Univention Bugzilla – Bug 36566
idmap not initialized properly on RODC => sysvol permissions broken in domain
Last modified: 2020-07-03 20:52:41 CEST
In a new installation of UCS 4.0 with Samba/AD I discovered unresolvable POSIX IDs in the sysvol fACLs. This affected all DCs and RODCs in the domain. After running samba-tool ntacl sysvolreset the situation was fixed.

# file: var/lib/samba/sysvol/ar40pt2.qa/Policies//{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE
# owner: 3000004
# group: 3000004
user::rwx
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000004:rwx
group:3000011:rwx
group:3000013:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000004:rwx
default:group::---
default:group:3000004:rwx
default:group:3000011:rwx
default:group:3000013:r-x
default:mask::rwx
default:other::--

Maybe it's due to the RODC, which still has these POSIX IDs in its idmap.ldb:

===========================================================================
root@rodc54:~# ldbsearch -H /var/lib/samba/private/idmap.ldb xidnumber=3000004
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
# record 1
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000004
distinguishedName: CN=S-1-5-32-545
===========================================================================

My current guess is that we need to adjust the RODC case in the univention-samba4 joinscript to also run

/usr/lib/univention-directory-listener/system/samba4-idmap.py --direct-resync 2>/dev/null

which is currently missing. After running it manually the idmap seems to be updated properly. At least we should also fix this here.
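A check for the symptom described in the report, as an added example that is not part of the bug report or of UCS/Samba: parse getfacl output for sysvol and list the numeric POSIX IDs that the local id mapping cannot resolve, so the result of a resync can be verified before and after. The resolver is pluggable (the default asks NSS via pwd/grp); the sample ACL below is constructed from the one quoted above.

```python
import re
import pwd
import grp

# Constructed sample, trimmed from the getfacl output quoted in the report.
SAMPLE_ACL = """\
# file: var/lib/samba/sysvol/ar40pt2.qa/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE
# owner: 3000004
# group: 3000004
user::rwx
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000004:rwx
group:3000011:rwx
mask::rwx
other::---
default:user:3000002:rwx
default:group:3000013:r-x
"""

# Named (non-owner) entries, access or default; "user::rwx" has an empty
# qualifier and is deliberately not matched.
ENTRY_RE = re.compile(r"^(?:default:)?(user|group):([^:]+):")


def extract_ids(acl_text):
    """Return {"user": set, "group": set} of qualifiers, owner and group included."""
    ids = {"user": set(), "group": set()}
    for line in acl_text.splitlines():
        if line.startswith("# owner: "):
            ids["user"].add(line.split(": ", 1)[1].strip())
        elif line.startswith("# group: "):
            ids["group"].add(line.split(": ", 1)[1].strip())
        else:
            m = ENTRY_RE.match(line)
            if m:
                ids[m.group(1)].add(m.group(2))
    return ids


def nss_resolves(kind, ident):
    """Default resolver: does the local NSS map this numeric id to a name?"""
    try:
        lookup = pwd.getpwuid if kind == "user" else grp.getgrgid
        lookup(int(ident))
        return True
    except (KeyError, ValueError):
        return False


def unresolved_ids(acl_text, resolves=nss_resolves):
    """Numeric ACL qualifiers the resolver cannot map; names are skipped."""
    out = {"user": set(), "group": set()}
    for kind, idents in extract_ids(acl_text).items():
        for ident in idents:
            if ident.isdigit() and not resolves(kind, ident):
                out[kind].add(int(ident))
    return out
```

On a DC, feed it `getfacl -R /var/lib/samba/sysvol` output; an empty result after running the idmap resync is the expected healthy state.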
Created attachment 6347 [details] RODC_idmap_and_sysvol.patch
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.