[Samba] Samba 4 two DCs no matching UID/GID

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 10 05:48:40 MST 2014

On 10/12/14 12:21, rintimtim at gmx.net wrote:
> Thanks for the advice of copying the idmap.ldb. That works.
> After adding zum users the uid and gid begin to differ again. I read 
> that it is not recommended to run a DC as a fileserver but in my case 
> it's not really an option. It's a network of twelve clients, so four 
> servers are incommensurate to this amount of clients.
> I searched regarding sssd, because my nsswitch.conf also has it. But 
> how do I have to configure it all?
> My actual nsswitch.conf provides the following:
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> services:   files sss
> netgroup:   files sss
> Another alternative seems to be regarding the idmap.ldb with my 
> unidirectional rsync replication of the sysvol-folder.
> *Gesendet:* Mittwoch, 10. Dezember 2014 um 11:01 Uhr
> *Von:* "Rowland Penny" <rowlandpenny at googlemail.com>
> *An:* Tim <rintimtim at gmx.net>, samba at lists.samba.org
> *Betreff:* Re: [Samba] Samba 4 two DCs no matching UID/GID
> On 09/12/14 22:49, Tim wrote:
>     But will this idmap.ldb change work for upcoming new users or
>     groups so that uid/gid will not be different?
>     The wiki tells us about built-in groups. Those have the right ids.
>     Am 9. Dezember 2014 23:03:44 MEZ, schrieb Rowland Penny
>     <rowlandpenny at googlemail.com>:
>         On 09/12/14 21:07, Tim wrote:
>             Hello all, I have a fresh install of two CentOS 7
>             machines. On DC1 I made a domain provision with
>             --use-rfc2307. In DC2 I made a join as DC - both exactly
>             as the wiki advised. In fact of its missing I added the
>             idmap use rfc2307 yes parameter to smb.conf. I will have
>             an extra share on both DCs. Today I realized, that wbinfo
>             shows different UID/GID for the same users or groups on
>             the DC's. I created the users/groups via RSAT. I don't
>             have a Unix attributes tab in RSAT. Is that my problem for
>             different uid/gid? Thanks in advance Tim
>         Hi, I think your problem is that idmap.ldb does not replicate
>         to the new DC, this means that users get different UID's on
>         the two DC's. If you run: ldbedit -e nano -H
>         /var/lib/samba/private/idmap.ldb on each DC, you will be able
>         to see the differences. The cure ? copy idmap.ldb from the
>         first DC to any secondary DC's after the join. It is
>         documented here:
>         https://wiki.samba.org/index.php/Join_a_domain_as_a_DC , near
>         the bottom of the page. Rowland
> I take it that you didn't read this page on the wiki: 
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
> You are running into one of the problems why it is not recommended to 
> use the DC as a fileserver, you have two choices here, either set up a 
> separate member server to use as a fileserver, or use sssd or nlscd to 
> pull the RFC2307 attributes that you will need to add to the users/groups.
> Whatever you do, you will need to copy idmap.ldb to any secondary DC's.
> Rowland

Did you search on the samba wiki ???? : 


More information about the samba mailing list