[Samba] Fwd: Samba 4 two DCs no matching UID/GID
Rowland Penny
rowlandpenny at googlemail.com
Wed Jan 14 02:49:07 MST 2015
On 14/01/15 08:56, Izan Díez Sánchez wrote:
> What if I use uidNumber to avoid messing with idmap.ldb? On the
> first domain controller it works fine, ignores idmap and uses uidNumber,
> but this attribute is not being replicated when a new user is created.
>
> Let me explain in a little more detail:
> 1-I have an AD DC, all users contain uidNumber. "wbinfo -i user"
> returns uidNumber as expected.
Ah, but do your users actually have a 'uidNumber' attribute? Did you
add them? Because if you didn't, the 'uidNumber' you are referring to
is actually an 'xidNumber' that is stored in idmap.ldb.
> 2-I join a second DC. LDAP is replicated correctly, uidNumber
> attribute included. "wbinfo -i user" returns uidNumber as expected.
> 3-I create a new user on the first DC, and manually add the
> corresponding uidNumber.
Where are you adding the 'uidNumber'?
> 4-User is replicated fine to the second DC but lacks the uidNumber set on
> the first one, thus "wbinfo -i user" does not return the same uidNumber.
>
Light is possibly dawning here. Are you by any chance altering
idmap.ldb? Because doing it this way will give you the problem you are
having: idmap.ldb is *not* synced between DCs.
By the way, can you please stop referring to your servers as PDC & BDC?
They are all DCs; a PDC is a totally different type of domain controller.
Rowland
> There is no advantage in using rfc2307 if uidNumber is not
> replicated. Do I have to replicate manually? Am I missing something?
> Any suggestion is welcome.
>
> Regards,
>
> Izan Díez Sánchez
> Empresarios Agrupados
> Magallanes 3
> 28015 Madrid
> Tel. +34 91 309 80 00 (ext: 8813)
> ids at empre.es
>
> On 13/01/2015 at 18:56, Rowland Penny wrote:
>> On 13/01/15 17:40, Dania Ramirez Moya wrote:
>>> ---------- Forwarded message ----------
>>> From: Dania Ramirez Moya <dania181087 at gmail.com>
>>> Date: Fri, 9 Jan 2015 12:12:18 -0500
>>> Subject: Samba 4 two DCs no matching UID/GID
>>> To: samba <samba at lists.samba.org>
>>>
>>> Hello list:
>>> I have an install of two Debian 7 machines with samba 4.1.7. On DC1 I
>>> made a domain provision with --use-rfc2307. On DC2 I made a join as DC
>>> exactly as in https://wiki.samba.org/index.php/Join_a_domain_as_a_DC , and
>>> I built samba4 with rfc2307 too. Also, on the additional joined Domain
>>> Controller I added the parameter idmap_ldb:use rfc2307 = yes according to
>>> the wiki https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC . I
>>> used ADUC to set Unix Attributes on a user account.
>>>
>>> I installed and configured sssd 1.10 to pull the RFC2307 attributes on the
>>> two DCs but the UID/GID mismatched. Am I missing some configuration?
>>> Best regards
>>>
>>> Dania
>>
>> Well, not configuration, but you seem to have missed that you
>> shouldn't use the DC as a fileserver and that idmap.ldb on the second
>> DC will not match the one on the first DC. The last one is easy to
>> fix: copy idmap.ldb from the first DC to the second DC. Using the DC
>> as a fileserver will need to wait until sometime after 4.2.
>>
>> Rowland
>>
>>
>
>
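
Added example (not part of the original thread): a check for accounts whose Unix ID depends on each DC's local, unsynced idmap.ldb rather than on a replicated uidNumber, which is the condition that makes file ownership differ between DCs. It assumes `idmap_ldb:use rfc2307 = yes` on every DC and LDIF text as printed by `ldbsearch`; the sample records, SIDs, DC names and function names are constructed for illustration.

```python
# Added example: sample LDIF is constructed, function names are hypothetical.
SAM_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
objectSid: S-1-5-21-1111-2222-3333-1104
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
objectSid: S-1-5-21-1111-2222-3333-1105
"""
IDMAP_ENTRY = "dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\ntype: ID_TYPE_BOTH\nxidNumber: {xid}\n"
BOB = "S-1-5-21-1111-2222-3333-1105"
IDMAP_BY_DC = {  # each DC allocated its own xidNumber for the same SID
    "dc1": IDMAP_ENTRY.format(sid=BOB, xid=3000020),
    "dc2": IDMAP_ENTRY.format(sid=BOB, xid=3000017),
}

def parse_ldif(text):
    """Split LDIF text into a list of {attribute: value} dicts (single-valued)."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip ldbsearch comments and malformed lines
            key, value = line.split(": ", 1)
            rec[key] = value.strip()
        if rec:
            records.append(rec)
    return records

def xid_map(idmap_ldif):
    """SID -> xidNumber as stored in one DC's idmap.ldb (skips non-SID records)."""
    return {r["cn"]: int(r["xidNumber"]) for r in parse_ldif(idmap_ldif)
            if r.get("cn", "").startswith("S-1-") and "xidNumber" in r}

def audit(sam_ldif, idmap_by_dc):
    """Return {account: (status, {dc: xid})} for accounts without a replicated uidNumber."""
    maps = {dc: xid_map(text) for dc, text in idmap_by_dc.items()}
    findings = {}
    for user in parse_ldif(sam_ldif):
        if "objectSid" not in user or "uidNumber" in user:
            continue  # uidNumber lives in the directory, so every DC sees the same value
        local = {dc: m.get(user["objectSid"]) for dc, m in maps.items()}
        status = "mismatch" if len(set(local.values())) > 1 else "unsynced"
        findings[user["sAMAccountName"]] = (status, local)
    return findings

if __name__ == "__main__":
    print(audit(SAM_LDIF, IDMAP_BY_DC))
```

An account reported as "unsynced" agrees across DCs today only because the idmap.ldb copies happen to match; setting uidNumber in the directory removes the dependency.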