[Samba] Samba 4 two DCs no matching UID/GID
Rowland Penny
rowlandpenny at googlemail.com
Wed Dec 10 05:48:40 MST 2014
On 10/12/14 12:21, rintimtim at gmx.net wrote:
> Thanks for the advice of copying the idmap.ldb. That works.
> After adding zum users the uid and gid begin to differ again. I read
> that it is not recommended to run a DC as a fileserver but in my case
> it's not really an option. It's a network of twelve clients, so four
> servers are incommensurate to this amount of clients.
> I searched regarding sssd, because my nsswitch.conf also has it. But
> how do I have to configure it all?
> My actual nsswitch.conf provides the following:
> passwd: files sss
> shadow: files sss
> group: files sss
> services: files sss
> netgroup: files sss
> Another alternative seems to be regarding the idmap.ldb with my
> unidirectional rsync replication of the sysvol-folder.
> *Sent:* Wednesday, 10 December 2014 at 11:01
> *From:* "Rowland Penny" <rowlandpenny at googlemail.com>
> *To:* Tim <rintimtim at gmx.net>, samba at lists.samba.org
> *Subject:* Re: [Samba] Samba 4 two DCs no matching UID/GID
> On 09/12/14 22:49, Tim wrote:
>
> But will this idmap.ldb change work for upcoming new users or
> groups so that uid/gid will not be different?
>
> The wiki tells us about built-in groups. Those have the right ids.
>
>
> On 9 December 2014 23:03:44 CET, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> On 09/12/14 21:07, Tim wrote:
>
> Hello all, I have a fresh install of two CentOS 7
> machines. On DC1 I made a domain provision with
> --use-rfc2307. In DC2 I made a join as DC - both exactly
> as the wiki advised. In fact of its missing I added the
> idmap use rfc2307 yes parameter to smb.conf. I will have
> an extra share on both DCs. Today I realized, that wbinfo
> shows different UID/GID for the same users or groups on
> the DC's. I created the users/groups via RSAT. I don't
> have a Unix attributes tab in RSAT. Is that my problem for
> different uid/gid? Thanks in advance Tim
>
> Hi, I think your problem is that idmap.ldb does not replicate
> to the new DC, this means that users get different UID's on
> the two DC's. If you run: ldbedit -e nano -H
> /var/lib/samba/private/idmap.ldb on each DC, you will be able
> to see the differences. The cure ? copy idmap.ldb from the
> first DC to any secondary DC's after the join. It is
> documented here:
> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC , near
> the bottom of the page. Rowland
>
>
> I take it that you didn't read this page on the wiki:
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>
> You are running into one of the problems why it is not recommended to
> use the DC as a fileserver, you have two choices here, either set up a
> separate member server to use as a fileserver, or use sssd or nslcd to
> pull the RFC2307 attributes that you will need to add to the users/groups.
>
> Whatever you do, you will need to copy idmap.ldb to any secondary DC's.
>
> Rowland
Did you search on the samba wiki ???? :
https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
Rowland
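
A way to check whether two DCs still agree after idmap.ldb has been copied, as an added example that is not part of the original thread: it compares the SID-to-xidNumber mappings in two text dumps of idmap.ldb. It assumes each dump was taken with `ldbsearch -H /var/lib/samba/private/idmap.ldb` on the respective DC; the function names, SIDs and ID values are constructed for illustration.

```python
# Constructed sample dumps in the LDIF form ldbsearch prints; all values made up.
DC1_DUMP = """\
dn: CN=CONFIG
cn: CONFIG
xidNumber: 3000019

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
cn: S-1-5-21-1111111111-2222222222-3333333333-1104
type: ID_TYPE_BOTH
xidNumber: 3000017
"""
# DC2: same user SID mapped to a different ID, plus a SID only DC2 has seen.
DC2_DUMP = DC1_DUMP.replace("xidNumber: 3000017", "xidNumber: 3000021") + """
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
cn: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_BOTH
xidNumber: 3000022
"""

def parse_idmap(ldif):
    """Return {sid: (type, xidNumber)} for every SID record in an LDIF dump."""
    mappings = {}
    for block in ldif.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        sid = attrs.get("cn", "")
        # CN=CONFIG holds allocator state, not a SID mapping, so skip it.
        if sid.startswith("S-") and "xidNumber" in attrs:
            mappings[sid] = (attrs.get("type", "?"), int(attrs["xidNumber"]))
    return mappings

def diff_idmaps(first, second):
    """List (sid, on_first, on_second) where the DCs disagree.

    A SID known to only one DC is reported with None for the other side.
    """
    a, b = parse_idmap(first), parse_idmap(second)
    return [(sid, a.get(sid), b.get(sid))
            for sid in sorted(a.keys() | b.keys())
            if a.get(sid) != b.get(sid)]

if __name__ == "__main__":
    for sid, on_dc1, on_dc2 in diff_idmaps(DC1_DUMP, DC2_DUMP):
        print(f"{sid}: DC1={on_dc1} DC2={on_dc2}")
```

An empty result means both DCs map every SID to the same ID; any line printed is a user or group whose files would show different ownership depending on which DC serves the share.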