficient. But I don't always like magic : )
>>>
>>> Thank you for the precisions!
>>>
>>> Cheers all
>>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of mathias dufresne
>>> Sent: Wednesday 22 June 2016 15:31
>>> To: lingpanda101 at gmail.com
>>> CC: samba
>>> Subject: Re: [Samba] Rights issue on GPO
>>>
>>> @LPH van Belle
>>> I did try (and still use) "acl_xattr:ignore system acls = yes" as shown in the first mail of that thread. And even using that, rights errors on GPO files _are_ an issue. Otherwise that thread wouldn't have been opened, of course : )
>>>
>>> Regarding how we decided to work around that almost definitively: it was to give every user and group in AD some xID, also those in CN=Builtin and CN=Users. We also cleaned our idmap.ldb to keep inside only special users / groups (such as "local system" / S-1-5-18, "guests" / S-1-5-32-546...). We also added some rsync to keep idmap.ldb synchronized on all our DCs, so that these special items have the same mapped xID in case they are used (and so mapped).
>>>
>>> Doing that, the id mapper has no reason to define by itself some xID for users and groups contained in AD, as they already have some xID.
>>>
>>> Until now it seems to work fine...
>>>
>>> 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com <lingpanda101 at gmail.com>:
>>>
>>> On 6/22/2016 8:53 AM, mj wrote:
>>>
>>> On 06/22/2016 02:44 PM, lingpanda101 at gmail.com wrote:
>>>
>>> Why is it when I do a getfacl I do not see the mapping of BUILTIN like others?
>>>
>>> Do you have winbind in /etc/nsswitch.conf?
>>>
>>> mj
>>>
>>> I also thought winbind was only necessary on member servers.
>>>
>>> --
>>> -James
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
>>>
>>> If I assign every user a UID and select groups a GID by utilizing rfc2307 on my DCs, would I still benefit from keeping idmap.ldb synchronized? I'm thinking xIDs are obsolete at that point?
>>>
>>> Only users and groups in AD will avoid the id mapper by that workaround. But there are other accounts ("local system", "guest", "local administrator"...); all these accounts exist on MS Windows clients, and so they can all do stuff on Sysvol and so they can all go through the id mapper.
>>>
>>> So no. There is no way (for me at least :) to totally avoid the id mapper, and so you should keep idmap.ldb synched.
>>>
>>> --
>>> -James
>>
>> I'm in the process now of creating a script to sync idmap.ldb. Does anyone have one at the moment? Is it best practice to stop samba before replacing idmap.ldb on the additional DCs? My script will currently watch for any idmap.ldb changes and create a hot backup if a change is detected. It will then send it to the other DCs via rsync. I'm thinking starting and stopping samba isn't ideal during production hours.
>
> If you are running Samba >= 4.2.0 with the separate 'winbindd' binary, there is no reason to sync idmap.ldb. Syncing idmap was/is only required if you use 'winbind' that is built into the 'samba' binary.
>
> Rowland

Hello Rowland,

If you take a look at your sysvol rights there are two still unresolved groups, SECURITY\Local System and SECURITY\Authenticated Users. These show up with gids from idmap.ldb in the ACL list and therefore cannot be mapped during rsync. So at least these two groups need identical mapping on all DCs. It is however not necessary to keep idmap in sync as long as no other security groups are used.

achim~
On 24/06/16 21:35, Achim Gottinger wrote:
> Hello Rowland,
>
> If you take a look at your sysvol rights there are two still unresolved groups, SECURITY\Local System and SECURITY\Authenticated Users. These show up with gids from idmap.ldb in the ACL list and therefore cannot be mapped during rsync. So at least these two groups need identical mapping on all DCs. It is however not necessary to keep idmap in sync as long as no other security groups are used.
>
> achim~

Yes I know, but each DC knows who they are and, as they are members of the 'SECURITY' domain, they aren't mapped to the DOMAIN or BUILTIN.

Rowland
On 24.06.2016 at 22:35, Achim Gottinger wrote:
> Hello Rowland,
>
> If you take a look at your sysvol rights there are two still unresolved groups, SECURITY\Local System and SECURITY\Authenticated Users. These show up with gids from idmap.ldb in the ACL list and therefore cannot be mapped during rsync. So at least these two groups need identical mapping on all DCs. It is however not necessary to keep idmap in sync as long as no other security groups are used.
>
> achim~

To be more specific, the groups belonging to "WellKnown Security Principals" are not mapped. I called them security groups above.
See here for a list:
https://technet.microsoft.com/en-us/library/dn617202(v=ws.11).aspx#BKMK_AuthenticatedUser
On 24.06.2016 at 22:57, Rowland penny wrote:
> Yes I know, but each DC knows who they are and, as they are members of the 'SECURITY' domain, they aren't mapped to the DOMAIN or BUILTIN.
>
> Rowland

If the gid used for "Authenticated Users" on the source server (dc1) is used for some "random group" on the target server (dc2), the read right on sysvol for authenticated users will instead be given to "random group". This can result in users who are not members of "random group" not being able to access content on sysvol. Therefore it is mandatory that these security groups are mapped to the same gid on all DCs the sysvol content is replicated to.
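The check a practitioner would want before trusting an rsync of sysvol between DCs, as an added example that is not code from this thread or from the Samba project: it covers both James's question about syncing idmap.ldb and Achim's failure mode above. It parses the LDIF that `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` prints on each DC (the attribute names objectSid, xidNumber, type and the sidMap objectClass are the ones idmap.ldb really uses), reports which well-known SIDs received a different xID on each DC, and then walks a `getfacl -n` dump taken on the source DC to list every numeric ACE that would resolve to a different principal on the destination after an ACL-preserving rsync. The two idmap tables, the DC names dc1/dc2, the domain samdom.example.com and the getfacl text are constructed sample data, not captured from a real deployment.

```python
import re

# Well-known security principals: present on every Windows host, absent as AD
# objects, so each DC allocates their xID on its own in idmap.ldb.
WELL_KNOWN_SIDS = {
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-545": "BUILTIN\\Users",
}


def parse_idmap_ldif(text):
    """Return {objectSid: xidNumber} from ldbsearch LDIF output of idmap.ldb."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # '# record N' comments and anything that is not attr: value
            key, _, value = line.partition(": ")
            attrs[key] = value.strip()
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping


def divergent_mappings(per_dc):
    """per_dc: {dc: {sid: xid}}. Return the well-known SIDs whose xID is not
    identical on every DC (a missing mapping counts as a difference)."""
    bad = {}
    for sid in WELL_KNOWN_SIDS:
        xids = {dc: m.get(sid) for dc, m in per_dc.items()}
        if len(set(xids.values())) > 1:
            bad[sid] = xids
    return bad


def parse_getfacl(text):
    """Parse `getfacl -n` output into [(path, [(tag, xid, perms), ...])],
    keeping only the named entries (the ones with a numeric qualifier)."""
    files = []
    for line in text.splitlines():
        if line.startswith("# file:"):
            files.append((line.split(":", 1)[1].strip(), []))
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":", 2)
            if qualifier.isdigit():
                files[-1][1].append((tag, int(qualifier), perms))
    return files


def misattributed_aces(acl_files, src_map, dst_map):
    """Resolve every numeric ACE through the source DC's idmap, then through
    the destination's. A mismatch is an ACE that an ACL-preserving rsync would
    hand to a different principal (or to nobody) on the destination."""
    src_by_xid = {xid: sid for sid, xid in src_map.items()}
    dst_by_xid = {xid: sid for sid, xid in dst_map.items()}
    return [
        (path, tag, xid, perms, src_by_xid.get(xid), dst_by_xid.get(xid))
        for path, entries in acl_files
        for tag, xid, perms in entries
        if src_by_xid.get(xid) != dst_by_xid.get(xid)
    ]


def check_sysvol_sync(src_ldif, dst_ldif, acl_text):
    """Return (divergent well-known SIDs, ACEs that change meaning on dst)."""
    src, dst = parse_idmap_ldif(src_ldif), parse_idmap_ldif(dst_ldif)
    return (divergent_mappings({"dc1": src, "dc2": dst}),
            misattributed_aces(parse_getfacl(acl_text), src, dst))


def ldif(entries):
    """Render {sid: xid} as the LDIF ldbsearch would print (constructed data)."""
    return "\n".join(f"dn: CN={s}\nobjectClass: sidMap\nobjectSid: {s}\n"
                     f"type: ID_TYPE_BOTH\nxidNumber: {x}\n" for s, x in entries.items())


# Constructed sample: dc2 allocated the same pool in a different order, so the
# same numbers name different SIDs on the two DCs.
DC1_IDMAP = ldif({"S-1-5-32-545": 3000000, "S-1-5-11": 3000001, "S-1-5-18": 3000002})
DC2_IDMAP = ldif({"S-1-5-32-545": 3000001, "S-1-5-18": 3000002, "S-1-5-11": 3000003})

# Constructed `getfacl -n` dump of one GPO file as seen on dc1.
SYSVOL_ACL_DC1 = """\
# file: sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
# owner: 0
# group: 0
user::rwx
group::r-x
group:3000001:r-x
group:3000002:rwx
mask::rwx
other::---
"""

if __name__ == "__main__":
    divergent, problems = check_sysvol_sync(DC1_IDMAP, DC2_IDMAP, SYSVOL_ACL_DC1)
    for sid, xids in divergent.items():
        print(f"{WELL_KNOWN_SIDS[sid]} ({sid}) differs: {xids}")
    for path, tag, xid, perms, meant, got in problems:
        print(f"{path}: {tag}:{xid}:{perms} meant {meant}, resolves to {got} on dc2")
```

With the sample tables the script flags Authenticated Users (3000001 on dc1, 3000003 on dc2) and BUILTIN\Users, and shows that the `group:3000001:r-x` entry meant for Authenticated Users becomes a grant to BUILTIN\Users on dc2, which is exactly the "random group" case. Feed it the real `ldbsearch` output from each DC and a `getfacl -Rn` of the sysvol tree to see whether your own deployment is affected before relying on the rsync.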
On 24/06/16 22:08, Achim Gottinger wrote:> > > Am 24.06.2016 um 22:35 schrieb Achim Gottinger: >> >> >> Am 24.06.2016 um 21:24 schrieb Rowland penny: >>> On 24/06/16 19:47, lingpanda101 at gmail.com wrote: >>>> On 6/24/2016 11:40 AM, mathias dufresne wrote: >>>>> >>>>> >>>>> 2016-06-24 15:24 GMT+02:00 lingpanda101 at gmail.com >>>>> <mailto:lingpanda101 at gmail.com> <lingpanda101 at gmail.com >>>>> <mailto:lingpanda101 at gmail.com>>: >>>>> >>>>> On 6/22/2016 12:21 PM, mathias dufresne wrote: >>>>> >>>>> 2016-06-22 16:37 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl >>>>> <mailto:belle at bazuin.nl>>: >>>>> >>>>> @Mathias, >>>>> >>>>> Pretty strange then, running some years like this without >>>>> any problem. >>>>> Yes we had few problems with "rights" in sysvol, but i >>>>> fixed this all >>>>> outside linux, and with that i mean. Changed rights from >>>>> within windows or >>>>> added registry changes or patches, or a local clean up of >>>>> the policies. >>>>> >>>>> At the install of my DC2 i also synced the idmap.ldb, and >>>>> then a >>>>> net idmap flush on both servers to make my both dc's >>>>> in sync. >>>>> And i keep it in sync with my rsync/unison setup. >>>>> >>>>> All new added, but i'll keep an eye also in this and i'll >>>>> recheck my logs. >>>>> But i dont think i'll find anything here. >>>>> I'll keep notice on your "workaround". >>>>> >>>>> Which backend are you using matias? >>>>> Mine : (idmap config NTDOMAIN : backend = ad) >>>>> >>>>> >>>>> Gr. >>>>> >>>>> Louis >>>>> >>>>> >>>>> OK you keep idmap.ldb synched, that's what I missed until few >>>>> days and was >>>>> the reason that is was not working. >>>>> Our choice to give each and users and groups into AD some xID >>>>> is only to >>>>> avoid usage of mapping. I expect the synchronization of >>>>> idmap.ldb (if done >>>>> often enough) would be sufficient. But I don't always like >>>>> magic : ) >>>>> >>>>> Thank you for precisions ! 
>>>>> >>>>> >>>>> Cheers all >>>>> >>>>> >>>>> -----Oorspronkelijk bericht----- >>>>> Van: samba [mailto:samba-bounces at lists.samba.org >>>>> <mailto:samba-bounces at lists.samba.org>] Namens mathias >>>>> >>>>> dufresne >>>>> >>>>> Verzonden: woensdag 22 juni 2016 15:31 >>>>> Aan: lingpanda101 at gmail.com >>>>> <mailto:lingpanda101 at gmail.com> >>>>> CC: samba >>>>> Onderwerp: Re: [Samba] Rights issue on GPO >>>>> >>>>> @LPH van Belle >>>>> I did tried (and still use) "acl_xattr:ignore system >>>>> acls = yes" as shown >>>>> on the first mail of that thread. And even using that >>>>> rights errors on >>>>> >>>>> GPO >>>>> >>>>> files _are_ an issue. Otherwise that thread won't >>>>> have >>>>> been opened of >>>>> course : ) >>>>> >>>>> Regarding how we decided to workaround almost >>>>> definitively with that was >>>>> to >>>>> give every users and groups in AD some xID, also >>>>> those >>>>> in CN=Builtin and >>>>> CN=Users. We also cleaned our idmap.ldb to keep >>>>> inside >>>>> only special users >>>>> / >>>>> groups (as "local system" / S-1-5-18, "guests" / >>>>> S-1-5-32-546...). >>>>> We also add some rsync to keep idmap.ldb synchronized >>>>> on all our DC, for >>>>> these special items have same mapped xID in case they >>>>> are used (and so >>>>> mapped). >>>>> >>>>> Doing that id mapper has no reason to define by >>>>> itself >>>>> some xID to users >>>>> and groups contained into AD as they already have >>>>> some >>>>> xID. >>>>> >>>>> Until now it seems to work fine... >>>>> >>>>> >>>>> 2016-06-22 15:09 GMT+02:00 lingpanda101 at gmail.com >>>>> <mailto:lingpanda101 at gmail.com> >>>>> <lingpanda101 at gmail.com >>>>> <mailto:lingpanda101 at gmail.com>>: >>>>> >>>>> On 6/22/2016 8:53 AM, mj wrote: >>>>> >>>>> >>>>> On 06/22/2016 02:44 PM, >>>>> lingpanda101 at gmail.com >>>>> <mailto:lingpanda101 at gmail.com> wrote: >>>>> >>>>> Why is is when I do a getfacl I do not >>>>> see >>>>> the mapping of BUILTIN >>>>> >>>>> like >>>>> >>>>> others? 
>>>>> >>>>> do you have winbind in /etc/nsswitch.conf? >>>>> >>>>> mj >>>>> >>>>> >>>>> I also thought winbind was only necessary on >>>>> member servers. >>>>> >>>>> -- >>>>> -James >>>>> >>>>> >>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following >>>>> URL and read the >>>>> instructions: >>>>> https://lists.samba.org/mailman/options/samba >>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL >>>>> and read the >>>>> instructions: >>>>> https://lists.samba.org/mailman/options/samba >>>>> >>>>> >>>>> >>>>> -- >>>>> To unsubscribe from this list go to the following URL and >>>>> read the >>>>> instructions: >>>>> https://lists.samba.org/mailman/options/samba >>>>> >>>>> >>>>> If I assign every user a UID and select groups a GID by utilizing >>>>> rfc2307 on my DC's. Would I still benefit from keeping idmap.ldb >>>>> synchronized? I'm thinking XID's are obsolete at that point? >>>>> >>>>> >>>>> Only users and groups in AD will avoid id mapper by that >>>>> workaround. But there are others accounts ("local system", >>>>> "guest", "local administrator"...) all these accounts exist on MS >>>>> Windows clients, and so they can all do stuff on Sysvol and so >>>>> they can all go through id mapper. >>>>> >>>>> So no. There no way (for me at least :) to totally avoid id mapper >>>>> and so you should keep idmap.ldb synched. >>>>> >>>>> >>>>> >>>>> >>>>> -- -James >>>>> >>>>> >>>>> -- To unsubscribe from this list go to the following URL >>>>> and read the >>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>> >>>>> >>>> >>>> I'm in the process now of creating a script to sync idmap.ldb. Does >>>> anyone have one at the moment? Is it best practice to stop samba >>>> before replacing idmap.ldb on the additional DC's? My script will >>>> currently watch for any idmap.ldb changes and create a hot backup >>>> if a change is detected. It will then send to the other DC's via >>>> rsync. 
>>>> I'm thinking starting and stopping samba isn't ideal during production hours.
>>>>
>>>
>>> If you are running Samba >= 4.2.0 with the separate 'winbindd' binary, there is no reason to sync idmap.ldb. Syncing idmap was/is only required if you use 'winbind' that is built into the 'samba' binary.
>>>
>>> Rowland
>>>
>> Hello Rowland,
>>
>> If you take a look at your sysvol rights there are two still unresolved groups SECURITY\Local System and SECURITY\Authenticated Users. These show up with gids from idmap.ldb in the acl list and therefore can not be mapped during rsync. So at least these two groups need identical mapping on all DCs. It is however not necessary to keep idmap in sync as long as no other security groups are used.
>>
>> achim~
>>
> To be more specific, the groups belonging to "WellKnown Security Principals" are not mapped. I called them security groups above.
> See here for a list:
> https://technet.microsoft.com/en-us/library/dn617202(v=ws.11).aspx#BKMK_AuthenticatedUser
>

I know all of the above, and you seem to be using fixes that had to be used with a Samba 4 AD DC that used the 'winbind' part of the 'samba' binary.

When Samba 4.2.0 came out, 'winbind' was replaced with the separate 'winbindd' binary (the same one used on a domain member). This means that, even though an AD object may be mapped to a number, the DC knows what AD object that is. This means you do not need to sync idmap.ldb between DCs if you use Samba >= 4.2.0 with the separate 'winbindd' binary.

Rowland
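Achim's point above is that the well-known security principals must resolve to the same xidNumber on every DC, otherwise the numeric ids stored in SYSVOL ACLs mean different things after an rsync. As an added example (not code from the thread or from Samba), the following check parses constructed `ldbsearch` dumps of idmap.ldb from two DCs and reports well-known SIDs that are missing or mapped differently; the default path /var/lib/samba/private/idmap.ldb, the `sidMap` objectClass filter and the S-1-5-11 SID for Authenticated Users are assumptions.

```python
import re
# Well-known SIDs that the thread says show up in SYSVOL ACLs as idmap.ldb gids.
WELL_KNOWN = {"S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-546": "Guests"}
# Constructed sample dumps (not real DC data), shaped like the output of
# `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'`.
DC1_DUMP = """\
# record 1
dn: CN=S-1-5-18
objectSid: S-1-5-18
xidNumber: 3000000

dn: CN=S-1-5-11
objectSid: S-1-5-11
xidNumber: 3000001

dn: CN=S-1-5-32-546
objectSid: S-1-5-32-546
xidNumber: 3000002
"""
# DC2 allocated a different xid to Authenticated Users and never mapped Guests.
DC2_DUMP = """\
dn: CN=S-1-5-18
objectSid: S-1-5-18
xidNumber: 3000000

dn: CN=S-1-5-11
objectSid: S-1-5-11
xidNumber: 3000005
"""

def parse_idmap_ldif(text):
    """Return {objectSid: xidNumber} from ldbsearch LDIF output (blank-line separated records)."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        sid = re.search(r"^objectSid: (\S+)$", record, re.M)
        xid = re.search(r"^xidNumber: (\d+)$", record, re.M)
        if sid and xid:  # a comment-only record such as "# returned 3 records" has neither
            mapping[sid.group(1)] = int(xid.group(1))
    return mapping

def find_mismatches(dumps):
    """List (sid, name, {dc: xid or None}) for well-known SIDs missing on a DC or mapped differently."""
    parsed = {dc: parse_idmap_ldif(text) for dc, text in dumps.items()}
    problems = []
    for sid, name in WELL_KNOWN.items():
        per_dc = {dc: m.get(sid) for dc, m in parsed.items()}
        if len(set(per_dc.values())) > 1:  # any disagreement, including a missing entry
            problems.append((sid, name, per_dc))
    return problems
```

Run the same dump on each DC and feed the outputs in; an empty result means the mappings Achim is worried about agree across DCs, regardless of which winbind flavour is in use.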
On 25 June 2016 10:30, "Rowland penny" <rpenny at samba.org> wrote:
>
> I know all of the above, and you seem to be using fixes that had to be used with a Samba 4 AD DC that used the 'winbind' part of the 'samba' binary.
>
> When Samba 4.2.0 came out, 'winbind' was replaced with the separate 'winbindd' binary (the same one used on a domain member). This means that, even though an AD object may be mapped to a number, the DC knows what AD object that is.
>
> This means you do not need to sync idmap.ldb between DCs if you use Samba >= 4.2.0 with the separate 'winbindd' binary.

What you wrote sounds very strange to me, as we use 4.4.4, we do not explicitly tell Samba to use winbind in place of winbindd, and we had to keep idmap.ldb synced. Or at least we had issues until we synced it.

> Rowland