On 2/5/21 at 11:54 AM, Thomas Geppert via samba wrote:
> I've installed and provisioned a Samba ADDC in an unprivileged Linux
> container. The details can be found in my post "Samba AD DC in an
> unprivileged lxc revisited".

...which was a flabbergasting read! Well done, albeit I fear there are
still some problems due to the idmapping issue you're seeing.

> The ADDC seems to work properly but there is one detail that still bothers
> me. In the output of samba-tool were the following warnings:
> INFO 2021-02-02 19:51:42,853 pid:942
> /usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py
> #1592: Setting up self join
> Repacking database from v1 to v2 format (first record
> CN=dhcp-Properties,CN=Schema,CN=Configuration,DC=....,DC=....,DC=....)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record
> CN=mSMQMigratedUser-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=....,DC=....,DC=....)
> Repacking database from v1 to v2 format (first record
> CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP
> Security,CN=System,DC=.....,DC=....,DC=....)
> map_smb4_to_nfs4_id: Unknown gid [30000]
> map_smb4_to_nfs4_id: Unknown gid [30001]
> map_smb4_to_nfs4_id: Unknown gid [30002]
> ....
> map_smb4_to_nfs4_id: Unknown gid [30003]
> map_smb4_to_nfs4_id: Unknown gid [30007]
> INFO 2021-02-02 19:51:45,498 pid:942
> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
> #1143: Adding DNS accounts
> INFO 2021-02-02 19:51:45,517 pid:942
> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
> #1177: Creating
> CN=MicrosoftDNS,CN=System,DC=....,DC=....,DC=....
>
> Can someone shed some light on what's causing these "Unknown gid" messages and
> what it could mean for the operation of the ADDC ?

The module does a getgrgid() call on those ids and apparently nsswitch
doesn't know about those ids. Do you have winbind in nsswitch.conf?
Fwiw, I have no idea if that is sensible on an AD DC... :)

Having said that, when the mapping fails the full NT ACL will not be
stored correctly, so this likely means your AD DC setup is screwed. What
does samba-tool ntacl sysvolcheck/sysvolreset have to say on this?

Cheers!
-slow

--
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
On 05/02/2021 11:06, Ralph Boehme via samba wrote:
> On 2/5/21 at 11:54 AM, Thomas Geppert via samba wrote:
>> I've installed and provisioned a Samba ADDC in an unprivileged Linux
>> container. The details can be found in my post "Samba AD DC in an
>> unprivileged lxc revisited".
>
> ...which was a flabbergasting read! Well done, albeit I fear there are
> still some problems due to the idmapping issue you're seeing.
>
>> The ADDC seems to work properly but there is one detail that still
>> bothers me. In the output of samba-tool were the following warnings:
>> INFO 2021-02-02 19:51:42,853 pid:942
>> /usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py
>> #1592: Setting up self join
>> Repacking database from v1 to v2 format (first record
>> CN=dhcp-Properties,CN=Schema,CN=Configuration,DC=....,DC=....,DC=....)
>> Repack: re-packed 10000 records so far
>> Repacking database from v1 to v2 format (first record
>> CN=mSMQMigratedUser-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=....,DC=....,DC=....)
>> Repacking database from v1 to v2 format (first record
>> CN=ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000},CN=IP
>> Security,CN=System,DC=.....,DC=....,DC=....)
>> map_smb4_to_nfs4_id: Unknown gid [30000]
>> map_smb4_to_nfs4_id: Unknown gid [30001]
>> map_smb4_to_nfs4_id: Unknown gid [30002]
>> ....
>> map_smb4_to_nfs4_id: Unknown gid [30003]
>> map_smb4_to_nfs4_id: Unknown gid [30007]
>> INFO 2021-02-02 19:51:45,498 pid:942
>> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
>> #1143: Adding DNS accounts
>> INFO 2021-02-02 19:51:45,517 pid:942
>> /usr/local/samba/lib/python3.7/site-packages/samba/provision/sambadns.py
>> #1177: Creating
>> CN=MicrosoftDNS,CN=System,DC=....,DC=....,DC=....
>>
>> Can someone shed some light on what's causing these "Unknown gid"
>> messages and what it could mean for the operation of the ADDC ?
>
> The module does a getgrgid() call on those ids and apparently nsswitch
> doesn't know about those ids. Do you have winbind in nsswitch.conf?
>
> Fwiw, I have no idea if that is sensible on an AD DC... :)

Whilst it isn't recommended to use a DC for anything other than
authentication, you can set winbind in the passwd & group lines in
/etc/nsswitch. However, these numbers are appearing during a provision and
surely at this point all the ID numbers are in the '3000000' range, so
where are the '30000' numbers coming from ?

Rowland
Thank you guys for looking at this.

On 05/02/2021 11:39, Rowland penny via samba wrote:
> However, these numbers are appearing during a provision and surely at
> this point all the ID numbers are in the '3000000' range, so where are
> the '30000' numbers coming from ?

Sorry, I didn't tell the whole story. To fit the uids and gids into the
default mapping range of an unprivileged container I also had to set

lowerBound: 30000
upperBound: 65533

in idmap_init.ldif. I didn't want to enlarge the allowed mapping range for
the Linux container because I won't have that many uids and gids.

On 05/02/2021 11:06, Ralph Boehme via samba wrote:
> The module does a getgrgid() call on those ids and apparently nsswitch
> doesn't know about those ids. Do you have winbind in nsswitch.conf?
> Fwiw, I have no idea if that is sensible on an AD DC... :)
>
> Having said that, when the mapping fails the full NT ACL will not be
> stored correctly, so this likely means your AD DC setup is screwed. What
> does samba-tool ntacl sysvolcheck/sysvolreset have to say on this?

"samba-tool ntacl sysvolcheck" did throw an exception:

ERROR(<class 'TypeError'>): uncaught exception - (61, 'No data available')
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line 1885, in checksysvolacl
    fsacl = getntacl(lp, dir_path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/ntacls.py", line 121, in getntacl
    xattr.XATTR_NTACL_NAME)

and "samba-tool ntacl sysvolreset" issued the same "Unknown gid" warnings
as the provisioning script.
However, after adding winbind to the passwd and group entries in
/etc/nsswitch.conf the sysvolreset completes without any messages, but the
sysvolcheck is still not happy and throws the exception. The error message
seems to indicate that it's expecting to find an NTACL where there is none.
Any idea why ?

-----------
Thomas
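The three checks this thread circles around (the idmap bounds set in idmap_init.ldif, the getgrgid() lookup behind the "Unknown gid" warning, and winbind on the passwd/group lines of nsswitch.conf), as an added diagnostic example that is not from the thread or from Samba itself. The sample ldif and nsswitch contents are constructed, the resolver is injectable so the check runs offline, and the 65536-id container window is an assumption:

```python
import grp
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed fragment of idmap_init.ldif with the bounds quoted in the thread.
SAMPLE_IDMAP_LDIF = """dn: CN=CONFIG
lowerBound: 30000
upperBound: 65533
"""

# Constructed nsswitch.conf as it might look before winbind was added.
SAMPLE_NSSWITCH = """passwd: files systemd
group:  files systemd
"""


def parse_idmap_bounds(ldif_text: str) -> Tuple[int, int]:
    """Return (lowerBound, upperBound) from an idmap_init.ldif fragment."""
    found = dict(re.findall(r"^(lowerBound|upperBound):\s*(\d+)\s*$", ldif_text, re.M))
    return int(found["lowerBound"]), int(found["upperBound"])


def nsswitch_has_winbind(text: str) -> Dict[str, bool]:
    """Report whether the passwd and group databases list winbind."""
    result = {"passwd": False, "group": False}
    for line in text.splitlines():
        m = re.match(r"^(passwd|group):\s*(.*)$", line)
        if m:
            result[m.group(1)] = "winbind" in m.group(2).split()
    return result


def unknown_gids(gids: Iterable[int],
                 resolve: Callable[[int], object] = grp.getgrgid) -> List[int]:
    """gids that resolve() cannot look up (KeyError), i.e. unknown to NSS.
    With the default resolver this is the same getgrgid() lookup that
    map_smb4_to_nfs4_id performs before emitting 'Unknown gid'."""
    missing = []
    for gid in gids:
        try:
            resolve(gid)
        except KeyError:
            missing.append(gid)
    return missing


def range_fits_container(lower: int, upper: int, mapped_ids: int = 65536) -> bool:
    """True if [lower, upper] lies inside the ids the container maps.
    The 65536 default (ids 0..65535) is an assumption; the thread's
    upperBound of 65533 sits just below it."""
    return 0 <= lower <= upper < mapped_ids
```

Running unknown_gids(range(lower, upper + 1)) with the real grp.getgrgid inside the container before and after adding winbind to nsswitch.conf shows directly which ids the provisioning warnings will name.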
On 05/02/2021 14:07, Rowland penny via samba wrote:
>> The provisioning and the nfs options given in the provisioning, that's
>> the pain point.
> They are the way the OP is trying to get something that shouldn't work,
> to work.

GUILTY ! I have to confess. However, I must say that I don't understand why
it shouldn't work. I'm relatively new to Samba but my understanding is that
both vfs modules, acl_xattr and nfs4acl, are perfectly capable of storing
NTACLs losslessly. Nevertheless, using the nfs4acl vfs module does not
provide the same functionality as using the acl_xattr vfs module. I did
some research but without the background of 30 years of development that
went into the product I'm a little bit lost at some points.

- Why are POSIX ACLs required at all during provisioning when NTACLs are
  available ?
- Why does the nfs4acl module intentionally mask the POSIX ACL calls and
  doesn't pass them down the stack or implement them the same way as the
  acl_xattr module ?

Thanks
-------------------
Thomas