rfc2307 problems with more than one DC

Daniele Dario d.dario76 at gmail.com
Fri Oct 19 01:15:58 MDT 2012


On Thu, 2012-10-18 at 17:45 +0200, Daniele Dario wrote:
> On Thu, 2012-10-18 at 17:11 +0200, Daniele Dario wrote:
> > Hi list
> > I have 2 samba4 AD DCs: I provisioned the domain on kdc02 and then
> > joined kdc01.
> > 
> > [root at kdc02:~]# id KDC01$
> > uid=3000059(SAITEL\KDC01$) gid=3000017(Domain Controllers)
> > groups=3000017(Domain Controllers)
> > [root at kdc02:~]# wbinfo -i KDC01$
> > SAITEL\KDC01$:*:3000059:3000017:KDC01$:/home/SAITEL/KDC01$:/bin/bash
> > [root at kdc02:~]# sid=`wbinfo --gid-to-sid=3000017` && wbinfo
> > --sid-to-name=$sid
> > SAITEL\Domain Controllers 2
> > 
> > while
> > 
> > [root at kdc01:~]# id KDC01$
> > uid=3000027(SAITEL\KDC01$) gid=3000020(Ufficio Tecnico)
> > groups=3000020(Ufficio Tecnico)
> > [root at kdc01:~]# wbinfo -i KDC01$
> > SAITEL\KDC01$:*:3000027:3000020:KDC01$:/home/SAITEL/KDC01$:/bin/bash
> > [root at kdc01:~]# sid=`wbinfo --gid-to-sid=3000020` && wbinfo
> > --sid-to-name=$sid
> > SAITEL\Ufficio Tecnico 2
> > 
> > Having a look with ldbsearch -H /usr/local/samba/private/sam.ldb -b
> > "DC=saitel,DC=loc" on both DCs the given records seem to be the same
> > and on both of them I can see
> > 
> > memberOf: CN=Server Operators,CN=Builtin,DC=saitel,DC=loc
> > 
> > Given this I used samba-tool group listmembers Server\ Operators and
> > I've seen that KDC01$ is (as expected) a member of Server Operators
> > group.
> > 
> > Another thing to note is that getfacl on sysvol returns the group ids and
> > it's not able to translate them to names even if I've created the
> > symlinks for libnsswinbind.so.
> > 
> > [root at kdc01:~/samba4/samba-4.0.0rc3]# getfacl /usr/local/samba/var/locks/sysvol
> > getfacl: Removing leading '/' from absolute path names
> > # file: usr/local/samba/var/locks/sysvol
> > # owner: root
> > # group: adm
> > user::rwx
> > user:root:rwx
> > group::rwx
> > group:adm:rwx
> > group:3000006:r-x
> > group:3000007:rwx
> > group:3000008:r-x
> > mask::rwx
> > other::---
> > 
> > Trying to get group names with wbinfo (on both DCs)
> > 
> > [root at kdc01:~/samba4/samba-4.0.0rc3]# wbinfo --gid-info=3000006
> > failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not get info for gid 3000006
> > 
> > while 
> > 
> > [root at kdc01:~]# sid=`wbinfo --gid-to-sid=3000006` && wbinfo
> > --sid-to-name=$sid
> > BUILTIN\Server Operators 4
> > [root at kdc01:~]# sid=`wbinfo --gid-to-sid=3000007` && wbinfo
> > --sid-to-name=$sid
> > NT AUTHORITY\SYSTEM 5
> > [root at kdc01:~]# sid=`wbinfo --gid-to-sid=3000008` && wbinfo
> > --sid-to-name=$sid
> > NT AUTHORITY\Authenticated Users 5
> > 
> > Are these normal behaviours?
> > 
> > Thanks,
> > Daniele.
> > 
> 
> Ach. I "posixified" the users/groups of my domain and I did this on
> kdc02. This action had overtaken the gids of some AD basic groups like
> Domain Controllers on the other DC joined to the domain:
> 
> [root at kdc01:~]# wbinfo --group-info=Domain\ Controllers
> Domain Controllers:*:3000020:
> [root at kdc01:~]# wbinfo --group-info=Ufficio\ Tecnico
> Ufficio Tecnico:*:3000020:
> 
> So even having rfc2307 enabled on both DCs, the action of adding
> objectClass:posixGroup
> gidNumber:`wbinfo --group-info=SomeGroup` caused this problem.
> 
> The idea of having the same uid/gid for domain users and groups was to
> try to set up a member server and to use it as a backup for the main
> fileserver, only doing an rsync.
> If I ever had trouble on the main fileserver, I thought it would be simpler to
> reproduce it having an exact copy of the shares with ACLs (migrating from
> my samba3.4 requires setting ACLs on all the files and won't work
> correctly).
> 
> Any idea about solving this or am I totally wrong?
> 
> To fix the problem, is un-posixifying users and groups the only way?
> 
> Thanks,
> Daniele.
> 

Why do default AD users and groups not get default UIDs/GIDs that won't
overlap those taken by users/groups created by domain admins?
I was just a "user" of MS AD, so I had no experience in having more than one MS
DC, but it seems to me that when I join another DC to the domain, it
will simplify operations if the default users/groups get the same
UIDs/GIDs.
Obviously being a "secondary" DC on a domain provisioned on an MS DC can
be problematic if you trust what the primary DC tells you (maybe it won't
have the right values).
But if you reserve a given amount of UIDs/GIDs for the default AD
users/groups there should be no overlaps, shouldn't there?

I'm sure this question has already been discussed (perhaps during the
earlier stages of samba4 development), but I'm just asking if someone can
explain it to me.

Thanks for your time,
Daniele.
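The failure described above (an RFC2307 gidNumber written into AD on one DC colliding with an xidNumber the other DC's local, non-replicated idmap.ldb had already handed to a different group) can be checked for before it bites. The script below is an added example, not code from the thread or from Samba; it assumes ldbsearch-style LDIF dumps of sam.ldb (cn/objectSid/gidNumber of posixGroup entries) and of the local idmap.ldb (objectSid/xidNumber of sidMap entries), and the SIDs and ids in the samples are constructed.

```python
from collections import defaultdict

# Constructed sample of what `ldbsearch -H sam.ldb '(objectClass=posixGroup)'
# cn objectSid gidNumber` prints; these attributes are replicated to every DC.
SAM_LDIF = """\
dn: CN=Ufficio Tecnico,CN=Users,DC=saitel,DC=loc
cn: Ufficio Tecnico
objectSid: S-1-5-21-1111-2222-3333-1105
gidNumber: 3000020

dn: CN=Domain Users,CN=Users,DC=saitel,DC=loc
cn: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 3000011
"""

# Constructed sample of what `ldbsearch -H idmap.ldb '(objectClass=sidMap)'
# objectSid xidNumber` prints on one DC; idmap.ldb is local and NOT replicated,
# so RID 516 (Domain Controllers) got 3000020 here independently of kdc02.
IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111-2222-3333-516
objectSid: S-1-5-21-1111-2222-3333-516
xidNumber: 3000020

dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
xidNumber: 3000011
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per blank-line-separated
    entry. Folded lines (leading space) are joined; base64 '::' values are not
    decoded, which is fine for the string-form SIDs ldbsearch prints."""
    entries, cur, last = [], defaultdict(list), None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(dict(cur))
            cur, last = defaultdict(list), None
        elif line.startswith(" ") and last:
            cur[last][-1] += line[1:]
        else:
            attr, _, val = line.partition(":")
            last = attr.strip()
            cur[last].append(val.strip())
    if cur:
        entries.append(dict(cur))
    return entries

def find_gid_collisions(sam_ldif, idmap_ldif):
    """Return [(gid, ad_sid, local_sid)] for every RFC2307 gidNumber in AD that
    equals an xidNumber this DC already allocated to a *different* SID."""
    local = {e["xidNumber"][0]: e["objectSid"][0]
             for e in parse_ldif(idmap_ldif) if "xidNumber" in e}
    hits = []
    for e in parse_ldif(sam_ldif):
        if "gidNumber" not in e:
            continue
        gid, sid = e["gidNumber"][0], e["objectSid"][0]
        if gid in local and local[gid] != sid:
            hits.append((int(gid), sid, local[gid]))
    return hits
```

Run it against dumps taken on each DC in turn; any hit means that DC will resolve two groups to one gid, exactly as kdc01 did for Domain Controllers and Ufficio Tecnico.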



More information about the samba-technical mailing list