[Samba] issue with multiple Samba DC and uid/gid assignment.

Rowland Penny rowlandpenny at googlemail.com
Sun Aug 25 06:23:33 MDT 2013

On 25/08/13 08:56, steve wrote:
> On Sat, 2013-08-24 at 23:02 +0000, dahopkins at comcast.net wrote:
>> Notice that the group id and uid are both different. Why?
> How did you provision the second DC? Are they replicating OK? When they
> are, both DCs need:
> idmap_ldb:use rfc2307 = Yes
> in the [global] of their smb.conf
> On either DC, winbind will only pull uid and gid from AD. If you want to
> see all of rfc2307, you must use sssd or nslcd. Then getent passwd will
> show not only the correct uidNumber and gidNumber, but also the
> loginShell and unixHomeDirectory too.
> Advice: don't use Test24.User as a username for debugging. Lose the
> capitalisation and the dot.
> Steve
Hi Steve, I think that you have inadvertently found a bug. I have never
run wbinfo -i on my second AD server, so I tried it and got this:

root@dc2:~# getent passwd user
root@dc2:~# wbinfo -i user

Hmm, something wrong there, looked in the smb.conf created by the join:

samba-tool domain join example.com DC -Uadministrator --realm=example.com --dns-backend=BIND9_DLZ

There was no line: 'idmap_ldb:use rfc2307 = Yes' even though it exists 
in the main dc smb.conf.

So I added it, restarted Samba 4 and now get this:

root@dc2:~# getent passwd user
root@dc2:~# wbinfo -i user

So it would seem that any secondary DC that is created is not set up to 
use RFC2307 even if the main DC is.
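
A check for the gap described in this message, added here as an example and not part of the original post or of Samba: a shell function that reports whether the [global] section of an smb.conf enables idmap_ldb:use rfc2307, run against two constructed sample files. The function names, file names and sample contents are assumptions, as is the whitespace normalisation applied to the parameter name.

```shell
#!/bin/sh
# Added example: does [global] in an smb.conf enable idmap_ldb:use rfc2307?
# Parameter names are not case sensitive; this example also squeezes
# whitespace in the name before comparing (an assumption of the example).

rfc2307_enabled() {
    # $1 = path to smb.conf; exit status 0 if enabled, 1 otherwise
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]")
            next
        }
        in_global && index($0, "=") {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1))
            val = tolower(substr($0, eq + 1))
            gsub(/[ \t]+/, " ", key); gsub(/^ | $/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "idmap_ldb:use rfc2307")  # last occurrence wins
                found = (val == "yes" || val == "true" || val == "on" || val == "1")
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configs: dc1 carries the setting, dc2 is a joined DC
# whose smb.conf lacks it (only a commented-out copy is present).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[global]' '    realm = EXAMPLE.COM' \
        '    idmap_ldb:use rfc2307 = Yes' > "$d/dc1.conf"
    printf '%s\n' '[global]' '    realm = EXAMPLE.COM' \
        '    # idmap_ldb:use rfc2307 = Yes' '[netlogon]' \
        '    read only = No' > "$d/dc2.conf"
    for f in "$d/dc1.conf" "$d/dc2.conf"; do
        if rfc2307_enabled "$f"; then
            echo "${f##*/}: rfc2307 enabled"
        else
            echo "${f##*/}: rfc2307 MISSING"
        fi
    done
    rm -rf "$d"
}

demo
```

Running the function against the real smb.conf on every DC after each join shows whether all of them agree before uid/gid values are compared.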

