Switching from an rfc2307 schema to a tdb schema
In a Windows environment a group can be the owner of a file, whereas on Linux only a user can.
Samba handles this by giving a unique id to groups (GID) and to users (UID).
In fact, a group can own a folder under Linux thanks to that id. Winbind in RFC2307 mode does not know how to handle this, so you have to go back to tdb mode, the default configuration of Samba-AD.
This problem is not visible as long as Domain Admins has no historical id. If it does, winbind will not be able to tie together the group id, the group and the folder it owns.
Converting a rfc2307 idmap to tdb
The first step is to clean the idmap.ldb database:

for i in $(ldbsearch -H /var/lib/samba/private/idmap.ldb dn | grep ^dn | awk '{ print $2 }' | grep -v CONFIG) ; do echo "ldbdel -H /var/lib/samba/private/idmap.ldb $i" ; done
Hint
This loop only prints the command lines to be executed; it does not execute them. You can remove the echo to run them directly, or copy and paste the output into a bash shell. Once the commands have run it is also useful to flush the cache:

net cache flush
Restart the Samba service once the commands have completed:

# Debian
systemctl restart samba-ad-dc
# RedHat 8 and derived distributions
systemctl restart samba
Reset the SYSVOL rights, then reset the ACLs:

setfacl -b /var/lib/samba/sysvol
chown -R root:root /var/lib/samba/sysvol
chmod 755 /var/lib/samba/sysvol
samba-tool ntacl sysvolreset
samba-tool ntacl sysvolcheck
If the commands do not return an error then everything is OK.
You can check the new mappings with Winbind or with ldbsearch:

ldbsearch -H /var/lib/samba/private/idmap.ldb
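A dry-run generator for the cleanup step, as an added example (not code from the original page): it parses the ldbsearch output line by line instead of splitting on whitespace, skips the CN=CONFIG record (which holds the idmap settings, not a mapping), and only prints the ldbdel commands so they can be reviewed before being piped into a shell. The ldbsearch output it works on is a constructed sample with made-up SIDs.

```shell
#!/bin/sh
# Added example, not from the original page. Generate the ldbdel commands
# that empty idmap.ldb from the output of
#   ldbsearch -H /var/lib/samba/private/idmap.ldb dn
# Nothing is deleted here: the commands are printed for review.

# Constructed sample of ldbsearch output; the SIDs are made up.
SAMPLE_LDBSEARCH='# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512

# record 2
dn: CN=CONFIG

# record 3
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513

# returned 3 records
# 3 entries
# 0 referrals'

IDMAP_DB=/var/lib/samba/private/idmap.ldb

# Read the "dn:" lines from ldbsearch output on stdin, drop the CONFIG
# record and print one DN per line (everything after "dn: "). Reading
# whole lines keeps a DN intact even if it ever contained spaces.
idmap_dns() {
    while IFS= read -r line; do
        case "$line" in
            "dn: CN=CONFIG") ;;
            "dn: "*) printf '%s\n' "${line#"dn: "}" ;;
        esac
    done
}

# Turn each DN into a quoted ldbdel command. Like the echo loop on the
# page, this prints the commands; pipe the output into sh once reviewed.
gen_ldbdel() {
    idmap_dns | while IFS= read -r dn; do
        printf "ldbdel -H %s '%s'\n" "$IDMAP_DB" "$dn"
    done
}

# Stand-alone run: show the commands for the constructed sample.
printf '%s\n' "$SAMPLE_LDBSEARCH" | gen_ldbdel
```

On a real controller, replace the sample with the live output: `ldbsearch -H /var/lib/samba/private/idmap.ldb dn | gen_ldbdel`, read the list, then pipe it into `sh`.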
Synchronizing with remote servers
If you use rsync to synchronize with numeric ids, you must also synchronize both the idmap databases and the file permissions (ugo mode bits, POSIX ACLs and extended attributes).
If you synchronize the idmap.ldb file by rsync, remember to flush the caches and restart Samba:

net cache flush
systemctl restart samba
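As an added example (not from the original page): the rsync options that carry numeric owner/group, POSIX ACLs and extended attributes together, plus a check that the SID to xid mappings of two servers agree before data is copied, since a file synchronized by numeric id lands on the wrong principal if the idmap databases have diverged. The two ldbsearch dumps are constructed samples with made-up SIDs, and the host names and paths in sync_share are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page.

# rsync options: -a keeps ugo mode bits and owner/group, -A POSIX ACLs,
# -X extended attributes, -H hard links, --numeric-ids copies uid/gid
# numbers instead of resolving names. Source and destination are
# placeholders; this function is not called by the stand-alone run.
sync_share() {
    src=$1
    dest=$2
    rsync -aAXH --numeric-ids "$src/" "$dest/"
}

# Constructed dumps of
#   ldbsearch -H /var/lib/samba/private/idmap.ldb objectSid xidNumber
# taken on two controllers. On DC2 the -513 group got a different xid.
DC1_DUMP='# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
xidNumber: 3000001
'
DC2_DUMP='# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
xidNumber: 3000002
'

# Reduce an LDIF dump on stdin to sorted "SID xid" lines.
idmap_pairs() {
    awk '/^objectSid: /{sid=$2} /^xidNumber: /{print sid, $2}' | sort
}

# Compare two dumps. Pairs present on only one side are printed and the
# function returns 1; identical mappings return 0 with no output.
idmap_diff() {
    divergent=$( { printf '%s\n' "$1" | idmap_pairs
                   printf '%s\n' "$2" | idmap_pairs; } | sort | uniq -u )
    [ -z "$divergent" ] && return 0
    printf '%s\n' "$divergent"
    return 1
}

# Stand-alone run: report the mismatch in the constructed dumps.
idmap_diff "$DC1_DUMP" "$DC2_DUMP" || echo "idmap databases differ; sync idmap.ldb first"
```

Run the comparison against the live dumps of both servers before `sync_share`; if it reports divergent pairs, copy idmap.ldb first, then flush the cache and restart Samba as described above.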