[Samba] Vampire

Christian Huldt christian at solvare.se
Tue Nov 4 07:37:06 MST 2014


Sorry for the delay, there is some politics as well :-(

Marc Muehlfeld wrote 2014-10-24 03:07:
> On 24.10.2014 at 00:18, Christian Huldt wrote:
>>> What kind of oddities have you encountered? Maybe it's something that
>>> can be fixed.
>>
>> GPO's stopped working, ...
> 
> Can you
> https://wiki.samba.org/index.php/Updating_Samba#Updates_of_early_Samba_4_version_on_Samba_Active_Directory_DCs
> Reset the SysVol ACLs on every DC.

Most interesting, seems someone didn't read the docs appropriately...
> 
> Also consider upgrading to a recent version of Samba. The early 4.0
> releases had some issues about ACLs, etc. I think it was fixed in 4.0.5
> already, but I'm not sure any more. And a recent version isn't bad if
> you're having problems. Maybe some (other) problems are gone then, too.

That's the current plan, after yet another
samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
as we found 75 errors...

> 
>> ... and the two dcs have different uidNumber and
>> gidNumber for users - and we never managed to get those consistent on
>> member servers.
> 
> Where do the DCs get the UIDs/GIDs from? RFC2307? Then it should be the
> same on all DCs, if the way it's configured to retrieve the IDs uses the
> IDs from the directory. If it's sssd or winbind, configured to create
> their own (local) IDs, then it's normal that they differ on each host.
> 
> This might be interesting for you:
> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC

We have been using rfc2307 from the start...
> 
> Can you check
> * if the users/groups have a uidNumber/gidNumber attribute?

Yes, they do.

> * if winbind/sssd/nslcd is used to retrieve the accounts on the
> DC/Member and post the corresponding config?
> 
winbind

on the dc:

        idmap_ldb:use rfc2307 = yes

        idmap config *:backend = tdb
        idmap config *:range = 5001-9999
        idmap config ARKITEKT:backend = ad
        idmap config ARKITEKT:schema_mode = rfc2307
        idmap config ARKITEKT:range = 10000-4000000

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes
        winbind enum users  = yes
        winbind enum groups = yes

(idmap config ARKITEKT:backend = ad seems a bit strange on a dc?)

member:


   #idmap config *:backend = tdb
   #idmap config *:range = 5001-9999
   idmap config ARKITEKT:backend = ad
   idmap config ARKITEKT:schema_mode = rfc2307
   idmap config ARKITEKT:range = 10000-4000000

   winbind nss info = rfc2307
   winbind trusted domains only = no
   winbind use default domain = yes

(Shouldn't we have "idmap_ldb:use rfc2307 = yes" here as well?)

> 
>>> Depending on the size of your environment (users, groups, machine
>>> accounts, etc.) it's worth to start from scratch.
>>
>> That seems to be plan so far...
>>
>> I plan to see what happens if I join a new dc and remove the old ones,
>> but need to have a plan B...
> 
> If your IDs are not stored in the AD, then they will still be different.
> 
> And even if you want to demote the old DCs, you will slip into a further
> problem: You have to transfer the FSMO roles first to the new one and
> then demote the old. But not everything is transferred and you can't
> demote the DC(s) which owned the FSMO roles.

As I said before, I know too little of Windows to be a samba admin, what
is FSMO?
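The thread's core symptom is two DCs returning different uidNumber/gidNumber values for the same users. Before rebuilding anything, an admin would want to see exactly which accounts disagree, which lack the RFC2307 attributes, and which carry IDs outside the winbind "ad" idmap range from the posted smb.conf (10000-4000000), since winbind will not map those. The script below is an added example for this list reply, not code from the thread or from the Samba project. It parses LDIF-style output of the kind `ldbsearch`/`ldapsearch` print for user objects; the two dumps embedded in it are constructed sample data, the account names are invented, and the `sam.ldb` path in the comment is an assumption about a default install.

```python
"""Compare RFC2307 uidNumber/gidNumber values between two Samba DCs.

Added example (not from the thread). Reports accounts whose uidNumber or
gidNumber differs between DCs, is missing on one DC, or lies outside the
winbind 'ad' idmap range configured in smb.conf.
"""
import re

# idmap config ARKITEKT:range = 10000-4000000 from the posted smb.conf
ID_RANGE = (10000, 4000000)

# Constructed sample dumps. In practice you would run something like
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
#       sAMAccountName uidNumber gidNumber
# on each DC (path assumed to be the default sam.ldb) and feed the output here.
DC1_LDIF = """\
dn: CN=alice,CN=Users,DC=arkitekt,DC=example
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=arkitekt,DC=example
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10000

dn: CN=carol,CN=Users,DC=arkitekt,DC=example
sAMAccountName: carol
uidNumber: 5003
gidNumber: 10000
"""

DC2_LDIF = """\
dn: CN=alice,CN=Users,DC=arkitekt,DC=example
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=arkitekt,DC=example
sAMAccountName: bob
uidNumber: 10099

dn: CN=carol,CN=Users,DC=arkitekt,DC=example
sAMAccountName: carol
uidNumber: 5003
gidNumber: 10000
"""


def parse_ldif(text):
    """Return {sAMAccountName: {'uidNumber': int|None, 'gidNumber': int|None}}."""
    accounts = {}
    # LDIF records are separated by blank lines
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        name = attrs.get("sAMAccountName")
        if not name:
            continue
        accounts[name] = {
            "uidNumber": int(attrs["uidNumber"]) if "uidNumber" in attrs else None,
            "gidNumber": int(attrs["gidNumber"]) if "gidNumber" in attrs else None,
        }
    return accounts


def in_range(value, id_range=ID_RANGE):
    """True when the ID is present and inside the configured idmap range."""
    return value is not None and id_range[0] <= value <= id_range[1]


def compare_ids(dc1, dc2, id_range=ID_RANGE):
    """Return a sorted list of (account, problem) tuples; empty means consistent."""
    problems = []
    for name in sorted(set(dc1) | set(dc2)):
        a, b = dc1.get(name), dc2.get(name)
        if a is None or b is None:
            problems.append((name, "present on only one DC"))
            continue
        for attr in ("uidNumber", "gidNumber"):
            va, vb = a[attr], b[attr]
            if va is None or vb is None:
                side = "DC1" if va is None else "DC2"
                problems.append((name, f"{attr} missing on {side}"))
            elif va != vb:
                problems.append((name, f"{attr} differs: DC1={va} DC2={vb}"))
            elif not in_range(va, id_range):
                problems.append((name, f"{attr}={va} outside idmap range {id_range}"))
    return problems


if __name__ == "__main__":
    for account, problem in compare_ids(parse_ldif(DC1_LDIF), parse_ldif(DC2_LDIF)):
        print(f"{account}: {problem}")
```

With the constructed data this flags bob (uidNumber differs between the DCs, gidNumber missing on DC2) and carol (uidNumber 5003 falls below the 10000 start of the idmap range, so winbind on a member server would not map it even though both DCs agree on it); alice is reported clean. Running the real dumps through the same check tells you whether the directory data itself is inconsistent, which is what would have to be true for the RFC2307 backend to return different IDs on different hosts.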


