[Samba] since i added second DC i have some trouble
lingpanda101 at gmail.com
Tue Jun 14 19:22:54 UTC 2016
On 6/14/2016 2:50 PM, J. Echter wrote:
> Am 14.06.2016 um 20:47 schrieb lingpanda101 at gmail.com:
>> On 6/14/2016 1:16 PM, Rowland penny wrote:
>>> On 14/06/16 17:38, J. Echter wrote:
>>>> Hi,
>>>>
>>>> I provisioned a domain and all went well, until I added the second
>>>> DC....
>>>>
>>>> for example:
>>>>
>>>> the new DC2 tells me:
>>>>
>>>> getfacl /usr/local/samba/var/locks/sysvol
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol
>>>> # owner: root
>>>> # group: BUILTIN\134administrators
>>>> user::rwx
>>>> user:root:rwx
>>>> user:BUILTIN\134administrators:rwx
>>>> user:BUILTIN\134users:r-x
>>>> user:ELEMAY\134guest:rwx
>>>> user:ELEMAY\134domain\040guests:r-x
>>>> group::rwx
>>>> group:BUILTIN\134administrators:rwx
>>>> group:BUILTIN\134users:r-x
>>>> group:ELEMAY\134guest:rwx
>>>> group:ELEMAY\134domain\040guests:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:BUILTIN\134administrators:rwx
>>>> default:user:BUILTIN\134users:r-x
>>>> default:user:ELEMAY\134guest:rwx
>>>> default:user:ELEMAY\134domain\040guests:r-x
>>>> default:group::---
>>>> default:group:BUILTIN\134administrators:rwx
>>>> default:group:BUILTIN\134users:r-x
>>>> default:group:ELEMAY\134guest:rwx
>>>> default:group:ELEMAY\134domain\040guests:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>>
>>>> the old DC1 tells me:
>>>>
>>>> # file: usr/local/samba/var/locks/sysvol
>>>> # owner: root
>>>> # group: BUILTIN\134administrators
>>>> user::rwx
>>>> user:root:rwx
>>>> user:BUILTIN\134administrators:rwx
>>>> user:BUILTIN\134server\040operators:r-x
>>>> user:3000002:rwx
>>>> user:3000003:r-x
>>>> group::rwx
>>>> group:BUILTIN\134administrators:rwx
>>>> group:BUILTIN\134server\040operators:r-x
>>>> group:3000002:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:user:BUILTIN\134administrators:rwx
>>>> default:user:BUILTIN\134server\040operators:r-x
>>>> default:user:3000002:rwx
>>>> default:user:3000003:r-x
>>>> default:group::---
>>>> default:group:BUILTIN\134administrators:rwx
>>>> default:group:BUILTIN\134server\040operators:r-x
>>>> default:group:3000002:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> smb.conf is identical:
>>>>
>>>> DC2:
>>>>
>>>> testparm
>>>> Load smb config files from /usr/local/samba/etc/smb.conf
>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>> (16384)
>>>> Processing section "[netlogon]"
>>>> Processing section "[sysvol]"
>>>> Loaded services file OK.
>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>>
>>>> Press enter to see a dump of your service definitions
>>>>
>>>> # Global parameters
>>>> [global]
>>>> realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>>> workgroup = ELEMAY
>>>> dns forwarder = 192.168.0.1
>>>> passdb backend = samba_dsdb
>>>> server role = active directory domain controller
>>>> winbind enum groups = Yes
>>>> winbind enum users = Yes
>>>> winbind nss info = rfc2307
>>>> rpc_server:tcpip = no
>>>> rpc_daemon:spoolssd = embedded
>>>> rpc_server:spoolss = embedded
>>>> rpc_server:winreg = embedded
>>>> rpc_server:ntsvcs = embedded
>>>> rpc_server:eventlog = embedded
>>>> rpc_server:srvsvc = embedded
>>>> rpc_server:svcctl = embedded
>>>> rpc_server:default = external
>>>> winbindd:use external pipes = true
>>>> idmap config elemay:range = 10000-99999
>>>> idmap config elemay:schema_mode = rfc2307
>>>> idmap config elemay:backend = ad
>>>> idmap config *:range = 2000-9999
>>>> idmap_ldb:use rfc2307 = yes
>>>> idmap config * : backend = tdb
>>>> map archive = No
>>>> map readonly = no
>>>> store dos attributes = Yes
>>>> vfs objects = dfs_samba4 acl_xattr
>>>>
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>>>
>>>> read only = No
>>>>
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>>
>>>> DC1:
>>>>
>>>> testparm
>>>> Load smb config files from /usr/local/samba/etc/smb.conf
>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>>>> (16384)
>>>> Processing section "[netlogon]"
>>>> Processing section "[sysvol]"
>>>> Processing section "[Profiles]"
>>>> Loaded services file OK.
>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>>
>>>> Press enter to see a dump of your service definitions
>>>>
>>>> # Global parameters
>>>> [global]
>>>> realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>>> workgroup = ELEMAY
>>>> dns forwarder = 192.168.0.1
>>>> passdb backend = samba_dsdb
>>>> server role = active directory domain controller
>>>> winbind enum groups = Yes
>>>> winbind enum users = Yes
>>>> winbind nss info = rfc2307
>>>> rpc_server:tcpip = no
>>>> rpc_daemon:spoolssd = embedded
>>>> rpc_server:spoolss = embedded
>>>> rpc_server:winreg = embedded
>>>> rpc_server:ntsvcs = embedded
>>>> rpc_server:eventlog = embedded
>>>> rpc_server:srvsvc = embedded
>>>> rpc_server:svcctl = embedded
>>>> rpc_server:default = external
>>>> winbindd:use external pipes = true
>>>> idmap config elemay:range = 10000-99999
>>>> idmap config elemay:schema_mode = rfc2307
>>>> idmap config elemay:backend = ad
>>>> idmap config *:range = 2000-9999
>>>> idmap_ldb:use rfc2307 = yes
>>>> idmap config * : backend = tdb
>>>> map archive = No
>>>> map readonly = no
>>>> store dos attributes = Yes
>>>> vfs objects = dfs_samba4 acl_xattr
>>>>
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>>>
>>>> read only = No
>>>>
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>>
>>>> [Profiles]
>>>> path = /srv/samba/Profiles/
>>>> csc policy = disable
>>>> profile acls = Yes
>>>> create mask = 0600
>>>> directory mask = 0700
>>>> read only = No
>>>>
>>>> getent passwd:
>>>>
>>>> works on both and shows me domain users, for example:
>>>>
>>>> dc2:
>>>>
>>>> ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
>>>>
>>>>
>>>> dc1:
>>>>
>>>> ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
>>>>
>>>> But, as you see, it has different numbers.
>>>>
>>>>
>>>>
>>>> What went wrong here?
>>>>
>>>>
>>>> thanks
>>>>
>>>> juergen
>>>>
>>> Nothing, you just seem to be running into the same problem that a
>>> couple of others have: idmap.ldb can be, and usually is, different
>>> between DCs.
>>>
>>> that makes three users this week and it is only Tuesday :-D
>>>
>>> You can copy idmap.ldb from the first DC to any others, you would then
>>> need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
>>> keep the idmap.ldb files in sync.
>>>
>>> Rowland
>>>
>>>
>> Rowland,
>>
>> That shouldn't be necessary if he is using 4.2 or later, correct?
>> Isn't the use of winbindd supposed to solve this issue?
>>
>>
> I'm using 4.4.4 on both DCs ;)
>
Echter,

Have you tried syncing the idmap.ldb file yet? I wonder if your
issue is related to using

    idmap config elemay:backend = ad

Doesn't this use winbind and not winbindd? In this case you would need
to sync idmap.ldb?
--
-James
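As an added example (my own script, not code from this thread or from the Samba project), here is a POSIX sh script that first checks for the symptom Juergen shows, a domain account getting different numeric ids on the two DCs, and then carries out the procedure Rowland describes: copy idmap.ldb from the first DC to the other DC and run samba-tool ntacl sysvolreset there. It assumes a Samba installed under /usr/local/samba (so idmap.ldb lives in /usr/local/samba/private), root ssh access to both DCs, and placeholder host names dc1/dc2; the tdbbackup snapshot and the net cache flush step are my additions and are not mentioned in the thread. The sample getent lines in the check are constructed to match the ids quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# (1) idmap_diff / verify_idmap: detect two DCs handing out different numeric
#     ids for the same domain account (the getent mismatch shown above).
# (2) sync_idmap: push one DC's idmap.ldb to another DC and rebuild the
#     Sysvol ACLs there, as recommended in the reply above.
#
# Assumptions (not stated on the page): Samba lives under /usr/local/samba,
# so idmap.ldb is in /usr/local/samba/private; the DCs accept root over ssh;
# "dc1"/"dc2" are placeholders; tdbbackup and "net cache flush" are my additions.

SAMBA_PRIVATE=${SAMBA_PRIVATE:-/usr/local/samba/private}

# idmap_diff FILE_A FILE_B
# Each file holds "getent passwd" and/or "getent group" output captured on one
# DC. Prints every account present in both captures whose numeric id differs
# and returns 1 if there is at least one such account, 0 if they all agree.
idmap_diff() {
    awk -F: '
        FNR == NR { id[$1] = $3; next }      # first file: remember id per name
        ($1 in id) && id[$1] != $3 {          # second file: report mismatches
            printf "%s: %s vs %s\n", $1, id[$1], $3
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    ' "$1" "$2"
}

# verify_idmap DC_A DC_B
# Captures the user and group mappings on both DCs and compares them.
verify_idmap() {
    a=$(mktemp) && b=$(mktemp) || return 1
    ssh "root@$1" 'getent passwd; getent group' > "$a"
    ssh "root@$2" 'getent passwd; getent group' > "$b"
    if idmap_diff "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# sync_idmap SRC_DC DST_DC
# Copies SRC_DC's idmap.ldb to DST_DC and rebuilds the Sysvol ACLs there.
# Stop samba on DST_DC first if you can (how depends on your init system),
# and repeat this whenever idmap.ldb changes on SRC_DC so the files stay in sync.
sync_idmap() {
    src=$1; dst=$2
    # consistent snapshot of the live LDB instead of copying a file mid-write
    ssh "root@$src" "tdbbackup -s .bak '$SAMBA_PRIVATE/idmap.ldb'"
    # keep the destination's current file so the change can be reverted
    ssh "root@$dst" "cp -a '$SAMBA_PRIVATE/idmap.ldb' '$SAMBA_PRIVATE/idmap.ldb.pre-sync'"
    scp "root@$src:$SAMBA_PRIVATE/idmap.ldb.bak" "root@$dst:$SAMBA_PRIVATE/idmap.ldb"
    # drop cached SID<->id lookups, then rewrite the Sysvol ACLs with the new ids
    ssh "root@$dst" "net cache flush && samba-tool ntacl sysvolreset"
}

# Usage: idmap-sync.sh diff FILE_A FILE_B | verify DC_A DC_B | sync SRC_DC DST_DC
case "${1:-}" in
    diff)   shift; idmap_diff "$@" ;;
    verify) shift; verify_idmap "$@" ;;
    sync)   shift; sync_idmap "$@" ;;
esac
```

Run `verify dc1 dc2` before and after `sync dc1 dc2`. The check compares only accounts present on both sides by name, so an account that exists on one DC alone is not reported. Accounts whose uidNumber/gidNumber is stored in AD (the rfc2307 range in the smb.conf above) are read from the directory and agree on every DC; the accounts that differ are the ones whose ids come from each DC's own idmap.ldb. getfacl prints a bare number when an id does not resolve to a name, so the 3000002/3000003 entries in DC1's output above are a quick sign of the same mismatch; after the sync and reset, getfacl on both DCs should show names throughout.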