Web lists-archives.com

Re: [Samba] UID/GID -> SID -> NAME mapping across multiple DCs




On Fri, 15 Dec 2017 11:09:38 -0600
Taylor Hammerling via samba <samba@xxxxxxxxxxxxxxx> wrote:

> This isn't necessarily an issue (I don't think) but more so a
> curiosity.
> 
> How are UIDs mapped to SIDs and then SIDs mapped to names in Samba4
> across multiple DCs?
> 
> I set up my DCs using Louis' how tos (
> https://github.com/thctlo/samba4/tree/master/howtos).
> 
> All of my DCs smb.confs have the line "idmap_ldp:use rfc2307 = yes"
> 
> My policies folder under \sysvol\domainname\  has permissions of
> 
> # file: Policies/
> # owner: root
> # group: 3000000
> user::rwx
> group::r-x
> other::r-x
> 
> and the folders below the policies folder have permissions like this
> 
> 393060 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> {3010F9BE-44ED-474B-B1A4-97126DF3D2B2}
> 393073 drwxrwx---+ 4 3000008 3000008  4096 Dec 12 09:26
> {31B2F340-016D-11D2-945F-00C04FB984F9}
> 393084 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> {6AC1786C-016F-11D2-945F-00C04FB984F9}
> 393093 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> {9BDC0BE2-5A5E-411F-81E5-6450803FA20D}
> 393100 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> {9FCBF966-79B8-4E1B-9E96-EE950FD00731}
> 393108 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> {F175AAA1-AA6D-4A0F-BD42-9321BAA3061E}
> 393006 drwxr-xr-x  3 3000000 users   12288 Dec 12 09:26
> PolicyDefinitions
> 
> I have three DCs, dc1, dc2 and dc3
> 
> I ran some wbinfo's on all my DCs to check if the UIDs lined up with
> the same SIDs on each DC, and the results were confusing.
> 
> DC1======------
> root@dc1 /# wbinfo -U 3000000
> S-1-5-32-544
> root@dc1 /# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
> root@dc1 /# wbinfo -G 3000000
> S-1-5-32-544
> root@dc1 /# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
> root@dc1 /# wbinfo -U 3000008
> S-1-5-21-2360315722-3846793618-1593657947-572
> root@dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
> TCSBASYS\Denied RODC Password Replication Group 4
> root@dc1 /# wbinfo -G 3000008
> S-1-5-21-2360315722-3846793618-1593657947-572
> root@dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
> TCSBASYS\Denied RODC Password Replication Group 4
> 
> DC2======------
> root@dc2 /# wbinfo -U 3000000
> S-1-5-32-544
> root@dc2 /# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
> root@dc2 /# wbinfo -G 3000000
> S-1-5-32-544
> root@dc2 /# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
> root@dc2 /# wbinfo -U 3000008
> S-1-5-21-2360315722-3846793618-1593657947-512
> root@dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
> TCSBASYS\Domain Admins 2
> root@dc2 /# wbinfo -G 3000008
> S-1-5-21-2360315722-3846793618-1593657947-512
> root@dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
> TCSBASYS\Domain Admins 2
> 
> 
> DC3======------
> root@dc2 /# wbinfo -U 3000000
> S-1-5-32-544
> root@dc2 /# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
> root@dc2 /# wbinfo -G 3000000
> S-1-5-32-544
> root@dc2 /# wbinfo -s S-1-5-32-544
> BUILTIN\Administrators 4
> root@dc3 /# wbinfo -U 3000008
> S-1-5-64-10
> root@dc3 /# wbinfo -s S-1-5-64-10
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-64-10
> root@dc3 /# wbinfo -G 3000008
> S-1-5-64-10
> root@dc3 /# wbinfo -s S-1-5-64-10
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-64-10
> 
> 
> Any help/insight you can provide would be greatly appreciated!
> 
> Thanks and have a super Friday!
> 

Welcome to the wonderful world of idmap.ldb on Samba AD DCs ;-)
I take it you have synced sysvol between the three DCs, you now need to
sync idmap.ldb from the first DC to the other two. The IDs are
allocated on a first come basis, so you are likely to get the IDs
allocated to different groups etc, in your case '3000008' has been
given to 'S-1-5-64-10' on DC3, this is the SID for 'NTLM
Authentication' and it should 'Domain Admins' as on the other two.

Rowland

and

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba