Stefan Bellon
2021-Apr-05 11:55 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On Sun, 04 Apr, Stefan Bellon via samba wrote:

> Then I'll try it tomorrow or the day after. Thanks a lot so far!

Ok, sadly, removing "idmap_ldb:use rfc2307 = yes" did not help.

I dug a bit deeper ... let's try whether I understood the problem right:

root@dc1:~# ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=100)'
# record 1
dn: CN=S-1-5-21-37643267-2172530850-1818422998-513
cn: S-1-5-21-37643267-2172530850-1818422998-513
objectClass: sidMap
objectSid: S-1-5-21-37643267-2172530850-1818422998-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-37643267-2172530850-1818422998-513

# returned 1 records
# 1 entries
# 0 referrals

root@dc1:~# wbinfo --sid-to-name=S-1-5-21-37643267-2172530850-1818422998-513
DS\Domain Users 2

root@dc1:~# grep :100: /etc/group
users:x:100:

root@dc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=developers)' cn gidNumber
# record 1
dn: CN=developers,CN=Users,DC=xxx
cn: developers
gidNumber: 100

# Referral
ref: ldap://ds.axivion.com/CN=Configuration,DC=xxx

# Referral
ref: ldap://ds.axivion.com/DC=DomainDnsZones,DC=xxx

# Referral
ref: ldap://ds.axivion.com/DC=ForestDnsZones,DC=xxx

# returned 4 records
# 1 entries
# 3 referrals

So, SID S-1-5-21-37643267-2172530850-1818422998-513 is "Domain Users" and has the xidNumber 100 attribute attached (via idmap.ldb).

On the other hand, AD group "developers" also maps to gidNumber 100 (via sam.ldb).

And this is the conflict here?

If that is a correct understanding ... wouldn't one of the following two ways help to remove the conflict?

1) I could remove the attribute gidNumber from our AD group "developers" (via sam.ldb). The individual users would still have the gidNumber attribute set to 100 and nslcd would assign those users gid 100 and group "users" on the Linux side while in AD the group "developers" would not be connected to GID 100 any more?

2) Or, a second way to break the conflict: Change (via idmap.ldb) the xidNumber of "Domain Users" from 100 to something like 3000100?

Does this sound reasonable? And - would it work? ;-)

Greetings,
Stefan

-- 
Stefan Bellon
Rowland penny
2021-Apr-05 12:12 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On 05/04/2021 12:55, Stefan Bellon via samba wrote:
> On Sun, 04 Apr, Stefan Bellon via samba wrote:
>
>> Then I'll try it tomorrow or the day after. Thanks a lot so far!
>
> Ok, sadly, removing "idmap_ldb:use rfc2307 = yes" did not help.
>
> I dug a bit deeper ... let's try whether I understood the problem right:
>
> root@dc1:~# ldbsearch -H /var/lib/samba/private/idmap.ldb '(xidNumber=100)'
> # record 1
> dn: CN=S-1-5-21-37643267-2172530850-1818422998-513
> cn: S-1-5-21-37643267-2172530850-1818422998-513
> objectClass: sidMap
> objectSid: S-1-5-21-37643267-2172530850-1818422998-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-37643267-2172530850-1818422998-513

That is correct.

> root@dc1:~# wbinfo --sid-to-name=S-1-5-21-37643267-2172530850-1818422998-513
> DS\Domain Users 2

Again that is correct.

> root@dc1:~# grep :100: /etc/group
> users:x:100:

Again that is correct.

> root@dc1:~# ldbsearch -H /var/lib/samba/private/sam.ldb '(cn=developers)' cn gidNumber
> # record 1
> dn: CN=developers,CN=Users,DC=xxx
> cn: developers
> gidNumber: 100

And that is one of your problems, you have two groups in AD that map to the Unix ID '100'.

> So, SID S-1-5-21-37643267-2172530850-1818422998-513 is "Domain Users"
> and has the xidNumber 100 attribute attached (via idmap.ldb).
>
> On the other hand, AD group "developers" also maps to gidNumber 100
> (via sam.ldb).
>
> And this is the conflict here?

Oh yes, that is a conflict if there ever was one.

> If that is a correct understanding ... wouldn't one of the following
> two ways help to remove the conflict?
>
> 1) I could remove the attribute gidNumber from our AD group "developers"
> (via sam.ldb). The individual users would still have the gidNumber
> attribute set to 100 and nslcd would assign those users gid 100 and
> group "users" on the Linux side while in AD the group "developers"
> would not be connected to GID 100 any more?

You would also have to run 'net cache flush', but that would get everything back to where it should be, but anything belonging to developers would probably belong to 'users' after the change.

> 2) Or, a second way to break the conflict: Change (via idmap.ldb) the
> xidNumber of "Domain Users" from 100 to something like 3000100?

That would fix it on the AD side, but developers would be mapped to the Unix group 'users', I would prefer option 1.

Rowland
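The GID collision diagnosed in this thread can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from Samba: it parses the LDIF-style text that `ldbsearch` prints (the two samples inside it are constructed, modelled on the output quoted above) and reports any Unix GID claimed both by an ID_TYPE_GID sidMap entry in idmap.ldb and by a gidNumber attribute in sam.ldb.

```python
"""Find Unix GIDs claimed by both an idmap.ldb sidMap entry and an AD object's
gidNumber, by parsing the LDIF-style text that `ldbsearch` prints (as in the thread)."""

# Constructed samples modelled on the thread's ldbsearch output; use real output in practice.
IDMAP_LDIF = """\
# record 1
dn: CN=S-1-5-21-37643267-2172530850-1818422998-513
objectSid: S-1-5-21-37643267-2172530850-1818422998-513
type: ID_TYPE_GID
xidNumber: 100
"""

SAM_LDIF = """\
# record 1
dn: CN=developers,CN=Users,DC=xxx
cn: developers
gidNumber: 100
"""

def parse_ldif(text):
    """Split ldbsearch output into records ({attribute: value}); blank and '#' lines end a record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value.strip()
    if current:
        records.append(current)
    return records

def gid_conflicts(idmap_ldif, sam_ldif):
    """Return {gid: [claimants]} for every Unix GID claimed by more than one object."""
    claims = {}
    for rec in parse_ldif(idmap_ldif):  # xidNumber of type ID_TYPE_GID is a Unix GID
        if rec.get("type") == "ID_TYPE_GID" and "xidNumber" in rec:
            claims.setdefault(int(rec["xidNumber"]), []).append("idmap.ldb:" + rec["objectSid"])
    for rec in parse_ldif(sam_ldif):  # rfc2307 gidNumber on an AD group or user
        if "gidNumber" in rec:
            claims.setdefault(int(rec["gidNumber"]), []).append("sam.ldb:" + rec.get("cn", rec["dn"]))
    return {gid: who for gid, who in claims.items() if len(who) > 1}

if __name__ == "__main__":
    for gid, who in sorted(gid_conflicts(IDMAP_LDIF, SAM_LDIF).items()):
        print(f"GID {gid} claimed by: {', '.join(who)}")
```

To run it against a live DC, replace the two samples with the full output of `ldbsearch -H /var/lib/samba/private/idmap.ldb '(type=ID_TYPE_GID)'` and `ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' cn gidNumber`; an empty result means no GID is double-booked.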