Scenario #27913
SETH DC: keep the same RID to UID/GID mapping on all DCs
Done: 100%
Description
Problem observed
SYSVOL replication is done with the rsync command, preserving ACLs:
rsync --rsh='ssh' \
  --compress --verbose \
  --acls --xattrs \
  --archive --ignore-times \
  --delete-after --force \
  --stats root@${AD_DC_SYSVOL_REF}:/home/sysvol/ /home/sysvol/
For some production AD domains, for a reason not yet explained, the mapping ends up diverging, which causes anomalies.
The samba-tool ntacl sysvolcheck command fails:
samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /home/sysvol/ddt053.ad.mayenne.rie.gouv.fr/Policies/{D0E64B98-92E4-4E7B-A2B1-0639B7287A04}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
On the primary DC the sysvol ACLs are correct:
getfacl sysvol
# file: sysvol
# owner: root
# group: BUILTIN/administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000592:r-x
user:3000593:rwx
group::rwx
group:BUILTIN/administrators:rwx
group:NT\040AUTHORITY/authenticated\040users:r-x
group:BUILTIN/server\040operators:r-x
group:NT\040AUTHORITY/system:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000592:r-x
default:user:3000593:rwx
default:group::---
default:group:BUILTIN/administrators:rwx
default:group:NT\040AUTHORITY/authenticated\040users:r-x
default:group:BUILTIN/server\040operators:r-x
default:group:NT\040AUTHORITY/system:rwx
default:mask::rwx
default:other::---
On the additional DC the mapping is not the same; in the following example it is the group DD/sg_sg_:rwx that is mapped in place of group:NT\040AUTHORITY/system:rwx:
getfacl sysvol
# file: sysvol
# owner: root
# group: BUILTIN/administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000592:r-x
user:3000593:rwx
group::rwx
group:BUILTIN/administrators:rwx
group:NT\040AUTHORITY/authenticated\040users:r-x
group:BUILTIN/server\040operators:r-x
group:DD/sg_sg_:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000592:r-x
default:user:3000593:rwx
default:group::---
default:group:BUILTIN/administrators:rwx
default:group:NT\040AUTHORITY/authenticated\040users:r-x
default:group:BUILTIN/server\040operators:r-x
default:group:DD/sg_sg_:rwx
default:mask::rwx
default:other::---
Running "samba-tool ntacl sysvolreset" on the additional DC puts the correct ACLs back in place:
root@rw-dd-01:/home# samba-tool ntacl sysvolreset
root@rw-dd-01:/home# getfacl sysvol
# file: sysvol
# owner: root
# group: BUILTIN/administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000028:r-x
user:3000877:rwx
group::rwx
group:BUILTIN/administrators:rwx
group:NT\040AUTHORITY/authenticated\040users:r-x
group:BUILTIN/server\040operators:r-x
group:NT\040AUTHORITY/system:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000028:r-x
default:user:3000877:rwx
default:group::---
default:group:BUILTIN/administrators:rwx
default:group:NT\040AUTHORITY/authenticated\040users:r-x
default:group:BUILTIN/server\040operators:r-x
default:group:NT\040AUTHORITY/system:rwx
default:mask::rwx
default:other::---
Two solutions that could be implemented:
1) after each resync, run the command "samba-tool ntacl sysvolreset"
2) at a frequency to be determined, copy the idmap.tdb mapping file from the primary to the secondary (the default Samba configuration on a SETH being TDB, which is correct for a DC), then flush the winbind cache (NET CACHE FLUSH ??)
History
#1 Updated by Emmanuel IHRY over 4 years ago
- Description updated
#2 Updated by Emmanuel IHRY over 4 years ago
- Description updated
#3 Updated by Emmanuel IHRY over 4 years ago
- Description updated
#4 Updated by Emmanuel IHRY over 4 years ago
- Due date set to 05/17/2019
- Target version set to sprint 2019 18-20 Equipe MENSR
- Start date set to 04/29/2019
#5 Updated by Emmanuel IHRY over 4 years ago
- Subject changed from "Keep the same RID to UID/GID mapping on all DCs" to "SETH DC: keep the same RID to UID/GID mapping on all DCs"
#6 Updated by Joël Cuissinat over 4 years ago
- Story points set to 2.0
#7 Updated by Gilles Grandgérard over 4 years ago
- Status changed from New to Finished (Sprint)