[Samba] issue with multiple Samba DC and uid/gid assignment.

Rowland Penny rowlandpenny at googlemail.com
Sun Aug 25 06:23:33 MDT 2013


On 25/08/13 08:56, steve wrote:
> On Sat, 2013-08-24 at 23:02 +0000, dahopkins at comcast.net wrote:
>
>>
>> Notice that the group id and uid are both different. Why?
> How did you provision the second DC? Are they replicating OK? When they
> are, both DCs need:
> idmap_ldb:use rfc2307 = Yes
> in the [global] of their smb.conf
>
> On either DC, winbind will only pull uid and gid from AD. If you want to
> see all of rfc2307, you must use sssd or nslcd. Then getent passwd will
> show not only the correct uidNumber and gidNumber, but also the
> loginShell and unixHomeDirectory too
>
> Advice: don't use Test24.User as a username for debugging. Lose the
> capitalisation and the dot.
> HTH
> Steve
>
>
Hi Steve, I think that you have inadvertently found a bug. I have never
run wbinfo -i on my second AD server, so I tried it and got this:

root@dc2:~# getent passwd user
user:*:3001106:20513:user:/DOMAIN/DOMAIN/user:to/bin/bash
root@dc2:~# wbinfo -i user
DOMAIN\user:*:3000007:100::/DOMAIN/DOMAIN/user:/bin/false

Hmm, something wrong there, looked in the smb.conf created by the join:

samba-tool domain join example.com DC -Uadministrator --realm=example.com --dns-backend=BIND9_DLZ

There was no line: 'idmap_ldb:use rfc2307 = Yes' even though it exists 
in the main dc smb.conf.

So I added it, restarted Samba 4 and now get this:

root@dc2:~# getent passwd user
user:*:3001106:20513:user:/home/HOME/user:/bin/bash
root@dc2:~# wbinfo -i user
HOME\user:*:3001106:20513::/home/HOME/user:/bin/false

So it would seem that any secondary DC that is created is not set up to 
use RFC2307 even if the main DC is.

Rowland
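
A check for the condition described in this message, added here as an example and not taken from the thread or from the Samba project: it tests whether the [global] section of an smb.conf enables 'idmap_ldb:use rfc2307', and whether two passwd-format lines (getent vs. wbinfo -i) carry the same uid and gid. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names); run on each DC after a join.

# has_rfc2307 [FILE]: succeed if [global] sets "idmap_ldb:use rfc2307" to a
# true value. Reads stdin when no file is given. Keys are compared without
# regard to case or repeated whitespace; yes/true/on/1 count as true.
has_rfc2307() {
    awk '
        /^[ \t]*[#;]/ { next }                    # comment lines
        /^[ \t]*\[/ {                             # section header
            sec = tolower($0); gsub(/[ \t]/, "", sec)
            in_global = (sec == "[global]"); next
        }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "idmap_ldb:use rfc2307")
                found = (val == "yes" || val == "true" || val == "on" || val == "1")
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# ids_of LINE: print "uid:gid" (fields 3 and 4) of a passwd-format line.
ids_of() { printf '%s\n' "$1" | cut -d: -f3,4; }

# ids_match A B: succeed if both lines carry the same uid and gid.
ids_match() { [ "$(ids_of "$1")" = "$(ids_of "$2")" ]; }

# Constructed sample: a [global] section without the parameter, as the
# message reports for the smb.conf written by the join.
joined_dc_conf='[global]
    workgroup = DOMAIN
    realm = example.com
    server role = active directory domain controller'
if ! printf '%s\n' "$joined_dc_conf" | has_rfc2307; then
    echo "WARN: idmap_ldb:use rfc2307 not enabled in [global]"
fi

# Sample lines built from the uid/gid values posted before the fix.
if ! ids_match 'user:*:3001106:20513:user:/DOMAIN/DOMAIN/user:/bin/bash' \
               'DOMAIN\user:*:3000007:100::/DOMAIN/DOMAIN/user:/bin/false'; then
    echo "WARN: getent and wbinfo report different uid/gid for the same user"
fi
```

On a live DC the two lines would come from `getent passwd user` and `wbinfo -i user`, and the config from that DC's own smb.conf.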

