[Samba] Validate Ids Multiple DC

L.P.H. van Belle belle at bazuin.nl
Fri Jan 29 15:10:50 UTC 2016


Hello Carlos. 

First, please post to the list; this way everybody can help. 

The IDs like 3000036 are, I think, from a Samba DC with RID setup. 
If you also want to log in on the DC with, for example, SSH: 

Also add the template lines. 

Fix the idmap. 

net getdomainsid
net idmap delete ranges YOURDOMAIN_SID

Restart the DC. 

And check again. 

Greetz, 

Louis


> -----Original Message-----
> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> Sent: Friday 29 January 2016 15:14
> To: L.P.H. van Belle
> Subject: Re: [Samba] Validate Ids Multiple DC
> 
> Hello!
> Thanks for the answers.
> 
> My smb.conf is now like this on both DCs, but it is still giving different IDs:
> 
> 
> smb.conf
> 
> # Global parameters
> [global]
>          workgroup = SERVERAD
>          realm = mydomain
>          netbios name = DC-LINUX1 (and DC-LINUX2)
>          server role = active directory domain controller
>          passdb backend = samba_dsdb
>          server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 
>          map archive = No
>          map readonly = no
>          store dos attributes = Yes
>          vfs objects = dfs_samba4 acl_xattr
>          idmap_ldb:use rfc2307 = yes
>          kerberos method = system keytab
>          client ldap sasl wrapping = sign
>          allow dns updates = nonsecure and secure
>          nsupdate command =  /usr/bin/nsupdate -g
> 
>          ## map IDs outside the domain to tdb files.
>          idmap config * : backend = tdb
>          idmap config * : range = 2000-9999
>          ### map ids from the domain and (*) the range may not overlap !
>          idmap config SERVERAD : backend = ad
>          idmap config SERVERAD : schema_mode = rfc2307
>          idmap config SERVERAD : range = 10000-3999999
> 
>          ## Use home directory and shell information from AD
>          winbind nss info = rfc2307
> 
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind expand groups = 4
> 
>          # Disable Cups
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
> 
> DC-LINUX1
> 
> id userproxy01
> uid=3000370(SERVERAD\userproxy01) gid=100(users)
> groups=100(users),3000370(SERVERAD\userproxy01),3000001(BUILTIN\users)
> 
> getent passwd userproxy01
> SERVERAD\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
> 
> DC-LINUX2
> 
> id userproxy01
> uid=3000036(SERVERAD\userproxy01) gid=100(users)
> groups=100(users),3000036(SERVERAD\userproxy01),3000001(BUILTIN\users)
> 
> getent passwd userproxy01
> SERVERAD\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
> 
> 
> Thanks.
> 
> On 29-01-2016 10:07, L.P.H. van Belle wrote:
> > Hi Rowland.
> >
> > What you tried is OK, or I'm misunderstanding you.
> >
> > For me:
> > All members give me:
> > getent passwd myuser
> > myuser:*:10002:10000::/home/users/myuser:/bin/bash
> >
> > id myuser
> > uid=10002(myuser) gid=10000(domain users)
> >
> > The member servers are either Sernet Samba 4.2.7 or Debian Samba 4.1.17.
> >
> > And on the DCs (only Sernet Samba 4.2.7):
> >
> > getent passwd myuser
> > myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash
> >
> > id myuser
> > uid=10002(myuser) gid=10000(domain users)
> >
> > Forgot to mention one restriction.
> >
> > On the DCs I also have
> >          template shell = /bin/bash
> >          template homedir = /home/users/%U
> >
> > The restriction is that you must use the above shell and home dirs for all
> > your users, and they must be the same in the AD Unix tab.
> >
> > The GECOS is different, but who uses that...
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original Message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> >> Sent: Friday 29 January 2016 12:42
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Validate Ids Multiple DC
> >>
> >> On 29/01/16 08:59, L.P.H. van Belle wrote:
> >>> If you also add the "not supported" winbind options from the member to
> >>> the DCs, then you will have the same resulting uid on all servers.
> >>> Officially not supported, but it has worked for more than a year here now.
> >>> (Sernet Samba 4.2.7 on Debian Wheezy)
> >>>
> >>> This is my addition to the smb.conf on the DC.
> >>>           ## map IDs outside the domain to tdb files.
> >>>           idmap config * : backend = tdb
> >>>           idmap config * : range = 2000-9999
> >>>           ## map IDs from the domain and (*) the range may not overlap !
> >>>           idmap config NTDOMAIN : backend = ad
> >>>           idmap config NTDOMAIN : schema_mode = rfc2307
> >>>           idmap config NTDOMAIN : range = 10000-3999999
> >>>
> >>>           # Use home directory and shell information from AD
> >>>           winbind nss info = rfc2307
> >>>
> >>>           winbind trusted domains only = no
> >>>           winbind use default domain = yes
> >>>           winbind expand groups = 4
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller
> >>>> Sent: Friday 29 January 2016 9:21
> >>>> To: 'Carlos A. P. Cunha'; samba at lists.samba.org
> >>>> Subject: Re: [Samba] Validate Ids Multiple DC
> >>>>
> >>>> You can try to do it with the Unix tab in RSAT on the master DC (as I did).
> >>>> Both DCs have the same IDs.
> >>>> On your member servers this will be mapped by winbind(d).
> >>>> EX:
> >>>>
> >>>> [root at s4master ~]# id tester
> >>>> uid=90000(TPLK\tester) gid=100(users)
> >>>> groups=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>>>
> >>>> [root at s4slave ~]# id tester
> >>>> uid=90000(TPLK\tester) gid=100(users)
> >>>> groups=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>>>
> >>>> winbind(d) mapping the same IDs on 2 member servers:
> >>>> [root at centclust1 ~]# id tester
> >>>> uid=1606(tester) gid=1013(domain users) groups=1013(domain users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),1643(terminalserver user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)
> >>>>
> >>>>
> >>>> [root at centclust2 ~]# id tester
> >>>> uid=1606(tester) gid=1013(domain users) groups=1013(domain users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640(schreiben),1643(terminalserver user),1620(direktionv),100001(BUILTIN\users)
> >>>>
> >>>>
> >>>> Daniel Müller, IT
> >>>>
> >>>> Head of IT
> >>>> Tropenklinik Paul-Lechler-Krankenhaus
> >>>> Paul-Lechler-Str. 24
> >>>> 72076 Tübingen
> >>>> Tel.: 07071/206-463, Fax: 07071/206-499
> >>>> eMail: mueller at tropenklinik.de
> >>>> Internet: www.tropenklinik.de
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> -----Original Message-----
> >>>> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> >>>> Sent: Friday, 29 January 2016 00:43
> >>>> To: samba at lists.samba.org
> >>>> Subject: [Samba] Validate Ids Multiple DC
> >>>>
> >>>> Hello!
> >>>> I have 2 Samba 4 servers (4.3.3) as DCs and another Samba 4 (4.3) as
> >>>> file server. Until now all OK, but I have one doubt: how to validate that
> >>>> on both servers the domain IDs of the users are identical; is there a
> >>>> simple way to do this validation?
> >>>> I wanted to make sure that if a DC dies, the file server keeps going 100%.
> >>>> thank you
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>>>
> >>>>
> >>>
> >> Hi Louis, you keep saying adding the domain member lines to a DC works
> >> for you, so I thought it was time I tried them again.
> >>
> >> This is before adding the lines:
> >>
> >> root at testdc1:~# getent passwd rowland
> >> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
> >>
> >> Now add the lines to smb.conf:
> >>
> >>           ## map IDs outside the domain to tdb files.
> >>           idmap config * : backend = tdb
> >>           idmap config * : range = 2000-9999
> >>           ## map IDs from the domain and (*) the range may not overlap !
> >>           idmap config HOME : backend = ad
> >>           idmap config HOME : schema_mode = rfc2307
> >>           idmap config HOME : range = 10000-3999999
> >>
> >>           # Use home directory and shell information from AD
> >>           winbind nss info = rfc2307
> >>
> >>           winbind trusted domains only = no
> >>           winbind use default domain = yes
> >>           winbind expand groups = 4
> >>
> >> Ran 'net cache flush' and then 'service samba-ad-dc restart'
> >>
> >> Checked again:
> >>
> >> root at testdc1:~# getent passwd rowland
> >> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
> >>
> >> Absolutely no difference, this is with Samba 4.3.3
> >>
> >> Rowland
> >>
> >>
> >
> >
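The validation Carlos asked for at the start of the thread (are the uid/gid values for a given account identical on every DC and member server?) can be scripted. The block below is an added example for this page, not code from the thread or from the Samba project. It assumes you have run `getent passwd` on each host and saved the output to one file per host; the sample files it builds are constructed from the two DC lines quoted above, the `svc_backup` account and the fileserver uid 10042 are invented for the demo. DC output carries a `DOMAIN\` prefix and member output with `winbind use default domain = yes` does not, so the prefix is stripped and names are compared case-insensitively before comparing uid:gid.

```shell
#!/bin/sh
# Added example (not from the thread): check that every host in a Samba AD
# domain resolves the same uid:gid for the same account.
#
# Assumed workflow: on each DC and member server run
#     getent passwd > ids-$(hostname)
# copy the files to one place, then run  id_mismatches ids-*

# id_mismatches FILE...
# Prints one line per account whose uid:gid differs between the files,
# in the form   name: host1=uid:gid host2=uid:gid ...
# Prints nothing when all hosts agree.
id_mismatches() {
    awk -F: '
        /^#/ || NF < 7 { next }                 # skip comments and junk lines
        {
            name = tolower($1)
            sub(/^.*\\/, "", name)              # drop "DOMAIN\" prefix
            val = $3 ":" $4                     # uid:gid as this host sees it
            if (!((name, val) in seen)) {
                seen[name, val] = 1
                nvals[name]++                   # distinct uid:gid values seen
            }
            where[name] = where[name] " " FILENAME "=" val
            if (!(name in idx)) { idx[name] = ++n; names[n] = name }
        }
        END {
            for (i = 1; i <= n; i++)
                if (nvals[names[i]] > 1)
                    print names[i] ":" where[names[i]]
        }' "$@"
}

# ids_consistent FILE...   -> exit 0 if every account agrees, 1 otherwise
ids_consistent() {
    [ -z "$(id_mismatches "$@")" ]
}

# demo_mismatches: runs the check on constructed sample files modelled on
# the getent lines quoted in the thread (svc_backup and the fileserver
# uid 10042 are invented for the demo).
demo_mismatches() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/dc-linux1" <<'EOF'
SERVERAD\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
SERVERAD\svc_backup:*:10005:10000:svc_backup:/home/SERVERAD/svc_backup:/bin/bash
EOF
    cat > "$dir/dc-linux2" <<'EOF'
SERVERAD\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
SERVERAD\svc_backup:*:10005:10000:svc_backup:/home/SERVERAD/svc_backup:/bin/bash
EOF
    cat > "$dir/fileserver" <<'EOF'
userproxy01:*:10042:10000:userproxy01:/home/users/userproxy01:/bin/bash
svc_backup:*:10005:10000:svc_backup:/home/users/svc_backup:/bin/bash
EOF
    (cd "$dir" && id_mismatches dc-linux1 dc-linux2 fileserver)
    rm -rf "$dir"
}

demo_mismatches
# userproxy01: dc-linux1=3000370:100 dc-linux2=3000036:100 fileserver=10042:10000
```

Only accounts that disagree are printed, with the value each host reported, so a non-empty result shows exactly which host is handing out a uid from the wrong range (a 3000xxx value is the DC's own xidNumber allocation rather than the rfc2307 uidNumber). An account that exists on only one host is not flagged; add a per-file count if you also want to catch accounts that some hosts cannot resolve at all.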




