[Samba] [PLUG] Problems using multiple Samba servers in a Win2003 AD domain - more

Mike Leone turgon at mike-leone.com
Mon May 3 18:21:24 MDT 2010

On 05/03/2010 04:14 PM, Dale Schroeder wrote:
> On 05/02/2010 10:32 PM, Mike Leone wrote:
>> Here's what I don't understand - the user I am trying to mount shares
>> with, does not show up the same on both systems, yet the smb.confs are
>> the same.
>> From workhorse:
>> $ getent passwd
>> <snip>
>> DACRIB+turgon:*:10007:10012:Mike Leone:/home/DACRIB/turgon:/bin/bash
>> $ getent group
>> <snip>
>> DACRIB+domain users:x:10012:
>> From Dual-Booter:
>> $ getent passwd
>> <snip>
>> DACRIB+turgon:*:10003:10000:Mike Leone:/home/DACRIB/turgon:/bin/bash
>> $ getent group
>> <snip>
>> DACRIB+domain users:x:10000:
>> Is this the reason I can't mount? Shouldn't the group IDs be equivalent
>> on both Samba servers, especially since the smb.confs have the same
>> settings?
> Mike,
> Since I see you're using RID for the idmap backend, 

Only because I found a web howto that recommended it. :-) Apparently, I
need the domain uid and gid to be the same on different Samba servers,
and this page recommended RID as the way to do it.

> yes, the user and
> group ID's should be the same across all Samba servers.
> I can't say if that's your only problem.  You might try regenerating
> /var/cache/samba/idmap_cache.tdb on both systems to see
> which is correct.  Be aware that you will have to reset directory/file
> permissions on the incorrect system after this is done.

How do I do that? Do I just stop winbind and samba; delete the
idmap_cache.tdb; and restart winbind and samba?

I believe I had started fresh, by leaving the domain; deleting all .tdb
files; rejoining the domain. But I may be mis-remembering ...

> If you only have one domain, 

I do.

> you might also try the simpler, old-style idmap_rid declaration.
>     #idmap config DACRIB:range = 10000 - 20000
>     #idmap config DACRIB:backend = rid
>     #idmap config DACRIB:schema_mode = rfc2307
>     idmap backend = rid:DACRIB=10000-20000
> For testing purposes, also note that for idmap_rid, the defaults for
> "auth methods" and "winbind nss info" are  usually sufficient.

I can give that a shot, sure. :-)

> Although it may not matter, there are some significant differences in
> the smb.conf's.  Specifically, in Dual-Booter, you have
> set some parameters in [global] (that are normally reserved for shares)
> which are not declared in workhorse.
> [global]
>     read only = No
>     create mask = 0700
>     directory mask = 0775

I can lose those, no big deal.

> Additionally, Dual-Booter has the following, but workhorse does not.
>     invalid users = root

I am told (on another list) that I will need to use nss_ldap, if I
want(need?) to keep domain lookups consistent across Samba servers.
Using winbind for NSS only guarantees consistent uid/gids on one server.

Such conflicting information is what makes these ... less than
enjoyable. :-)
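
Added example (not part of the original message or of Samba itself): a shell check for the mapping mismatch discussed in this thread. It compares `getent passwd` or `getent group` output saved from two Samba servers and reports names whose uid/gid differ; the function name `idmap_diff` and the temporary file names are assumptions made for illustration.

```shell
#!/bin/sh
# Compare winbind ID mappings captured from two Samba servers.
# Usage: idmap_diff passwd|group FILE_A FILE_B
# FILE_A and FILE_B hold `getent passwd` or `getent group` output, one per host.
# (idmap_diff is a hypothetical helper name, not a Samba tool.)
idmap_diff() {
    kind=$1
    awk -F: -v kind="$kind" '
        # IDs that matter: uid and gid for passwd entries, gid for group entries
        function ids() {
            if (kind == "passwd") return $3 ":" $4
            return $3
        }
        NR == FNR { seen[$1] = ids(); next }   # first file: remember each mapping
        ($1 in seen) {                         # second file: compare by name
            if (seen[$1] != ids())
                printf "MISMATCH %s: %s vs %s\n", $1, seen[$1], ids()
            delete seen[$1]
            next
        }
        { printf "ONLY_B %s\n", $1 }           # name resolves on host B only
        END { for (n in seen) printf "ONLY_A %s\n", n }
    ' "$2" "$3"
}

# Demo using the two passwd lines quoted in the message above.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'DACRIB+turgon:*:10007:10012:Mike Leone:/home/DACRIB/turgon:/bin/bash' \
        > "$tmp/workhorse"
    printf '%s\n' \
        'DACRIB+turgon:*:10003:10000:Mike Leone:/home/DACRIB/turgon:/bin/bash' \
        > "$tmp/dualbooter"
    idmap_diff passwd "$tmp/workhorse" "$tmp/dualbooter"
    rm -rf "$tmp"
}

demo
```

An empty result means every name present on both hosts maps to the same IDs, so file ownership set through one server is interpreted the same way on the other.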
