Strange ACL UID/GID issue with robocopy

k0n24d · November 16, 2017, 10:33am

Hi everybody,

I’m running some UCS servers in a mixed Windows AD - UCS domain. Plan is to do a domain takeover in the near futur. But for now I do have a strange ACL issue on the samba shares.

If I create files/folders or play with the ACL on the shares from a Windows client everything is working fine.
But if I mirror a share from a Windows server to one of the UCS servers using robocopy /MIR /COPYALL /ZB … I can’t access the shares one the UCS server anymore.
getfacl gives some strange things:

getfacl -n XXXXXXXX
# file: XXXXXXXX
# owner: 0
# group: 5001
user::rwx
user:0:rwx
group::---
group:5001:---
group:55003:rwx
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:group::---
default:group:5001:---
default:group:55003:rwx
default:mask::rwx
default:other::---

I’ve made a script that basically copies the ACL from the 55xxx to the 5yyy and removes the 55xxx ACLs (same for uid and gid 0 to Administrator / Domain Admins)

For me it look like samba is getting confused between the different user backends. Normal access to the share uses uids and gids I get from NSS (getent…), whereas robocopy /COPYALL seems to set the uid and gid from the internal samba / ldap mapping (at least the ids are in the range defined in smb.conf for the ldap backend).

Maybe this is due to the fact that all domain users get the POSIX account enabled by the AD replication ?

Moritz_Bunkus · December 11, 2017, 10:10am

Hey,

what exactly do you mean by “mixed mode”? Is the UCS server joined as a memberserver? Or is it using the AD Connector for account/group synchronization?

Kind regards,
mosu

k0n24d · December 11, 2017, 11:18am

We are currently running as a test for a future AD Takeover:

UCS Master : Active Directory Connection + Windows compatible Memberserver
UCS Slave (in remote location) : Windows compatible Memberserver
UCS Memberserver (this is the file server i’m making the file copies to) : Windows compatible Memberserver

Moritz_Bunkus · December 14, 2017, 1:58pm

Hey,

this is somewhat tricky. I’d like to compare the SIDs used by WIndows and the UCS DC Master for one of the users whose ACLs end up as strange UIDs on the Linux side. Can you please do the following:

On the Windows machine you’re running start a PowerShell. In the shell type the following: [wmi] "win32_userAccount.Domain='linet',Name='mbunkus'" Replace linet with your domain name and mbunkus with the user’s name whose ACLs get mangled.
On the UCS DC Master please run the following: univention-ldapsearch uid=mbunkus sambaSid Again, replace mbunkus with that user’s name.

Then post the output of both commands here.

Thanks.

Kind regards,
mosu