wellknown and uid/gid interactions on multi DC samba AD domain

Rowland Penny repenny241155 at gmail.com
Wed May 14 07:30:19 MDT 2014 

On 14/05/14 14:19, Daniele Dario wrote:
>
> On mer, 2014-05-14 at 14:07 +0100, Rowland Penny wrote:
>> On 14/05/14 14:06, Daniele Dario wrote:
>>> On mer, 2014-05-14 at 14:02 +0100, Rowland Penny wrote:
>>>> On 14/05/14 13:57, Daniele Dario wrote:
>>>>> On mer, 2014-05-14 at 13:36 +0100, Rowland Penny wrote:
>>>>>> On 14/05/14 13:26, Daniele Dario wrote:
>>>>>>> Hi again,
>>>>>>>
>>>>>>> On mer, 2014-05-14 at 12:33 +0200, steve wrote:
>>>>>>>> On Wed, 2014-05-14 at 12:23 +0200, Daniele Dario wrote:
>>>>>>>>> Now as you said the uids/gids are the same on the 2 DCs so again thanks.
>>>>>>>>>
>>>>>>>> Well done.
>>>>>>>>
>>>>>>>>> I have a question about the sysvol: I noticed that the group of the
>>>>>>>>> sysvol folder is different on the two DCs.
>>>>>>>>> On the 1st DC (4.1.0):
>>>>>>>>> [root at kdc01:locks]# ls -n sysvol/
>>>>>>>>> total 8
>>>>>>>>> drwxrwx---+ 4 0 4 4096 Sep 24  2012 saitel.loc
>>>>>>>>>
>>>>>>>>> On the 2nd DC (4.1.7):
>>>>>>>>> [root at kdc03:locks]# ls -n sysvol/
>>>>>>>>> total 8
>>>>>>>>> drwxrwx---+ 4 0 3000000 4096 May  8 16:18 saitel.loc
>>>>>>>>>
>>>>>>>>> [root at kdc03:locks]# wbinfo -G 3000000
>>>>>>>>> S-1-5-32-544
>>>>>>>>> [root at kdc03:locks]# wbinfo -s S-1-5-32-544
>>>>>>>>> BUILTIN\Administrators 4
>>>>>>>>>
>>>>>>>>> If I read it correctly BUILTIN\Administrators should be mapped as 4 so
>>>>>>>>> same as on the other one.
>>>>>>>> What does S-1-5-32-544 look like in the respective idmap.ldb dbs?
>>>>>>> On kdc01 I get
>>>>>>> # record 53
>>>>>>> dn: CN=S-1-5-32-544
>>>>>>> cn: S-1-5-32-544
>>>>>>> objectClass: sidMap
>>>>>>> objectSid: S-1-5-32-544
>>>>>>> type: ID_TYPE_GID
>>>>>>> xidNumber: 4
>>>>>>> distinguishedName: CN=S-1-5-32-544
>>>>>> Have you altered idmap.ldb ?? if you find 'idmap_init.ldif' on your
>>>>>> system, it should contain this:
>>>>>>
>>>>>> dn: CN=CONFIG
>>>>>> cn: CONFIG
>>>>>> lowerBound: 3000000
>>>>>> upperBound: 4000000
>>>>>>
>>>>>> dn: @INDEXLIST
>>>>>> @IDXATTR: xidNumber
>>>>>> @IDXATTR: objectSid
>>>>>>
>>>>>> and '4' is a lot lower than '3000000' ;-)
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> No I didn't. Would it be possible that when I provisioned the domain
>>>>> (can't remember the right number but it was one of the latest alpha
>>>>> releases) it was different?
>>>> Possibly, I think that we need to find out just what version you are
>>>> running, 'samba -V' should give us this.
>>> Sorry but samba -V tells 4.1.0 on kdc01 because I upgraded it almost on
>>> every release until 4.1.0 has been released.
>>>
>>>>> And what about the difference in type? On the older I have type:
>>>>> ID_TYPE_GID and in the newly added I have type: ID_TYPE_BOTH.
>>>> I seem to remember there being a problem like this, but cannot remember
>>>> just when.
>>>>
>>>> Rowland
>>>>
>>>>> Daniele.
>>>>>
>> Could you please post the smb.conf from both DC's
>>
>> Rowland
>>
> Here they are:
>
> kdc01:
>
> # Global parameters
> [global]
>          workgroup = SAITEL
>          realm = saitel.loc
>          netbios name = KDC01
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>          idmap_ldb:use rfc2307 = yes
>          template shell = /bin/bash
>          log file = /var/log/log.samba
>          log level = 2
>          max log size = 10000
>
>          printcap name = /dev/null
>          load printers = no
>          printing = bsd
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
> kdc03:
>
> # Global parameters
> [global]
>          workgroup = SAITEL
>          realm = saitel.loc
>          netbios name = KDC03
>          server role = active directory domain controller
>          dns forwarder = 8.8.8.8
>          idmap_ldb:use rfc2307 = yes
>          template shell = /bin/bash
>          log file = /var/log/log.samba
>          log level = 2
>
>          printing = cups
>          printcap name = /var/run/cups/printcap
>          load printers = yes
>
>          rpc_server:spoolss = external
>          rpc_daemon:spoolssd = fork
>
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/saitel.loc/scripts
>          read only = no
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = no
>
> [printers]
>          path = /var/spool/samba
>          printable = yes
>          printing = CUPS
>
> [print$]
>          path = /srv/samba/Printer_drivers
>          comment = Printer Drivers
>          writeable = yes
>
> [homes]
>          read only = no
>
> ... all the network shares
>
> On kdc03 I'm also trying to get the print server but this will be
> another story I guess :)
>
> Daniele.
>
I cannot see any problem there, I have also done a dive into the samba 
archives and as far as I can see the idmap.ldb range has always started 
at 3000000, so where that '4' comes from I have no idea.

I think that somehow you need to get your first DC setup (idmap.ldb 
wise) like your second DC, run sysvolreset on your first DC, rsync 
sysvol to second DC and then sysvolreset your second DC.

Rowland

More information about the samba-technical mailing list