Scenario #27913

SETH DC: Keep the same RID - UID/GID mapping across all DCs

Added by Emmanuel IHRY about 2 years ago. Updated almost 2 years ago.

Status:
Finished (Sprint)
Priority:
Normal
Assigned To:
-
Category:
-
Start date:
04/29/2019
Due date:
05/17/2019
% Done:
100%
Story points:
2.0
Remaining (hours):
0.00 hour
Velocity based estimate:

Description

Problem observed

SYSVOL replication is done with the rsync command, preserving the ACLs:

rsync --rsh='ssh' \
--compress --verbose \
--acls --xattrs \
--archive --ignore-times \
--delete-after --force \
--stats root@${AD_DC_SYSVOL_REF}:/home/sysvol/ /home/sysvol/

For some AD domains in production, for a reason not yet explained, the mapping ends up diverging, which causes anomalies.

The samba-tool ntacl sysvolcheck command fails with an error:

samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /home/sysvol/ddt053.ad.mayenne.rie.gouv.fr/Policies/{D0E64B98-92E4-4E7B-A2B1-0639B7287A04}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1631, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

On the primary DC, the sysvol ACLs are correct:

getfacl sysvol
# file: sysvol
# owner: root
# group: BUILTIN/administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000592:r-x
user:3000593:rwx
group::rwx
group:BUILTIN/administrators:rwx
group:NT\040AUTHORITY/authenticated\040users:r-x
group:BUILTIN/server\040operators:r-x
group:NT\040AUTHORITY/system:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000592:r-x
default:user:3000593:rwx
default:group::---
default:group:BUILTIN/administrators:rwx
default:group:NT\040AUTHORITY/authenticated\040users:r-x
default:group:BUILTIN/server\040operators:r-x
default:group:NT\040AUTHORITY/system:rwx
default:mask::rwx
default:other::---

On the additional DC, the mapping is not the same; in the following example, the group DD/sg_sg_:rwx is mapped in place of group:NT\040AUTHORITY/system:rwx

getfacl sysvol
# file: sysvol
# owner: root
# group: BUILTIN/administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000592:r-x
user:3000593:rwx
group::rwx
group:BUILTIN/administrators:rwx
group:NT\040AUTHORITY/authenticated\040users:r-x
group:BUILTIN/server\040operators:r-x
group:DD/sg_sg_:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000592:r-x
default:user:3000593:rwx
default:group::---
default:group:BUILTIN/administrators:rwx
default:group:NT\040AUTHORITY/authenticated\040users:r-x
default:group:BUILTIN/server\040operators:r-x
default:group:DD/sg_sg_:rwx
default:mask::rwx
default:other::---

Running "samba-tool ntacl sysvolreset" on the additional DC puts the correct ACLs back in place:

root@rw-dd-01:/home# samba-tool ntacl sysvolreset
root@rw-dd-01:/home# getfacl sysvol
# file: sysvol
# owner: root
# group: BUILTIN/administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000028:r-x
user:3000877:rwx
group::rwx
group:BUILTIN/administrators:rwx
group:NT\040AUTHORITY/authenticated\040users:r-x
group:BUILTIN/server\040operators:r-x
group:NT\040AUTHORITY/system:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000028:r-x
default:user:3000877:rwx
default:group::---
default:group:BUILTIN/administrators:rwx
default:group:NT\040AUTHORITY/authenticated\040users:r-x
default:group:BUILTIN/server\040operators:r-x
default:group:NT\040AUTHORITY/system:rwx
default:mask::rwx
default:other::---
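A check for the divergence shown above, as an added example that is not part of the ticket: it reads a DC's getfacl output for /home/sysvol and reports which of the named entries seen on the primary DC are missing and which group entries have taken their place. The reference list EXPECTED_SYSVOL_ENTRIES and the two embedded listings are constructed from the output in this ticket; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ticket: compare a DC's `getfacl` output for
# /home/sysvol against the named entries the ticket shows on the primary DC,
# so that a diverged RID -> UID/GID mapping (here the group DD/sg_sg_ taking
# the place of NT AUTHORITY/system) is reported before it breaks sysvolcheck.
# EXPECTED_SYSVOL_ENTRIES is an assumed reference list, copied from the
# primary DC's output in the ticket; "\040" is getfacl's escape for a space.

EXPECTED_SYSVOL_ENTRIES='group:BUILTIN/administrators:rwx
group:NT\040AUTHORITY/authenticated\040users:r-x
group:BUILTIN/server\040operators:r-x
group:NT\040AUTHORITY/system:rwx'

# Read getfacl output on stdin; print each expected entry that is absent.
# Only the access ACL is checked: the "default:" lines mirror it in the ticket.
missing_sysvol_entries() {
    facl_out=$(cat)
    printf '%s\n' "$EXPECTED_SYSVOL_ENTRIES" | while IFS= read -r entry; do
        printf '%s\n' "$facl_out" | grep -Fqx -- "$entry" || printf '%s\n' "$entry"
    done
}

# Read getfacl output on stdin; print named group entries that are not in the
# reference list. On the additional DC this surfaces group:DD/sg_sg_:rwx.
unexpected_group_entries() {
    grep '^group:[^:]' | while IFS= read -r entry; do
        printf '%s\n' "$EXPECTED_SYSVOL_ENTRIES" | grep -Fqx -- "$entry" \
            || printf '%s\n' "$entry"
    done
}

# Exit status 0 when every expected entry is present, 1 otherwise.
sysvol_acl_ok() {
    [ -z "$(missing_sysvol_entries)" ]
}

# Constructed samples: the access-ACL part of the two getfacl listings in the
# ticket (primary DC, then the additional DC with the diverged mapping).
PRIMARY_ACL='# file: sysvol
# owner: root
# group: BUILTIN/administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:NT\040AUTHORITY/authenticated\040users:r-x
group:BUILTIN/server\040operators:r-x
group:NT\040AUTHORITY/system:rwx
mask::rwx
other::---'

SECONDARY_ACL='# file: sysvol
# owner: root
# group: BUILTIN/administrators
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:NT\040AUTHORITY/authenticated\040users:r-x
group:BUILTIN/server\040operators:r-x
group:DD/sg_sg_:rwx
mask::rwx
other::---'

# Report one DC; $1 is a label, stdin is its getfacl output.
report_dc() {
    facl=$(cat)
    if printf '%s\n' "$facl" | sysvol_acl_ok; then
        printf '%s: sysvol ACL matches the reference mapping\n' "$1"
    else
        printf '%s: sysvol ACL diverged\n' "$1"
        printf '%s\n' "$facl" | missing_sysvol_entries | sed 's/^/  missing:    /'
        printf '%s\n' "$facl" | unexpected_group_entries | sed 's/^/  unexpected: /'
    fi
}

printf '%s\n' "$PRIMARY_ACL" | report_dc "primary DC"
printf '%s\n' "$SECONDARY_ACL" | report_dc "additional DC"
```

On a real DC the input comes from `getfacl /home/sysvol | report_dc "$(hostname)"`. This complements `samba-tool ntacl sysvolcheck`, which compares the file ACLs with the GPO objects in the database: the check here only compares the POSIX view of one DC with what the primary shows, so a non-zero result from sysvol_acl_ok is the signal that the mapping has drifted and that the sysvolreset the ticket describes is due.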

Two solutions are proposed that could be implemented:

1) after each resync, run "samba-tool ntacl sysvolreset"

2) at a frequency to be determined, copy the idmap.tdb mapping file from the primary to the secondary (the default Samba configuration on a SETH being TDB, which is correct for a DC), then flush the winbind cache (NET CACHE FLUSH ??)
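Proposal 1 as a re-runnable job, added here as an example that is not the ticket's or SETH's own script: it runs the rsync command from the description, then `samba-tool ntacl sysvolreset` on the receiving DC, and logs both steps with their exit status (the logging the subtasks below ask for). AD_DC_SYSVOL_REF is the variable used in the ticket; SYSVOL_DIR, SYSVOL_SYNC_LOG and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the ticket's or SETH's own job: proposal 1 as a single
# re-runnable script. It performs the ticket's rsync of SYSVOL from the
# reference DC, then runs `samba-tool ntacl sysvolreset` so that the ACLs are
# rewritten on this DC after every copy, and it logs both steps with their
# exit status. AD_DC_SYSVOL_REF is the ticket's variable; SYSVOL_DIR,
# SYSVOL_SYNC_LOG and the function names are assumed.

SYSVOL_DIR=${SYSVOL_DIR:-/home/sysvol}
SYSVOL_SYNC_LOG=${SYSVOL_SYNC_LOG:-/var/log/sysvol-sync.log}

# Print the rsync argument list from the ticket for the given reference DC,
# one argument per line (no argument contains whitespace).
sysvol_rsync_args() {
    printf '%s\n' \
        --rsh=ssh --compress --verbose --acls --xattrs \
        --archive --ignore-times --delete-after --force --stats \
        "root@$1:$SYSVOL_DIR/" "$SYSVOL_DIR/"
}

# Append a timestamped line to the sync log.
log_step() {
    printf '%s sysvol-sync: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$SYSVOL_SYNC_LOG"
}

# Sync SYSVOL from $1, then reset the ACLs on this DC.
# Returns 0 on success, otherwise the exit status of the step that failed;
# sysvolreset is skipped when rsync failed, so a partial copy is logged as such.
sync_sysvol() {
    ref=${1:?reference DC required}
    log_step "start: rsync from $ref into $SYSVOL_DIR"
    set -- $(sysvol_rsync_args "$ref")
    rsync "$@" >> "$SYSVOL_SYNC_LOG" 2>&1
    rc=$?
    if [ "$rc" -ne 0 ]; then
        log_step "rsync from $ref failed (rc=$rc); sysvolreset skipped"
        return "$rc"
    fi
    log_step "rsync from $ref finished (rc=0); running samba-tool ntacl sysvolreset"
    samba-tool ntacl sysvolreset >> "$SYSVOL_SYNC_LOG" 2>&1
    rc=$?
    log_step "sysvolreset finished (rc=$rc)"
    return "$rc"
}

# Run the job only when invoked as `sysvol-sync.sh run` with AD_DC_SYSVOL_REF
# set (for example from cron); sourcing the file just defines the functions.
case ${1:-} in
    run) sync_sysvol "${AD_DC_SYSVOL_REF:?AD_DC_SYSVOL_REF must name the reference DC}" ;;
esac
```

Keeping the reset tied to each rsync run means the ACL listing can only differ from the expected one between the end of a copy and the reset that follows it, and the log records the exit status of each step so a failed copy is not mistaken for a mapping problem.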


Subtasks

Task #28169: Protect the Seth AD against rpclient (Closed)

Task #28170: Add conf.d in global (Closed)

Task #28171: Keep the log of the synchronisation job (Closed)

Task #28172: Trace Sysvol synchronisation operations (Closed)

History

#1 Updated by Emmanuel IHRY about 2 years ago

  • Description updated (diff)

#2 Updated by Emmanuel IHRY about 2 years ago

  • Description updated (diff)

#3 Updated by Emmanuel IHRY about 2 years ago

  • Description updated (diff)

#4 Updated by Emmanuel IHRY about 2 years ago

  • Due date set to 05/17/2019
  • Target version set to sprint 2019 18-20 Equipe MENSR
  • Start date set to 04/29/2019

#5 Updated by Emmanuel IHRY about 2 years ago

  • Subject changed from Keep the same RID - UID/GID mapping across all DCs to SETH DC: Keep the same RID - UID/GID mapping across all DCs

#6 Updated by Joël Cuissinat almost 2 years ago

  • Story points set to 2.0

#7 Updated by Gilles Grandgérard almost 2 years ago

  • Status changed from New to Finished (Sprint)
