Samba4: idmap replication between 2 DC's
geza at kzsdabas.hu
Thu Jul 12 00:02:23 MDT 2012
On 2012-07-12 07:46, steve wrote:
> On 11/07/12 23:45, Gémes Géza wrote:
>> On 2012-07-11 21:44, steve wrote:
>>> On 11/07/12 21:23, Gémes Géza wrote:
>>>> On 2012-07-11 10:58, steve wrote:
>>>>> Is it possible to get idmap.ldb replicated across 2 DC's as well as
>>>>> the directory partitions?
>>>>> I make changes to id mappings for our Linux users. This is not a
>>>>> problem with NFS, but becomes an issue when Linux users are
>>>>> working on
>>>>> cifs mounted shares. The uidNumber issued by DC2 is not the same as
>>>>> the uidNumber issued by DC1.
>>>> Hi Steve,
>>>> If you put
>>>> idmap_ldb:use rfc2307 = yes
>>>> in your smb.conf then setting the uids gids in AD will guarantee that
>>>> they are the same across your samba4/s3fs servers, because then they
>>>> will get that from AD instead of their private idmap (with a fail-back
>>>> to idmap, if the entry has no uid/gid set).
>>> Hi Geza
>>> I don't think
>>> idmap_ldb:use rfc2307 = yes
>>> works in Samba4 with s3fs
>>> It doesn't appear as an option in
>>> testparm -v either
>>> It doesn't have any effect here even though we store all our rfc2307
>>> information in the directory.
>>> Quote from the other thread:
>>> 's3fs and the Samba4 DC use a different winbindd implementation to the
>>> one that Christof is patching. For that reason, these patches simply
>>> won't have any benefit for you on the Samba4 DC.
>>> Andrew Bartlett'
>>> Geza, does it work for you?
>> Yes, but my test domain was upgraded from samba3 in which case the
>> provision automatically puts idmap_ldb:use rfc2307 = yes in smb.conf
>> I don't know s3fs where does sid<->xid operations, but with wbinfo I've
>> checked and the information is retrieved from AD.
> Hi Geza.
> That's frustrating. We are not using winbindd (but are using winbind
> if you see what I mean). Is there anything else you have in smb.conf
> that would affect this? Our nsswitch settings are:
> passwd: files ldap
> group: files ldap
> and our smb.conf is:
> server role = domain controller
> workgroup = MARINA
> realm = hh3.site
> netbios name = HH1
> passdb backend = samba4
> idmap_ldb:use rfc2307 = yes
> On the PDC idmap mappings are the same as those in the AD (we have a
> script that does this when we add e.g. a new group). Even though it
> works and users and groups are correctly mapped on either DC, we
> would like the mappings to come from AD rather than idmap, mainly for
> the sake of maintenance and readability.
> Is there any way we can do this?
Now I'm completely confused: In theory idmap_ldb:use rfc2307 = yes would
free you from having to mess with the idmap.ldb. Just have the correct
uids/gids in the directory, and they should be picked up by samba (maybe
you are using an older version? support for this is quite recent).
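An added example, not from this thread, of the check Géza describes doing with wbinfo: it reports users whose uid as handed out by winbind on a DC differs from the rfc2307 uidNumber stored in AD, which is what happens when the mapping still comes from that DC's private idmap.ldb. The sample data is constructed; the sam.ldb path in collect_ad_map is an assumed default.

```shell
#!/bin/sh
# Added example, not from the thread: report users whose AD uidNumber differs
# from the uid winbind hands out on this DC (i.e. the mapping is still coming
# from the DC's private idmap.ldb rather than from rfc2307 attributes).

# Constructed sample, "user uidNumber" as collect_ad_map would print it.
AD_MAP='alice 10001
bob 10002
carol 10003'

# Constructed sample, "user uid" as collect_wb_map would print it; bob's uid
# looks like an auto-allocated idmap.ldb xid rather than his AD uidNumber.
WB_MAP='alice 10001
bob 3000021
carol 10003'

# Print one line per user whose two uids disagree or who has no winbind uid.
compare_mappings() {
    echo "$1" | while read -r user ad_uid; do
        wb_uid=$(echo "$2" | awk -v u="$user" '$1 == u { print $2 }')
        if [ -z "$wb_uid" ]; then
            echo "$user: no winbind mapping"
        elif [ "$wb_uid" != "$ad_uid" ]; then
            echo "$user: AD uidNumber=$ad_uid winbind uid=$wb_uid"
        fi
    done
}

# Real collection, for use on a DC (assumed default private dir; adjust).
# Pairs sAMAccountName with uidNumber per LDIF record, whatever their order.
collect_ad_map() {
    ldbsearch -H /usr/local/samba/private/sam.ldb '(uidNumber=*)' \
        sAMAccountName uidNumber |
    awk '/^sAMAccountName:/ { u = $2 } /^uidNumber:/ { n = $2 }
         /^$/ { if (u != "" && n != "") print u, n; u = n = "" }
         END  { if (u != "" && n != "") print u, n }'
}

# Resolve each AD user to its SID, then ask winbind which uid that SID gets.
collect_wb_map() {
    echo "$1" | while read -r user _; do
        sid=$(wbinfo -n "$user" | awk '{ print $1 }')
        echo "$user $(wbinfo -S "$sid")"
    done
}
# Against the constructed data; on a DC replace the two variables with
# ad=$(collect_ad_map); compare_mappings "$ad" "$(collect_wb_map "$ad")"
compare_mappings "$AD_MAP" "$WB_MAP"
```

Run it on each DC: any line of output means that DC is not serving the AD uidNumber for that user, so file ownership on cifs mounts will differ between DCs.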