[Samba] since i added second DC i have some trouble

lingpanda101 at gmail.com
Tue Jun 14 19:22:54 UTC 2016


On 6/14/2016 2:50 PM, J. Echter wrote:
> On 14.06.2016 at 20:47, lingpanda101 at gmail.com wrote:
>> On 6/14/2016 1:16 PM, Rowland penny wrote:
>>> On 14/06/16 17:38, J. Echter wrote:
>>>> Hi,
>>>>
>>>> I provisioned a domain and all went well, until I added the second
>>>> DC...
>>>>
>>>> for example:
>>>>
>>>> the new DC2 tells me:
>>>>
>>>> getfacl /usr/local/samba/var/locks/sysvol
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol
>>>> # owner: root
>>>> # group: BUILTIN\134administrators
>>>> user::rwx
>>>> user:root:rwx
>>>> user:BUILTIN\134administrators:rwx
>>>> user:BUILTIN\134users:r-x
>>>> user:ELEMAY\134guest:rwx
>>>> user:ELEMAY\134domain\040guests:r-x
>>>> group::rwx
>>>> group:BUILTIN\134administrators:rwx
>>>> group:BUILTIN\134users:r-x
>>>> group:ELEMAY\134guest:rwx
>>>> group:ELEMAY\134domain\040guests:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:BUILTIN\134administrators:rwx
>>>> default:user:BUILTIN\134users:r-x
>>>> default:user:ELEMAY\134guest:rwx
>>>> default:user:ELEMAY\134domain\040guests:r-x
>>>> default:group::---
>>>> default:group:BUILTIN\134administrators:rwx
>>>> default:group:BUILTIN\134users:r-x
>>>> default:group:ELEMAY\134guest:rwx
>>>> default:group:ELEMAY\134domain\040guests:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>
>>>> the old DC1 tells me:
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol
>>>> # owner: root
>>>> # group: BUILTIN\134administrators
>>>> user::rwx
>>>> user:root:rwx
>>>> user:BUILTIN\134administrators:rwx
>>>> user:BUILTIN\134server\040operators:r-x
>>>> user:3000002:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:BUILTIN\134administrators:rwx
>>>> group:BUILTIN\134server\040operators:r-x
>>>> group:3000002:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:BUILTIN\134administrators:rwx
>>>> default:user:BUILTIN\134server\040operators:r-x
>>>> default:user:3000002:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:BUILTIN\134administrators:rwx
>>>> default:group:BUILTIN\134server\040operators:r-x
>>>> default:group:3000002:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> smb.conf is identical:
>>>>
>>>> DC2:
>>>>
>>>> testparm
>>>> Load smb config files from /usr/local/samba/etc/smb.conf
>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>> (16384)
>>>> Processing section "[netlogon]"
>>>> Processing section "[sysvol]"
>>>> Loaded services file OK.
>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>>
>>>> Press enter to see a dump of your service definitions
>>>>
>>>> # Global parameters
>>>> [global]
>>>>           realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>>>           workgroup = ELEMAY
>>>>           dns forwarder = 192.168.0.1
>>>>           passdb backend = samba_dsdb
>>>>           server role = active directory domain controller
>>>>           winbind enum groups = Yes
>>>>           winbind enum users = Yes
>>>>           winbind nss info = rfc2307
>>>>           rpc_server:tcpip = no
>>>>           rpc_daemon:spoolssd = embedded
>>>>           rpc_server:spoolss = embedded
>>>>           rpc_server:winreg = embedded
>>>>           rpc_server:ntsvcs = embedded
>>>>           rpc_server:eventlog = embedded
>>>>           rpc_server:srvsvc = embedded
>>>>           rpc_server:svcctl = embedded
>>>>           rpc_server:default = external
>>>>           winbindd:use external pipes = true
>>>>           idmap config elemay:range = 10000-99999
>>>>           idmap config elemay:schema_mode = rfc2307
>>>>           idmap config elemay:backend = ad
>>>>           idmap config *:range = 2000-9999
>>>>           idmap_ldb:use rfc2307 = yes
>>>>           idmap config * : backend = tdb
>>>>           map archive = No
>>>>           map readonly = no
>>>>           store dos attributes = Yes
>>>>           vfs objects = dfs_samba4 acl_xattr
>>>>
>>>>
>>>> [netlogon]
>>>>           path =
>>>> /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>>>
>>>>           read only = No
>>>>
>>>>
>>>> [sysvol]
>>>>           path = /usr/local/samba/var/locks/sysvol
>>>>           read only = No
>>>>
>>>>
>>>> DC1:
>>>>
>>>> testparm
>>>> Load smb config files from /usr/local/samba/etc/smb.conf
>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>> (16384)
>>>> Processing section "[netlogon]"
>>>> Processing section "[sysvol]"
>>>> Processing section "[Profiles]"
>>>> Loaded services file OK.
>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>>
>>>> Press enter to see a dump of your service definitions
>>>>
>>>> # Global parameters
>>>> [global]
>>>>           realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>>>           workgroup = ELEMAY
>>>>           dns forwarder = 192.168.0.1
>>>>           passdb backend = samba_dsdb
>>>>           server role = active directory domain controller
>>>>           winbind enum groups = Yes
>>>>           winbind enum users = Yes
>>>>           winbind nss info = rfc2307
>>>>           rpc_server:tcpip = no
>>>>           rpc_daemon:spoolssd = embedded
>>>>           rpc_server:spoolss = embedded
>>>>           rpc_server:winreg = embedded
>>>>           rpc_server:ntsvcs = embedded
>>>>           rpc_server:eventlog = embedded
>>>>           rpc_server:srvsvc = embedded
>>>>           rpc_server:svcctl = embedded
>>>>           rpc_server:default = external
>>>>           winbindd:use external pipes = true
>>>>           idmap config elemay:range = 10000-99999
>>>>           idmap config elemay:schema_mode = rfc2307
>>>>           idmap config elemay:backend = ad
>>>>           idmap config *:range = 2000-9999
>>>>           idmap_ldb:use rfc2307 = yes
>>>>           idmap config * : backend = tdb
>>>>           map archive = No
>>>>           map readonly = no
>>>>           store dos attributes = Yes
>>>>           vfs objects = dfs_samba4 acl_xattr
>>>>
>>>>
>>>> [netlogon]
>>>>           path =
>>>> /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>>>
>>>>           read only = No
>>>>
>>>>
>>>> [sysvol]
>>>>           path = /usr/local/samba/var/locks/sysvol
>>>>           read only = No
>>>>
>>>>
>>>> [Profiles]
>>>>           path = /srv/samba/Profiles/
>>>>           csc policy = disable
>>>>           profile acls = Yes
>>>>           create mask = 0600
>>>>           directory mask = 0700
>>>>           read only = No
>>>>
>>>> getent passwd:
>>>>
>>>> works on both and shows me domain users, for example:
>>>>
>>>> dc2:
>>>>
>>>> ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
>>>>
>>>>
>>>> dc1:
>>>>
>>>> ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
>>>>
>>>> but, as you see, it has different numbers.
>>>>
>>>>
>>>>
>>>> what went wrong here?
>>>>
>>>>
>>>> thanks
>>>>
>>>> juergen
>>>>
>>> Nothing, you just seem to be running into the same problem that a
>>> couple of others have: idmap.ldb can be, and usually is, different
>>> between DCs.
>>>
>>> That makes three users this week and it is only Tuesday :-D
>>>
>>> You can copy idmap.ldb from the first DC to any others, you would then
>>> need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
>>> keep the idmap.ldb files in sync.
>>>
>>> Rowland
>>>
>>>
>> Rowland,
>>
>>      That shouldn't be necessary if he is using 4.2 or later, correct?
>> Isn't the use of winbindd supposed to solve this issue?
>>
>>
> I'm using 4.4.4 on both DCs ;)
>

Echter,

     Have you tried syncing the idmap.ldb file yet? I wonder if your 
issue is related to using

idmap config elemay:backend = ad

Doesn't this use winbind and not winbindd? In this case you would need 
to sync idmap.ldb?

-- 
-James
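As an added example (not code from this thread or from Samba itself), the following Python parses two getfacl listings of the kind quoted above, decodes getfacl's octal escapes, and flags the bare xidNumbers (3000002, 3000003) that DC1 could not resolve to names, which is the visible symptom of idmap.ldb differing between DCs. The sample ACL text is constructed, trimmed from the output quoted in the original post.

```python
import re

def parse_getfacl(text):
    """Parse getfacl output into (tag, qualifier, perms) tuples.
    getfacl escapes '\\' as \\134 and ' ' as \\040; both are decoded here."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip file/owner/group comments
            continue
        *tag, qualifier, perms = line.split(":")  # tag may be "default:user"
        qualifier = re.sub(r"\\(\d{3})", lambda m: chr(int(m.group(1), 8)), qualifier)
        entries.append((":".join(tag), qualifier, perms))
    return entries

def unresolved_ids(entries):
    """Qualifiers that are bare numbers: the xid has no name mapping on this DC."""
    return sorted({q for _, q, _ in entries if q.isdigit()})

def compare_dcs(acl_a, acl_b):
    """Report ACL entries unique to each DC and the unresolved xids on each."""
    a, b = set(parse_getfacl(acl_a)), set(parse_getfacl(acl_b))
    return {
        "only_a": sorted(a - b), "only_b": sorted(b - a),
        "unresolved_a": unresolved_ids(a), "unresolved_b": unresolved_ids(b),
    }

# Constructed samples, trimmed from the getfacl output quoted in the thread.
DC2_ACL = r"""# file: usr/local/samba/var/locks/sysvol
user::rwx
user:BUILTIN\134administrators:rwx
user:ELEMAY\134guest:rwx
user:ELEMAY\134domain\040guests:r-x
group::rwx
mask::rwx
"""
DC1_ACL = r"""# file: usr/local/samba/var/locks/sysvol
user::rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
mask::rwx
"""

if __name__ == "__main__":
    print(compare_dcs(DC1_ACL, DC2_ACL))
```

Run it against `getfacl /usr/local/samba/var/locks/sysvol` captured from each DC; any entry listed under unresolved_* is an xid with no name mapping on that DC, which is exactly what keeping idmap.ldb in sync and running `samba-tool ntacl sysvolreset` is meant to clear up.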
