wellknown and uid/gid interactions on multi DC samba AD domain

Daniele Dario d.dario76 at gmail.com
Wed May 14 07:19:24 MDT 2014 


On mer, 2014-05-14 at 14:07 +0100, Rowland Penny wrote:
> On 14/05/14 14:06, Daniele Dario wrote:
> >
> > On mer, 2014-05-14 at 14:02 +0100, Rowland Penny wrote:
> >> On 14/05/14 13:57, Daniele Dario wrote:
> >>> On mer, 2014-05-14 at 13:36 +0100, Rowland Penny wrote:
> >>>> On 14/05/14 13:26, Daniele Dario wrote:
> >>>>> Hi again,
> >>>>>
> >>>>> On mer, 2014-05-14 at 12:33 +0200, steve wrote:
> >>>>>> On Wed, 2014-05-14 at 12:23 +0200, Daniele Dario wrote:
> >>>>>>> Now as you said the uids/gids are the same on the 2 DCs so again thanks.
> >>>>>>>
> >>>>>> Well done.
> >>>>>>
> >>>>>>> I have a question about the sysvol: I noticed that the group of the
> >>>>>>> sysvol folder is different on the two DCs.
> >>>>>>> On the 1st DC (4.1.0):
> >>>>>>> [root at kdc01:locks]# ls -n sysvol/
> >>>>>>> total 8
> >>>>>>> drwxrwx---+ 4 0 4 4096 Sep 24  2012 saitel.loc
> >>>>>>>
> >>>>>>> On the 2nd DC (4.1.7):
> >>>>>>> [root at kdc03:locks]# ls -n sysvol/
> >>>>>>> total 8
> >>>>>>> drwxrwx---+ 4 0 3000000 4096 May  8 16:18 saitel.loc
> >>>>>>>
> >>>>>>> [root at kdc03:locks]# wbinfo -G 3000000
> >>>>>>> S-1-5-32-544
> >>>>>>> [root at kdc03:locks]# wbinfo -s S-1-5-32-544
> >>>>>>> BUILTIN\Administrators 4
> >>>>>>>
> >>>>>>> If I read it correctly BUILTIN\Administrators should be mapped as 4 so
> >>>>>>> same as on the other one.
> >>>>>> What does S-1-5-32-544 look like in the respective idmap.ldb dbs?
> >>>>> On kdc01 I get
> >>>>> # record 53
> >>>>> dn: CN=S-1-5-32-544
> >>>>> cn: S-1-5-32-544
> >>>>> objectClass: sidMap
> >>>>> objectSid: S-1-5-32-544
> >>>>> type: ID_TYPE_GID
> >>>>> xidNumber: 4
> >>>>> distinguishedName: CN=S-1-5-32-544
> >>>> Have you altered idmap.ldb ?? if you find 'idmap_init.ldif' on your
> >>>> system, it should contain this:
> >>>>
> >>>> dn: CN=CONFIG
> >>>> cn: CONFIG
> >>>> lowerBound: 3000000
> >>>> upperBound: 4000000
> >>>>
> >>>> dn: @INDEXLIST
> >>>> @IDXATTR: xidNumber
> >>>> @IDXATTR: objectSid
> >>>>
> >>>> and '4' is a lot lower than '3000000' ;-)
> >>>>
> >>>> Rowland
> >>>>
> >>> No I didn't. Would it be possible that when I provisioned the domain
> >>> (can't remember the right number but it was one of the latest alpha
> >>> releases) it was different?
> >> Possibly, I think that we need to find out just what version you are
> >> running, 'samba -V' should give us this.
> > Sorry but samba -V tells 4.1.0 on kdc01 because I upgraded it almost on
> > every release until 4.1.0 has been released.
> >
> >>> And what about the difference in type? On the older I have type:
> >>> ID_TYPE_GID and in the newly added I have type: ID_TYPE_BOTH.
> >> I seem to remember there being a problem like this, but cannot remember
> >> just when.
> >>
> >> Rowland
> >>
> >>> Daniele.
> >>>
> >
> Could you please post the smb.conf from both DC's
> 
> Rowland
> 
Here they are:

kdc01:

# Global parameters
[global]
        workgroup = SAITEL
        realm = saitel.loc
        netbios name = KDC01
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        log file = /var/log/log.samba
        log level = 2
        max log size = 10000

        printcap name = /dev/null
        load printers = no
        printing = bsd

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

kdc03:

# Global parameters
[global]
        workgroup = SAITEL
        realm = saitel.loc
        netbios name = KDC03
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        template shell = /bin/bash
        log file = /var/log/log.samba
        log level = 2

        printing = cups
        printcap name = /var/run/cups/printcap
        load printers = yes

        rpc_server:spoolss = external
        rpc_daemon:spoolssd = fork

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
        read only = no

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = no

[printers]
        path = /var/spool/samba
        printable = yes
        printing = CUPS

[print$]
        path = /srv/samba/Printer_drivers
        comment = Printer Drivers
        writeable = yes

[homes]
        read only = no

... all the network shares

On kdc03 I'm also trying to get the print server but this will be
another story I guess :)

Daniele.

More information about the samba-technical mailing list