During a migration from UCS 4 Samba 3 to Samba 4 AD, we had some messages about missing idmap settings for domain * in the logfile:
idmap range not specified for domain '*'
The migration itself seems to finish successfully. The problem is that files created by a Windows user on a Windows PC all have the ID 3000000 instead of the user's name. Trying to figure out what happens, it seems that only users in the Builtin group “Domain Admins” are affected.
What is the needed setting for samba/idmap/range?
In our configuration this UCS variable is empty.
Posix-IDs in the 3000000 region are assigned by Samba/AD on the fly whenever a file is written with ACLs that refer to an account (user or group) for which it cannot find an “official” Posix-ID in its idmap database. For regular users this should not happen. I would recommend to check the output of the following two commands to confirm that the SIDs are the same in OpenLDAP and Samba/AD:
If they are the same, which they should be, you could check
univention-s4connector-list-rejected
to see if the S4-Connector had a problem synchronizing the account. That would be the first steps to assess the situation. Please make sure to anonymize all private info from the output before you post output to this public forum.
Thank you very much for your message. The SIDs are equal, as they should be. There aren’t any rejects listed by the S4 connector either.
If I understand it correctly, there should be an object for the group “Domain Admins” in samba’s idmap database, right?
I see. However, you won’t be able to keep using your NT-style domain indefinitely, and problems such as this one make it all the more urgent.
I know for sure that we have to migrate to Samba 4. Actually, with issues like this one concerning idmap, it’s a bit more difficult to evaluate whether everything else still works after the migration %)
About your idmap issue: do the files have correct owners & groups at the moment? If so, you could look into using getfacl before the migration for dumping the ACLs & owner information into a text file and using setfacl after the migration for restoring the owner. That might work as getfacl stores the user/group names instead of their numeric IDs. If the IDs change but the names stay stable during the migration, using the information from getfacl afterwards should work.
As far as I can see, the files have correct owners and groups right now. We could see it when new files were created after the migration. It seems only files created by users in the Domain Admins group are affected. Well, I am afraid that there are some more files and folders created by users in that group, e.g. GPOs.
Then using the approach I’ve described might work:
Run cd /path/to/files; getfacl -R . > ~/acls.txt prior to the migration
Migrate
Run cd /path/to/files; setfacl --set-file ~/acls.txt afterwards
Check file ownership & permissions
Ideally you should test that in a separate installation, e.g. by cloning your existing server (hopefully it’s a virtual machine) into a lab/test network.
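The dump-and-restore approach above relies on getfacl recording names rather than numeric IDs. The following script, an added example that is not from this thread or from Univention, parses a `getfacl -R` dump and reports any file whose owner or group survived only as a bare number (which is what getfacl prints when a UID/GID cannot be resolved to a name), so the dump can be audited before it is fed to `setfacl --set-file`. The sample dump, the file names and the user `alice` are constructed; the 3000000 floor is the on-the-fly allocation range described earlier in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `getfacl -R` output (not taken from the thread):
# the first file has resolved names, the second carries an unresolved
# numeric owner of the kind the thread is about.
SAMPLE_GETFACL_DUMP = """\
# file: share/report.docx
# owner: alice
# group: domain users
user::rw-
group::r--
other::---

# file: share/gpo/policy.ini
# owner: 3000000
# group: domain admins
user::rw-
group::r--
other::---
"""

# getfacl prefixes each entry with "# file:", "# owner:" and "# group:" comment lines.
HEADER_RE = re.compile(r"^# (file|owner|group): (.*)$")

# Samba/AD hands out IDs from this region when it finds no mapping (assumption
# based on the thread; adjust if your installation uses another range).
DYNAMIC_ID_FLOOR = 3000000


def parse_getfacl(dump: str) -> List[Dict[str, str]]:
    """Split a getfacl dump into one dict per file, keeping file/owner/group headers."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in dump.splitlines():
        match = HEADER_RE.match(line)
        if not match:
            continue  # ACL lines (user::rw- etc.) are not needed for this audit
        key, value = match.group(1), match.group(2)
        if key == "file":
            current = {"file": value}
            entries.append(current)
        elif current:
            current[key] = value
    return entries


def unresolved_principals(entries: List[Dict[str, str]],
                          floor: int = DYNAMIC_ID_FLOOR) -> List[Tuple[str, str, int, bool]]:
    """Return (file, field, numeric id, in_dynamic_range) for every owner or group
    that getfacl could only print as a number, i.e. a name lookup failed."""
    problems = []
    for entry in entries:
        for field in ("owner", "group"):
            value = entry.get(field, "")
            if value.isdigit():
                numeric = int(value)
                problems.append((entry["file"], field, numeric, numeric >= floor))
    return problems


def audit_dump(dump: str) -> List[Tuple[str, str, int, bool]]:
    """Convenience wrapper: parse a dump and list its unresolved owners/groups."""
    return unresolved_principals(parse_getfacl(dump))


if __name__ == "__main__":
    # Usage on a real dump: python3 audit_getfacl.py < ~/acls.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETFACL_DUMP
    for path, field, numeric, dynamic in audit_dump(text):
        flag = " (Samba on-the-fly range)" if dynamic else ""
        print(f"{path}: {field} is numeric {numeric}{flag}")
```

Run it against the dump taken before the migration: if it reports nothing, every owner and group was stored by name and `setfacl --set-file` can restore them on the new server; if it reports numeric owners, those files would have been restored to the same unresolved ID, so they need attention first.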
Well, I deleted it the other day. 8-/ … I rebuilt it, and it’s exactly the same situation now. Newly created files from a user in the Domain Users group have the owner 300000.
root@ucsmaster:~# univention-s4connector-list-rejected
UCS rejected
S4 rejected
There may be no rejected DNs if the connector is in progress, to be
sure stop the connector before running this script.
last synced USN: 7858
ldbsearch -H /var/lib/samba/private/idmap.ldb CN=$(net getdomainsid | sed -e 's/.* //')-512
# record 1
dn: CN=S-1-5-21-677538019-1864647526-2656929208-512
cn: S-1-5-21-677538019-1864647526-2656929208-512
objectClass: sidMap
objectSid: S-1-5-21-677538019-1864647526-2656929208-512
type: ID_TYPE_GID
xidNumber: 5000
distinguishedName: CN=S-1-5-21-677538019-1864647526-2656929208-512
# returned 1 records
# 1 entries
# 0 referrals
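The ldbsearch output above shows the shape of an idmap.ldb record: one entry per SID with a `type` and an `xidNumber`. As an added example that is not part of this thread or of Univention's tooling, the script below parses that LDIF-style output, looks up the ID mapped for a given SID, and lists every SID whose `xidNumber` lies in the on-the-fly range, which is the check behind the earlier advice that such IDs should not appear for regular users. The `-512` record is copied from the poster's output; the `-1104` record, its RID and the 3000000 floor are constructed assumptions.

```python
from typing import Dict, List, Optional

# Domain SID as it appears in the thread's ldbsearch output.
DOMAIN_SID = "S-1-5-21-677538019-1864647526-2656929208"

# Samba/AD allocates from this region when no mapping exists (assumption based
# on the thread's description; adjust for your installation).
DYNAMIC_ID_FLOOR = 3000000

# Constructed sample: record 1 is the poster's "Domain Admins" entry,
# record 2 is an invented account that received an on-the-fly ID.
SAMPLE_IDMAP_LDIF = f"""\
# record 1
dn: CN={DOMAIN_SID}-512
cn: {DOMAIN_SID}-512
objectClass: sidMap
objectSid: {DOMAIN_SID}-512
type: ID_TYPE_GID
xidNumber: 5000
distinguishedName: CN={DOMAIN_SID}-512

# record 2
dn: CN={DOMAIN_SID}-1104
cn: {DOMAIN_SID}-1104
objectClass: sidMap
objectSid: {DOMAIN_SID}-1104
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN={DOMAIN_SID}-1104

# returned 2 records
# 2 entries
# 0 referrals
"""


def parse_idmap_ldif(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ldbsearch output into {objectSid: {attribute: value}}.
    Records are separated by blank lines; '#' lines are ldbsearch comments."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return {r["objectSid"]: r for r in records if "objectSid" in r}


def official_id(idmap: Dict[str, Dict[str, str]], sid: str,
                floor: int = DYNAMIC_ID_FLOOR) -> Optional[int]:
    """Return the xidNumber for `sid` if it has a mapping below the dynamic
    range, else None (either unmapped or allocated on the fly)."""
    record = idmap.get(sid)
    if record is None or "xidNumber" not in record:
        return None
    xid = int(record["xidNumber"])
    return xid if xid < floor else None


def dynamic_mappings(idmap: Dict[str, Dict[str, str]],
                     floor: int = DYNAMIC_ID_FLOOR) -> List[str]:
    """List SIDs whose mapping was handed out on the fly (xidNumber >= floor)."""
    return sorted(sid for sid, r in idmap.items()
                  if int(r.get("xidNumber", "0")) >= floor)


if __name__ == "__main__":
    # Real use: ldbsearch -H /var/lib/samba/private/idmap.ldb | python3 check_idmap.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IDMAP_LDIF
    idmap = parse_idmap_ldif(text)
    print("Domain Admins (RID 512) ->", official_id(idmap, f"{DOMAIN_SID}-512"))
    for sid in dynamic_mappings(idmap):
        print("on-the-fly mapping:", sid, "xidNumber", idmap[sid]["xidNumber"])
```

Piping the full `ldbsearch -H /var/lib/samba/private/idmap.ldb` output through this shows at a glance which SIDs never received an official ID; comparing those SIDs with the accounts from `univention-s4search` tells you which accounts the connector did not provision a mapping for.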
Can you please search through the Samba 4 LDAP (univention-s4search --cross-ncs | less), the OpenLDAP (univention-ldapsearch | less), the idmap database (ldbsearch -H /var/lib/samba/private/idmap.ldb | less) and /etc/group and look for any other entries called domain admins?
A couple more questions so that I understand the effect correctly:
On a newly-created file, which one is set to 300000+ — the user ID or the group ID? Both?
Does it happen with all users in the group Domain Admins? Just one/a few?
I couldn’t find any other entries called “Domain Admins” in these databases.
It’s the user ID. The group ID looks fine. All users in the group “Domain Admins” are affected.
What surprises me is the output of getfacl. The ACLs of the directory where the Samba share is look like this:
root@ucsmaster:~# /usr/share/univention-directory-manager-tools/proof_uniqueMembers
Checking if users are member of their primary group...
Checked 198 posixAccounts, fixed 0 issues.
Checking if group-members exist...
Checked 200 posixGroups, fixed 0 issues.
Alright. Can you please post a screenshot of Windows Explorer showing the advanced ACL properties for one of those files where the owner is 300000 (right-click on it, “Properties”, “Security” tab, “Advanced”)?
Yes. Both univention-s4search and univention-ldapsearch return an entry. If I understand it correctly: when a group is a Windows built-in group, it is not necessary to have this group in OpenLDAP, right? In other words, the group “domain admins” has an object class called “sambaGroupType” which the “administrators” group doesn’t.