[Samba] Samba 4 two DCs no matching UID/GID
Rowland Penny
rowlandpenny at googlemail.com
Wed Dec 10 03:01:29 MST 2014
On 09/12/14 22:49, Tim wrote:
> But will this idmap.ldb change work for upcoming new users or groups
> so that uid/gid will not be different?
>
> The wiki tells us about built-in groups. Those have the right ids.
>
>
>
> On 9 December 2014 23:03:44 CET, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> On 09/12/14 21:07, Tim wrote:
>
> Hello all, I have a fresh install of two CentOS 7 machines. On
> DC1 I made a domain provision with --use-rfc2307. On DC2 I
> made a join as DC - both exactly as the wiki advised. Because
> it was missing, I added the idmap use rfc2307 yes parameter to
> smb.conf. I will have an extra share on both DCs. Today I
> realized that wbinfo shows different UID/GID for the same
> users or groups on the DCs. I created the users/groups via
> RSAT. I don't have a Unix attributes tab in RSAT. Is that my
> problem for different uid/gid? Thanks in advance Tim
>
>
> Hi, I think your problem is that idmap.ldb does not replicate to the new
> DC, this means that users get different UIDs on the two DCs.
>
> If you run:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> on each DC, you will be able to see the differences.
>
> The cure? Copy idmap.ldb from the first DC to any secondary DCs after
> the join.
>
> It is documented here:
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC , near the bottom
> of the page.
>
> Rowland
>
I take it that you didn't read this page on the wiki:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
You are running into one of the reasons why it is not recommended to
use the DC as a fileserver. You have two choices here: either set up a
separate member server to use as a fileserver, or use sssd or nslcd to
pull the RFC2307 attributes that you will need to add to the users/groups.
Whatever you do, you will need to copy idmap.ldb to any secondary DCs.
Rowland
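
Added example, not part of the original message and not Samba project code: a small Python check that compares the SID-to-xidNumber mappings dumped from idmap.ldb on two DCs and lists where they disagree. It assumes the dumps come from `ldbsearch -H /var/lib/samba/private/idmap.ldb` and that mapping records use `objectClass: sidMap` with `cn`, `type` and `xidNumber` attributes; the sample dumps, SIDs and IDs are constructed.

```python
import re

# Constructed sample dumps (made-up SIDs and IDs). Assumed record layout:
# sidMap entries with cn/type/xidNumber, plus a CN=CONFIG allocator record.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
REC = "dn: CN={0}\ncn: {0}\nobjectClass: sidMap\nobjectSid: {0}\ntype: {1}\nxidNumber: {2}\n"
CONFIG = "dn: CN=CONFIG\ncn: CONFIG\nlowerBound: 3000000\nupperBound: 4000000\nxidNumber: {0}\n"

DC1_DUMP = "\n".join([
    "# record 1\n" + CONFIG.format(3000018),
    "# record 2\n" + REC.format("S-1-5-32-544", "ID_TYPE_BOTH", 3000000),
    "# record 3\n" + REC.format(DOM + "-1104", "ID_TYPE_BOTH", 3000017),
    "# record 4\n" + REC.format(DOM + "-1105", "ID_TYPE_BOTH", 3000016),
])
DC2_DUMP = "\n".join([
    "# record 1\n" + CONFIG.format(3000013),
    "# record 2\n" + REC.format("S-1-5-32-544", "ID_TYPE_BOTH", 3000000),
    "# record 3\n" + REC.format(DOM + "-1104", "ID_TYPE_BOTH", 3000012),
])


def parse_idmap(dump):
    """Return {SID: (type, xidNumber)} for every sidMap record in an LDIF dump."""
    mappings = {}
    for block in re.split(r"\n\s*\n", dump.strip()):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # skip "# record N" comments and stray lines
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        # CN=CONFIG also has an xidNumber (allocator state) but is not a mapping.
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mappings[attrs["cn"]] = (attrs.get("type", "?"), int(attrs["xidNumber"]))
    return mappings


def compare(dump_a, dump_b):
    """Return (mismatched, only_in_a, only_in_b) between two idmap.ldb dumps."""
    a, b = parse_idmap(dump_a), parse_idmap(dump_b)
    mismatched = {s: (a[s], b[s]) for s in a.keys() & b.keys() if a[s] != b[s]}
    return mismatched, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


if __name__ == "__main__":
    mismatched, only1, only2 = compare(DC1_DUMP, DC2_DUMP)
    for sid, (m1, m2) in sorted(mismatched.items()):
        print(f"MISMATCH {sid}: DC1={m1} DC2={m2}")
    print("only on DC1:", only1, "| only on DC2:", only2)
```

An empty result on all three lists after copying idmap.ldb from the first DC means both DCs hand out the same IDs for the SIDs already mapped.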