UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
This isn't necessarily an issue (I don't think) but more so a curiosity.

How are UIDs mapped to SIDs and then SIDs mapped to names in Samba4 across
multiple DCs?

I set up my DCs using Louis' how tos (
https://github.com/thctlo/samba4/tree/master/howtos).

All of my DCs smb.confs have the line "idmap_ldp:use rfc2307 = yes"

My policies folder under \sysvol\domainname\  has permissions of

# file: Policies/
# owner: root
# group: 3000000
user::rwx
group::r-x
other::r-x

and the folders below the policies folder have permissions like this

393060 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
{3010F9BE-44ED-474B-B1A4-97126DF3D2B2}
393073 drwxrwx---+ 4 3000008 3000008  4096 Dec 12 09:26
{31B2F340-016D-11D2-945F-00C04FB984F9}
393084 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
{6AC1786C-016F-11D2-945F-00C04FB984F9}
393093 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
{9BDC0BE2-5A5E-411F-81E5-6450803FA20D}
393100 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
{9FCBF966-79B8-4E1B-9E96-EE950FD00731}
393108 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
{F175AAA1-AA6D-4A0F-BD42-9321BAA3061E}
393006 drwxr-xr-x  3 3000000 users   12288 Dec 12 09:26 PolicyDefinitions

I have three DCs, dc1, dc2 and dc3

I ran some wbinfo's on all my DCs to check if the UIDs lined up with the
same SIDs on each DC, and the results were confusing.

DC1======------
root@dc1 /# wbinfo -U 3000000
S-1-5-32-544
root@dc1 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root@dc1 /# wbinfo -G 3000000
S-1-5-32-544
root@dc1 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root@dc1 /# wbinfo -U 3000008
S-1-5-21-2360315722-3846793618-1593657947-572
root@dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
TCSBASYS\Denied RODC Password Replication Group 4
root@dc1 /# wbinfo -G 3000008
S-1-5-21-2360315722-3846793618-1593657947-572
root@dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
TCSBASYS\Denied RODC Password Replication Group 4

DC2======------
root@dc2 /# wbinfo -U 3000000
S-1-5-32-544
root@dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root@dc2 /# wbinfo -G 3000000
S-1-5-32-544
root@dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root@dc2 /# wbinfo -U 3000008
S-1-5-21-2360315722-3846793618-1593657947-512
root@dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
TCSBASYS\Domain Admins 2
root@dc2 /# wbinfo -G 3000008
S-1-5-21-2360315722-3846793618-1593657947-512
root@dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
TCSBASYS\Domain Admins 2


DC3======------
root@dc2 /# wbinfo -U 3000000
S-1-5-32-544
root@dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root@dc2 /# wbinfo -G 3000000
S-1-5-32-544
root@dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root@dc3 /# wbinfo -U 3000008
S-1-5-64-10
root@dc3 /# wbinfo -s S-1-5-64-10
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-64-10
root@dc3 /# wbinfo -G 3000008
S-1-5-64-10
root@dc3 /# wbinfo -s S-1-5-64-10
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-64-10


Any help/insight you can provide would be greatly appreciated!

Thanks and have a super Friday!

--
*Taylor Hammerling* |  *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
On Fri, 15 Dec 2017 11:09:38 -0600
Taylor Hammerling via samba <[hidden email]> wrote:

Welcome to the wonderful world of idmap.ldb on Samba AD DCs ;-)
I take it you have synced sysvol between the three DCs; you now need to
sync idmap.ldb from the first DC to the other two. The IDs are
allocated on a first come basis, so you are likely to get the IDs
allocated to different groups etc. In your case '3000008' has been
given to 'S-1-5-64-10' on DC3, this is the SID for 'NTLM
Authentication' and it should be 'Domain Admins' as on the other two.

Rowland
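
The check below is an added example, not code from the thread or from Samba: it parses a pasted wbinfo session in the shape of the original post and reports which xids (UIDs/GIDs) resolve to different SIDs on different DCs, which is exactly the idmap.ldb drift described above. The embedded transcript is constructed from the values in the post (with the dc3 prompts written as dc3), and the SID names are the ones the thread resolved with `wbinfo -s`.

```python
"""Cross-check xid (UID/GID) -> SID mappings pasted from several Samba AD DCs.

Added example, not part of the thread. The transcript below is constructed
from the values in the original post; the SID names are the ones the thread
resolves with `wbinfo -s`.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the post: a `wbinfo -U <xid>` (or -G)
# prompt line, then the SID winbind returned on the next line.
SAMPLE = """\
root@dc1 /# wbinfo -U 3000000
S-1-5-32-544
root@dc1 /# wbinfo -U 3000008
S-1-5-21-2360315722-3846793618-1593657947-572
root@dc2 /# wbinfo -U 3000000
S-1-5-32-544
root@dc2 /# wbinfo -U 3000008
S-1-5-21-2360315722-3846793618-1593657947-512
root@dc3 /# wbinfo -U 3000000
S-1-5-32-544
root@dc3 /# wbinfo -U 3000008
S-1-5-64-10
"""

# Names the thread attaches to these SIDs (S-1-5-64-10 is the well-known
# NTLM Authentication SID that idmap.ldb on dc3 handed the xid to).
KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-64-10": "NTLM Authentication",
    "S-1-5-21-2360315722-3846793618-1593657947-512": "TCSBASYS\\Domain Admins",
    "S-1-5-21-2360315722-3846793618-1593657947-572":
        "TCSBASYS\\Denied RODC Password Replication Group",
}

PROMPT = re.compile(r"^root@(?P<dc>[^\s@]+) \S*# wbinfo -[UG] (?P<xid>\d+)$")
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_transcript(text):
    """Return {dc: {xid: sid}}; a reply that is not a SID is stored as None."""
    mappings = defaultdict(dict)
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = PROMPT.match(line)
        if not m:
            continue
        reply = lines[i + 1] if i + 1 < len(lines) else ""
        mappings[m["dc"]][int(m["xid"])] = reply if SID_RE.match(reply) else None
    return dict(mappings)


def find_mismatches(mappings):
    """Return {xid: {dc: sid}} for every xid that does not map to one SID everywhere."""
    by_xid = defaultdict(dict)
    for dc, table in mappings.items():
        for xid, sid in table.items():
            by_xid[xid][dc] = sid
    return {xid: dcs for xid, dcs in by_xid.items() if len(set(dcs.values())) > 1}


def dcs_needing_resync(mappings, reference_dc):
    """DCs whose mappings disagree with reference_dc; they need its idmap.ldb copied over."""
    ref = mappings[reference_dc]
    return sorted(dc for dc, table in mappings.items()
                  if dc != reference_dc
                  and any(xid in ref and ref[xid] != sid for xid, sid in table.items()))


def describe(sid):
    """Human-readable name for a SID where the thread supplies one."""
    return "unresolvable" if sid is None else KNOWN_SIDS.get(sid, sid)


if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE)
    for xid, dcs in sorted(find_mismatches(parsed).items()):
        print("xid %d is inconsistent:" % xid)
        for dc, sid in sorted(dcs.items()):
            print("  %-4s %s (%s)" % (dc, sid, describe(sid)))
    print("resync idmap.ldb from dc2 to:", ", ".join(dcs_needing_resync(parsed, "dc2")))
```

Run it against a real session by pasting the combined `wbinfo -U`/`-G` output from every DC into SAMPLE; any xid it lists is one that will show different owners on sysvol depending on which DC you look at.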


Re: UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
Interesting... How do I go about getting them/keeping them in sync?

On Fri, Dec 15, 2017 at 11:47 AM, Rowland Penny via samba <
[hidden email]> wrote:


Re: UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
On Fri, 15 Dec 2017 11:56:25 -0600
Taylor Hammerling <[hidden email]> wrote:

> Interesting... How do I go about getting them/keeping them in sync?
>

see here:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_Groups_GID_Mappings

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Reply | Threaded
Open this post in threaded view
|

Re: UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
Danke!

On Fri, Dec 15, 2017 at 1:03 PM, Rowland Penny via samba <
[hidden email]> wrote:


Re: UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
ok, I followed the directions on that wikipage, made a hot backup, copied
the hot backup over to the new DC, renamed the hot backup (thus replacing
the existing idmap.ldb) and ran "samba-tool ntacl sysvolreset" and it spat
out the following after a minute or 2 of thinking...

root@dc1 samba/private# samba-tool ntacl sysvolreset
open: error=2 (No such file or directory)
ERROR(runtime): uncaught exception - (-1073741823, '{Operation Failed} The
requested operation was unsuccessful.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239,
in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1609, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1514, in set_gpos_acl
    passdb=passdb)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
1477, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs,
skip_invalid_chown=True, passdb=passdb, service=service)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in
setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP |
security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
root@dc1 samba/private#


Please note, DC2 is the DC that has the correct GID mappings, DC1 does not,
so I'm copying from DC2 to DC1.

On Fri, Dec 15, 2017 at 1:08 PM, Taylor Hammerling <[hidden email]
> wrote:


Re: UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
Apologies, despite that error, the permissions now look good on the sysvol
folder.

Is there anything I need to do moving forward to keep my DCs' idmap.ldbs in
sync? Or is this a one-time thing?

On Fri, Dec 15, 2017 at 1:16 PM, Taylor Hammerling <[hidden email]
> wrote:


Re: UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
On Fri, 15 Dec 2017 13:16:51 -0600
Taylor Hammerling <[hidden email]> wrote:


I now take it you haven't synced sysvol between the DCs, if you haven't
see here:

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

If you have, check that all the sysvol directories contain the same
contents.

Rowland


Re: UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
On Fri, 15 Dec 2017 13:24:05 -0600
Taylor Hammerling <[hidden email]> wrote:

> Apologies, despite that error, the permissions now look good on the
> sysvol folder.
>
> Is there anything I need to do moving forward to keep my DCs
> idmap.ldbs in sync?  or is this a one time thing?
>

If you are using the DCs just for authentication, then it is usually
just a one time thing, but keep a watch out and if it does get out of
sync again, then you will need to sync idmap.ldb again.

Rowland


Re: UID/GID -> SID -> NAME mapping across multiple DCs

Samba - General mailing list
I hadn't seen that page, but I was working off of the first link listed on
that page. Yes, my sysvols are being synced every 5 minutes via a cronjob.

On Fri, Dec 15, 2017 at 1:28 PM, Rowland Penny via samba <
[hidden email]> wrote:
