Samba4: idmap replication between 2 DC's

steve steve at steve-ss.com
Fri Jul 13 01:03:47 MDT 2012


On 13/07/12 00:58, Andrew Bartlett wrote:
> On Thu, 2012-07-12 at 18:47 +0200, steve wrote:
>> On 12/07/12 15:11, Andrew Bartlett wrote:
>>> On Thu, 2012-07-12 at 14:43 +0200, steve wrote:
>>>> On 12/07/12 11:25, Andrew Bartlett wrote:
>>>>> On Wed, 2012-07-11 at 21:23 +0200, Gémes Géza wrote:
>>>>>> 2012-07-11 10:58 keltezéssel, steve írta:
>>
>>> Steve,
>>>
>>> Then I think your task is clear.  Please add whatever debugging you feel
>>> is required to the relevant idmap code and work out why the mappings are
>>> not returned.
>>>
>>> Thanks,
>>>
>>
>> Hi Andrew, hi everyone
>>
>> I am getting closer. To begin with,
>> samba-tool user add <user>
>> always creates an entry in idmap.ldb
>>
>> If we want
>> idmap_ldb:use rfc2307 = yes
>> to work, we must delete the entry in idmap.ldb immediately after the
>> user is created.
>
> Can you investigate how this happens?  I can't see what would do that in
> the code.
>
>> That solves the problem for uidNumber on both DC1 and DC2. We can easily
>> change our useradd scripts to do that after we have added the necessary
>> rfc2307 attributes and classes.
>>
>> For groups however removing the idmap.ldb entry does not work. Upon a
>> wbinfo --group-info=<group> a new entry is created in idmap.ldb.
>>
>> Is this correct? Once again, this causes problems as the idmap entries
>> on the replicating DC's are not the same.
>>
>> Can we get the gidNumber to be read from the directory too?
>
> The gidNumber for groups should be read from the directory.  Please
> investigate if this isn't happening.
>
> Andrew Bartlett
>
Hi Andrew, hi everyone

OK. I have established that with
  idmap_ldb:use rfc2307 = yes
in smb.conf, then
samba-tool user add <user>
_no_ entry is made in idmap.ldb but uidNumber from the directory is 
indeed honoured. Correct.

Conclusion 1:
  idmap_ldb:use rfc2307 = yes
works for uidNumber

If I create a new group:
samba-tool group add <group>
and add
  objectClass: posixGroup
and
  gidNumber: <a number>
to the dn, an entry is _always_ created in idmap.ldb. If I delete that group
entry in idmap.ldb and run
  wbinfo --group-info=<group>
a new entry is created in idmap.ldb with a different xidNumber. Disastrous!

Conclusion 2:
  idmap_ldb:use rfc2307 = yes
does not work when gidNumber is in AD

Summary:
  idmap_ldb:use rfc2307 = yes
uidNumber in AD works
gidNumber in AD does not work

Can you help me sort the gidNumber?

Cheers,
Steve
