rfc2307 problems with more than one DC

Daniele Dario d.dario76 at gmail.com
Thu Oct 18 09:45:05 MDT 2012 

On Thu, 2012-10-18 at 17:11 +0200, Daniele Dario wrote:
> Hi list
> I have 2 samba4 AD DCs: I provisioned the domain on kdc02 and than
> joined kdc01.
> 
> [root at kdc02:~]# id KDC01$
> uid=3000059(SAITEL\KDC01$) gid=3000017(Domain Controllers)
> groups=3000017(Domain Controllers)
> [root at kdc02:~]# wbinfo -i KDC01$
> SAITEL\KDC01$:*:3000059:3000017:KDC01$:/home/SAITEL/KDC01$:/bin/bash
> [root at kdc02:~]# sid=`wbinfo --gid-to-sid=3000017` && wbinfo
> --sid-to-name=$sid
> SAITEL\Domain Controllers 2
> 
> while
> 
> [root at kdc01:~]# id KDC01$
> uid=3000027(SAITEL\KDC01$) gid=3000020(Ufficio Tecnico)
> groups=3000020(Ufficio Tecnico)
> [root at kdc01:~]# wbinfo -i KDC01$
> SAITEL\KDC01$:*:3000027:3000020:KDC01$:/home/SAITEL/KDC01$:/bin/bash
> [root at kdc01:~]# sid=`wbinfo --gid-to-sid=3000020` && wbinfo
> --sid-to-name=$sid
> SAITEL\Ufficio Tecnico 2
> 
> Having a look with ldbsearch -H /usr/local/samba/private/sam.ldb -b
> "DC=saitel,DC=loc" on both DCs the given records seems to be the same
> and on both of them I can see
> 
> memberOf: CN=Server Operators,CN=Builtin,DC=saitel,DC=loc
> 
> Given this I used samba-tool group listmembers Server\ Operators and
> I've seen that KDC01$ is (as expected) a member of Server Operators
> group.
> 
> Other thing to note is that getfacl on sysvol returns the group ids and
> it's not able to translate them to names even if I've created the
> symlinks for libnsswinbind.so.
> 
> [root at kdc01:~/samba4/samba-4.0.0rc3]#
> getfacl /usr/local/samba/var/locks/sysvolgetfacl: Removing leading '/'
> from absolute path names
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: adm
> user::rwx
> user:root:rwx
> group::rwx
> group:adm:rwx
> group:3000006:r-x
> group:3000007:rwx
> group:3000008:r-x
> mask::rwx
> other::---
> 
> Trying to get group names with wbinfo (on both DCs)
> 
> [root at kdc01:~/samba4/samba-4.0.0rc3]# wbinfo --gid-info=3000006
> failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not get info for gid 3000006
> 
> while 
> 
> [root at kdc01:~]# sid=`wbinfo --gid-to-sid=3000006` && wbinfo
> --sid-to-name=$sid
> BUILTIN\Server Operators 4
> [root at kdc01:~]# sid=`wbinfo --gid-to-sid=3000007` && wbinfo
> --sid-to-name=$sid
> NT AUTHORITY\SYSTEM 5
> [root at kdc01:~]# sid=`wbinfo --gid-to-sid=3000008` && wbinfo
> --sid-to-name=$sid
> NT AUTHORITY\Authenticated Users 5
> 
> Are these normal behaviours?
> 
> Thanks,
> Daniele.
> 

Ach. I "posixified" the users/groups of my domain and I did this on
kdc02. This action had overtaken the gids of some AD basic groups like
Domain Controllers on the other DC joined to the domain:

[root at kdc01:~]# wbinfo --group-info=Domain\ Controllers
Domain Controllers:*:3000020:
[root at kdc01:~]# wbinfo --group-info=Ufficio\ Tecnico
Ufficio Tecnico:*:3000020:

So even having rfc2307 enabled on both DCs, the action to add
objectClass:posixGroup
gidNumber:`wbinfo --group-info=SomeGroup` caused this problem.

The idea of having the same uid/gid for domain users and groups was to
try to set up a member server and to use it as a backup for the main
fileserver only doing an rsync.
Once I'd have trouble on the main fileserver I thought it was simpler to
reproduce it having an exact copy of the shares with ACLs (migrate from
my samba3.4 requires to set ACLs on all the files and won't work
correctly)

Any idea about solving this or am I totally wrong?

To fix the problem un-posixify users and groups is the only way?

Thanks,
Daniele.

More information about the samba-technical mailing list