[Samba] Samba 4 two DCs no matching UID/GID
Tim
rintimtim at gmx.net
Wed Dec 10 10:30:45 MST 2014
I will try this tomorrow. Possibly this is my fix.
When a domain is provisioned with rfc2307, it would make sense that the Unix attributes, especially uid/gid, would be set automatically.
A member server also needs these to be set for unique filesystem ACLs, right?
On 10 December 2014 18:07:02 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 10/12/14 16:33, Tim wrote:
>> I think I will only need uid and gid due to fs stuff. There are only
>> Windows clients in that domain.
>> So when the IDs are the same on both DCs, all will be fine I think.
>>
>> In RSAT there are no Unix attributes set. As an example: user1 has uid
>> 3000021 on DC1 (the first provisioned one). DRS seems fine. On DC2 user1
>> gets uid 3000017.
>> If I set the ID in the RSAT Unix attributes after choosing the domain, will
>> the IDs mentioned above be overwritten? The default in Unix attributes is
>> that the ID is not set. E.g. if I set ID 2000021 in RSAT, will this ID be
>> set for user1 on both DCs because of use rfc2307 = yes?
>>
>> Regards
>> Tim
>>
>> On 10 December 2014 16:10:58 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 10/12/14 14:39, Tim wrote:
>>
>> I found this. But I didn't find it related to DC idmapping
>> replication. I have two pieces of hardware. My goal is to realize
>> an active directory for the windows clients and a file server.
>> The AD should have redundancy (this is why I provisioned two
>> DCs). The file server should integrate snapshots like a NetApp system
>> (snapshots are done by rsnapshot). The snapshot functionality
>> works so far by mounting cifs shares read only from the backup
>> hardware. But I will try this via NFS due to permissions.
>> Mounting cifs shares leads to irritating permissions on
>> ~snapshot folders ("Everyone" has full permissions). So how
>> would sssd help to replicate the ids regarding idmapping to
>> the secondary DC? It seems that this is my only problem.
>> Another option is to have only one DC with NFS for the
>> snapshots and a file server which integrates the snapshots
>> as mentioned above. But then I have to back up the idmapping
>> file of the file server, or does it get the ids from the AD DC
>> so that I don't have to back it up? The FS stores the ACL by using
>> the IDs. I am using XFS. Thanks in advance, Tim
>>
>> On 10 December 2014 13:48:40 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 10/12/14 12:21, rintimtim at gmx.net wrote:
>>
>> Thanks for the advice of copying the idmap.ldb. That works. After
>> adding some users the uid and gid begin to differ again. I read that
>> it is not recommended to run a DC as a fileserver but in my case it's
>> not really an option. It's a network of twelve clients, so four servers
>> are incommensurate to this amount of clients. I searched regarding
>> sssd, because my nsswitch.conf also has it. But how do I have
>> to configure it all? My actual nsswitch.conf provides the
>> following:
>>   passwd: files sss
>>   shadow: files sss
>>   group: files sss
>>   services: files sss
>>   netgroup: files sss
>> Another alternative seems to be handling the idmap.ldb with my
>> unidirectional rsync replication of the sysvol folder.
>>
>> *Sent:* Wednesday, 10 December 2014 at 11:01 *From:*
>> "Rowland Penny" <rowlandpenny at googlemail.com> *To:* Tim
>> <rintimtim at gmx.net>, samba at lists.samba.org *Subject:* Re:
>> [Samba] Samba 4 two DCs no matching UID/GID
>>
>> On 09/12/14 22:49, Tim wrote:
>>
>> But will this idmap.ldb change work for upcoming new users or groups
>> so that uid/gid will not be different? The wiki tells us about
>> built-in groups. Those have the right ids.
>>
>> On 9 December 2014 23:03:44 CET, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>> On 09/12/14 21:07, Tim wrote:
>>
>> Hello all, I have a fresh install of two CentOS 7 machines. On
>> DC1 I made a domain provision with --use-rfc2307. On DC2 I
>> made a join as DC - both exactly as the wiki advised. Since it
>> was missing, I added the idmap use rfc2307 yes parameter to
>> smb.conf. I will have an extra share on both DCs. Today I
>> realized that wbinfo shows different UID/GID for the same
>> users or groups on the DCs. I created the users/groups via
>> RSAT. I don't have a Unix attributes tab in RSAT. Is that my
>> problem for the different uid/gid? Thanks in advance, Tim
>>
>> Hi, I think your problem is that idmap.ldb does not replicate to the
>> new DC, this means that users get different UIDs on the two
>> DCs. If you run: ldbedit -e nano -H
>> /var/lib/samba/private/idmap.ldb on each DC, you will be able
>> to see the differences. The cure? Copy idmap.ldb from the
>> first DC to any secondary DCs after the join. It is
>> documented here:
>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC , near
>> the bottom of the page. Rowland
>>
>> I take it that you didn't read this page on the wiki:
>> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO You are
>> running into one of the problems why it is not recommended to
>> use the DC as a fileserver, you have two choices here, either
>> set up a separate member server to use as a fileserver, or use
>> sssd or nslcd to pull the RFC2307 attributes that you will
>> need to add to the users/groups. Whatever you do, you will
>> need to copy idmap.ldb to any secondary DCs. Rowland
>>
>> Did you search on the samba wiki ???? :
>> https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>> Rowland
>>
>>
>> OK, another wiki page: https://wiki.samba.org/index.php/RFC2307_backend
>>
>> The only way to ensure that your users have consistent uidNumbers &
>> gidNumbers on **any** Unix machine, is to use the RFC2307 attributes.
>> The attributes are all available out of the box with Samba4, you just
>> have to give your users and groups the required attributes.
>>
>> Once you have given your users & groups these attributes, you then have
>> to use something to pull these attributes. Winbind is available from
>> Samba, but winbind on the DC is different from the winbind that is used
>> on a member server or client. The winbind that is available on the DC
>> will not pull any RFC2307 attributes other than 'uidNumber' &
>> 'gidNumber'. What this means is, if you want to use different
>> unixHomeDirectories & loginShells, you need to use sssd or nslcd.
>>
>> Rowland
>>
>
>By default, no users have a uidNumber and no groups have a gidNumber. If
>you use the UNIX_Attributes tab in ADUC, the default start number is
>10000, though you can change this, I wouldn't bother. Just update any
>users via ADUC, AD will then store the next uidNumber (or gidNumber) for
>you. If you then go to the DC and run 'getent passwd <the user you just
>updated on ADUC>', you will find that the user's ID number will have
>changed to whatever you used in ADUC. This same command should give the
>same result on the second DC, though there may be a problem on both DCs
>if the cache hasn't cleared, if so, wait a short while, or run 'net
>cache flush'.
>
>If you update users with ADUC, do not add users with samba-tool and try
>to add the user's uidNumber at the same time, you could use a number that
>is already in use for another user. You can use the same number for a
>group as a user, they are different objects.
>
>If you do use ADUC to add the user's uidNumber and the user already has
>any info stored on the DC, you will need to change the ownership of this
>info to the user (the info will show as belonging to the user's old
>uidNumber).
>
>Rowland
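Added example, not part of this thread and not Samba project code: a small Python check that compares `getent passwd` output captured on two DCs and flags accounts whose IDs differ, which is the condition Rowland describes above (files and ACLs on XFS are stored by numeric ID, so a mismatch means an object owned by a user on one DC resolves to a different or unknown account on the other). The sample lines are constructed after the 3000021/3000017 case in the thread; the SAMDOM domain and user names are assumptions.

```python
from typing import Dict, Tuple
# A Samba AD DC allocates IDs from its local idmap.ldb (the 3000000+ range seen
# on this page) for objects with no rfc2307 uidNumber/gidNumber. Those local
# allocations are not replicated, so they can differ between DCs.
AUTO_XID_FLOOR = 3000000
# Constructed sample `getent passwd` output captured on each DC (not real data).
DC1_PASSWD = """\
SAMDOM\\user1:*:3000021:100::/home/SAMDOM/user1:/bin/false
SAMDOM\\user2:*:10001:10000::/home/SAMDOM/user2:/bin/bash
SAMDOM\\user3:*:3000030:100::/home/SAMDOM/user3:/bin/false
"""
DC2_PASSWD = """\
SAMDOM\\user1:*:3000017:100::/home/SAMDOM/user1:/bin/false
SAMDOM\\user2:*:10001:10000::/home/SAMDOM/user2:/bin/bash
"""

def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """Map account name -> (uid, gid) from passwd(5)-style lines."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # blank or malformed line
        result[fields[0]] = (int(fields[2]), int(fields[3]))
    return result

def compare_ids(dc1: dict, dc2: dict) -> dict:
    """Classify every account seen on either DC. 'mismatch' means files/ACLs
    owned by the account on one DC resolve to a different or unknown account
    on the other; 'auto_allocated' matches only because idmap.ldb was copied."""
    report = {}
    for name in sorted(set(dc1) | set(dc2)):
        ids1, ids2 = dc1.get(name), dc2.get(name)
        if ids1 is None:
            status = "missing_on_dc1"
        elif ids2 is None:
            status = "missing_on_dc2"
        elif ids1 != ids2:
            status = "mismatch"
        elif ids1[0] >= AUTO_XID_FLOOR:
            status = "auto_allocated"  # will drift for accounts created later
        else:
            status = "ok"
        report[name] = (status, ids1, ids2)
    return report

if __name__ == "__main__":
    for name, (status, a, b) in compare_ids(parse_passwd(DC1_PASSWD), parse_passwd(DC2_PASSWD)).items():
        print(f"{status:15} {name:15} DC1={a} DC2={b}")
```

Accounts reported as 'ok' carry an explicit rfc2307 uidNumber (here 10001), which is why they resolve identically on both DCs; 'auto_allocated' entries are the ones that will diverge again as soon as new users are created.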