Taylor Hammerling
2017-Dec-15 17:09 UTC
[Samba] UID/GID -> SID -> NAME mapping across multiple DCs
This isn't necessarily an issue (I don't think) but more so a curiosity.

How are UIDs mapped to SIDs and then SIDs mapped to names in Samba4 across multiple DCs?

I set up my DCs using Louis' how tos (https://github.com/thctlo/samba4/tree/master/howtos).

All of my DCs' smb.confs have the line "idmap_ldp:use rfc2307 = yes"

My policies folder under \sysvol\domainname\ has permissions of

# file: Policies/
# owner: root
# group: 3000000
user::rwx
group::r-x
other::r-x

and the folders below the policies folder have permissions like this

393060 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26 {3010F9BE-44ED-474B-B1A4-97126DF3D2B2}
393073 drwxrwx---+ 4 3000008 3000008  4096 Dec 12 09:26 {31B2F340-016D-11D2-945F-00C04FB984F9}
393084 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26 {6AC1786C-016F-11D2-945F-00C04FB984F9}
393093 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26 {9BDC0BE2-5A5E-411F-81E5-6450803FA20D}
393100 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26 {9FCBF966-79B8-4E1B-9E96-EE950FD00731}
393108 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26 {F175AAA1-AA6D-4A0F-BD42-9321BAA3061E}
393006 drwxr-xr-x  3 3000000 users   12288 Dec 12 09:26 PolicyDefinitions

I have three DCs, dc1, dc2 and dc3.

I ran some wbinfo's on all my DCs to check if the UIDs lined up with the same SIDs on each DC, and the results were confusing.
DC1======------
root at dc1 /# wbinfo -U 3000000
S-1-5-32-544
root at dc1 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc1 /# wbinfo -G 3000000
S-1-5-32-544
root at dc1 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc1 /# wbinfo -U 3000008
S-1-5-21-2360315722-3846793618-1593657947-572
root at dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
TCSBASYS\Denied RODC Password Replication Group 4
root at dc1 /# wbinfo -G 3000008
S-1-5-21-2360315722-3846793618-1593657947-572
root at dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
TCSBASYS\Denied RODC Password Replication Group 4

DC2======------
root at dc2 /# wbinfo -U 3000000
S-1-5-32-544
root at dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc2 /# wbinfo -G 3000000
S-1-5-32-544
root at dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc2 /# wbinfo -U 3000008
S-1-5-21-2360315722-3846793618-1593657947-512
root at dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
TCSBASYS\Domain Admins 2
root at dc2 /# wbinfo -G 3000008
S-1-5-21-2360315722-3846793618-1593657947-512
root at dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
TCSBASYS\Domain Admins 2

DC3======------
root at dc2 /# wbinfo -U 3000000
S-1-5-32-544
root at dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc2 /# wbinfo -G 3000000
S-1-5-32-544
root at dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc3 /# wbinfo -U 3000008
S-1-5-64-10
root at dc3 /# wbinfo -s S-1-5-64-10
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-64-10
root at dc3 /# wbinfo -G 3000008
S-1-5-64-10
root at dc3 /# wbinfo -s S-1-5-64-10
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-64-10

Any help/insight you can provide would be greatly appreciated!

Thanks and have a super Friday!
-- *Taylor Hammerling* | *IT Manager* 2800 Laura Lane | Middleton, WI 53562 *O *(608) 669-9070 *| C *(608) 512-7849 tcsbasys.com | ubiquistat.com
Rowland Penny
2017-Dec-15 17:47 UTC
[Samba] UID/GID -> SID -> NAME mapping across multiple DCs
On Fri, 15 Dec 2017 11:09:38 -0600 Taylor Hammerling via samba <samba at lists.samba.org> wrote:

> [...]
> Thanks and have a super Friday!

Welcome to the wonderful world of idmap.ldb on Samba AD DCs ;-)

I take it you have synced sysvol between the three DCs; you now need to sync idmap.ldb from the first DC to the other two. The IDs are allocated on a first-come basis, so you are likely to get the IDs allocated to different groups etc. In your case '3000008' has been given to 'S-1-5-64-10' on DC3; this is the SID for 'NTLM Authentication' and it should be 'Domain Admins' as on the other two.

Rowland
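A cross-DC consistency check for the situation Rowland describes, written as an added example for this thread (it is not code from the thread, from Louis' how-tos or from the Samba project). It asks every DC, over ssh, what `wbinfo -U`/`wbinfo -G` return for a given xid and what `wbinfo -s` makes of that SID, then flags any xid that does not resolve to one SID and one name everywhere. The ssh-as-root access and the DC hostnames are assumptions; the parsing and comparison are kept separate from the collection, and the embedded sample is a constructed replay of the wbinfo output quoted above so the script runs offline.

```python
#!/usr/bin/env python3
"""Report xidNumbers (UIDs/GIDs) that idmap.ldb has mapped to different SIDs on
different Samba AD DCs. Added example; assumes ssh as root to each DC and
wbinfo on the DCs. Parsing and comparison are separate from collection so the
check can also be run over captured wbinfo output."""
import re
import subprocess
from collections import defaultdict

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_wbinfo_xid(output):
    """SID printed by `wbinfo -U <uid>` / `wbinfo -G <gid>`, or None on failure."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    return first if SID_RE.match(first) else None


def parse_wbinfo_sid(output):
    """Name printed by `wbinfo -s <sid>` ('DOMAIN\\name <type>'), or None if the
    lookup failed (e.g. WBC_ERR_DOMAIN_NOT_FOUND for an unallocatable SID)."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    if not first or first.startswith("failed") or first.startswith("Could not"):
        return None
    m = re.match(r"^(.*\S)\s+\d+$", first)  # drop the trailing SID-type number
    return m.group(1) if m else first


def run_remote(dc, argv):
    """Run a command on a DC over ssh (assumption: root key login works)."""
    proc = subprocess.run(["ssh", f"root@{dc}", *argv], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def collect(dcs, xids, runner=run_remote):
    """{xid: {dc: {"uid": sid, "gid": sid, "name": name}}} for every DC and xid."""
    result = defaultdict(dict)
    for dc in dcs:
        for xid in xids:
            uid_sid = parse_wbinfo_xid(runner(dc, ["wbinfo", "-U", str(xid)]))
            gid_sid = parse_wbinfo_xid(runner(dc, ["wbinfo", "-G", str(xid)]))
            sid = uid_sid or gid_sid
            name = parse_wbinfo_sid(runner(dc, ["wbinfo", "-s", sid])) if sid else None
            result[str(xid)][dc] = {"uid": uid_sid, "gid": gid_sid, "name": name}
    return dict(result)


def find_mismatches(mapping):
    """xids that do not resolve to exactly one SID, and to a name, on every DC.
    Returns {xid: {dc: (uid_sid, gid_sid, name)}} so the report shows who got what."""
    bad = {}
    for xid, per_dc in mapping.items():
        sids = {(v["uid"], v["gid"]) for v in per_dc.values()}
        unresolved = any(v["name"] is None for v in per_dc.values())
        if len(sids) != 1 or None in next(iter(sids)) or unresolved:
            bad[xid] = {dc: (v["uid"], v["gid"], v["name"]) for dc, v in per_dc.items()}
    return bad


# --- constructed sample replaying the wbinfo output quoted in the thread ---
DOMAIN_SID = "S-1-5-21-2360315722-3846793618-1593657947"
SAMPLE_XID = {
    "dc1": {"3000000": "S-1-5-32-544", "3000008": DOMAIN_SID + "-572"},
    "dc2": {"3000000": "S-1-5-32-544", "3000008": DOMAIN_SID + "-512"},
    "dc3": {"3000000": "S-1-5-32-544", "3000008": "S-1-5-64-10"},
}
SAMPLE_NAME = {
    "S-1-5-32-544": "BUILTIN\\Administrators 4\n",
    DOMAIN_SID + "-572": "TCSBASYS\\Denied RODC Password Replication Group 4\n",
    DOMAIN_SID + "-512": "TCSBASYS\\Domain Admins 2\n",
}


def sample_runner(dc, argv):
    """Stand-in for run_remote that replays the constructed sample (no ssh)."""
    if argv[1] in ("-U", "-G"):
        return SAMPLE_XID[dc][argv[2]] + "\n"
    sid = argv[2]
    return SAMPLE_NAME.get(sid, "failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND\n"
                                f"Could not lookup sid {sid}\n")


def report(dcs, xids, runner=run_remote):
    """Collect, compare and print one block per inconsistent xid; returns the mismatches."""
    bad = find_mismatches(collect(dcs, xids, runner))
    for xid, per_dc in sorted(bad.items()):
        print(f"xid {xid} is inconsistent across DCs:")
        for dc, (uid, gid, name) in per_dc.items():
            print(f"  {dc}: uid->{uid} gid->{gid} name={name or 'UNRESOLVED'}")
    return bad


if __name__ == "__main__":
    report(["dc1", "dc2", "dc3"], ["3000000", "3000008"], runner=sample_runner)
```

Against the sample this flags only 3000008 (three different SIDs, one of them unresolvable on dc3) and leaves 3000000 alone, which matches the thread. On real DCs, call `report` with the default runner and the numeric owners seen on sysvol (`ls -n` on the Policies tree gives them); any xid it flags is one whose GPO folder ownership means something different on each DC until idmap.ldb is synced.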
Taylor Hammerling
2017-Dec-15 17:56 UTC
[Samba] UID/GID -> SID -> NAME mapping across multiple DCs
Interesting... How do I go about getting them/keeping them in sync?

On Fri, Dec 15, 2017 at 11:47 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> [...]