samba - Feb 2022 - Apply GPO in Windows from which DC?

On Thu, 2022-02-10 at 17:30 +0100, Matthias Leopold via samba
wrote:
> 
> 
> 
> My GPO client is connecting to the full domain name for some reason, 
That is what it is supposed to do.
> this resolves to both DCs.
It should and if you add any further DC's, it would resolve to them as
well.
> I'm not testing access to sysvol on every DC, but I'm watching smbd
> logfiles on both DCs and see when the computer connects for the GPO
> update.
> The "permission denied" errors are a different story again. The
> UID/GID 
> numbers I see in the log line for the connecting computer are
> completely 
> strange. They are from the 3000000 range
As is expected, Samba DC's use 'xidNumber' attributes (to be found
in
idmap.ldb, not AD) and these start from '3000000', they can be
'ID_TYPE_BOTH', this means that they are both a user and a group.
There is one problem though, they are allocated on an 'as connected'
basis, this means that they can (and probably will be) different on
each DC. To fix this, you need to sync idmap from the DC with the
PDC_Emulator FSMO role to all other DC's
>  and when I resolve them with 
> wbinfo, they would be user groups(?) or can't be resolved at all.
> This 
> is the same strange behaviour on both DCs, although on one DC access
> is 
> OK, on the other it isn't. File system permissions on sysvol folder
> are 
> OK (when using getfacl) and comparing it to recommendations from 
> https://github.com/thctlo/samba4/blob/master/samba-check-set-sysvol.sh, 
> also when reading them from Windows.
This is probably an 'idmap.ldb' problem.

Rowland

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: donderdag 10 februari 2022 17:54
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Apply GPO in Windows from which DC?
> 
> On Thu, 2022-02-10 at 17:30 +0100, Matthias Leopold via samba wrote:
> > 
> > 
> > 
> > My GPO client is connecting to the full domain name for 
> some reason, 
> 
> That is what it is supposed to do.
> 
> > this resolves to both DCs.
> 
> It should and if you add any further DC's, it would resolve to them as
> well.
There where few samba releases that didnt add the extra DC's in NS, 
This "can" be a problem.. 

A simple check can be : dig NS $(hostname -d)
Are all the AD-DCs in that output? If not, fix it. 
> 
> > I'm not testing access to sysvol on every DC, but I'm watching
smbd
> > logfiles on both DCs and see when the computer connects for the GPO
> > update.
> > The "permission denied" errors are a different story again.
The
> > UID/GID 
> > numbers I see in the log line for the connecting computer are
> > completely 
> > strange. They are from the 3000000 range
> 
> As is expected, Samba DC's use 'xidNumber' attributes (to be
found in
> idmap.ldb, not AD) and these start from '3000000', they can be
> 'ID_TYPE_BOTH', this means that they are both a user and a group.
> There is one problem though, they are allocated on an 'as
connected'
> basis, this means that they can (and probably will be) different on
> each DC. To fix this, you need to sync idmap from the DC with the
> PDC_Emulator FSMO role to all other DC's
> 
> >  and when I resolve them with 
> > wbinfo, they would be user groups(?) or can't be resolved at all.
> > This 
> > is the same strange behaviour on both DCs, although on one DC access
> > is 
> > OK, on the other it isn't. File system permissions on sysvol
folder
> > are 
> > OK (when using getfacl) and comparing it to recommendations from 
> > 
> https://github.com/thctlo/samba4/blob/master/samba-check-set-s
> ysvol.sh, 
> > also when reading them from Windows.
> 
> This is probably an 'idmap.ldb' problem.
Yes, looks very much a missed copy of idmap.ldb.. 
@Matthias, dont forget to stop samba before you copy it. 

Greetz, 

Louis