[Samba] samba 4.2.1 copy idmap...and problems with bi-directional sysvolsync.

Rowland Penny rowlandpenny at googlemail.com
Wed Apr 29 01:41:25 MDT 2015


On 29/04/15 08:30, L.P.H. van Belle wrote:
> Hai Rowland / Andrey,
>
>
> that.. was a stupid one to miss..
> that was because it was checking against defaults of samba, forgot to put that one back..
> and yes, tested it also with, and I'm noticing the same. (different IDs)
> so.. back to winbind... and now the IDs are the same again..
>
> thanks. .
>
> and Andrey, I'm using my sysvol scripts to set it up.
> have a look here, https://secure.bazuin.nl/scripts/
>
> new version 1.0.5 for  : 3-setup-sysvol-bidirectional.sh
>
> last changes.:
> # 2015-02-24: 1.0.4: corrected the mixed up of PATH and BASE in line 97 ( now really no more double sysvol )
> # 2015-04-29: 1.0.5: added extra copy of idmap.ldb, to make sure the uids/gids on both servers are correct.
> #                    samba 4.2.1 did complain about wrong uid/gids in the sync.
> #                    copy of sysvol did not always work, fixed it,
> #                    removed the copy of sysvol on dc2, due to above fixed not needed anymore.
> #                    added notification, when using samba 4.2 and winbindd, which is not supported, due to different ids
> #                    even when idmap.ldb is copied.
> #
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: Andrey Repin [mailto:anrdaemon at yandex.ru]
>> Sent: Tuesday 28 April 2015 22:16
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] samba 4.2.1 copy idmap...and problems with bi-directional sysvolsync.
>>
>> Greetings, L.P.H. van Belle!
>>
>>> I'm trying to get my IDs for administrator groups on both servers the same.
>>>
>>> with 4.1.17 the solution was simple..
>>> we stop samba on both servers.
>>> scp /var/lib/samba/private/idmap.ldb root@192.168.0.2:/var/lib/samba/private/
>>>
>>> started samba, and the IDs were the same.
>>>
>>> I'm using winbindd now with samba 4.2.1
>>> but...
>>>   
>>> DC1:  id administrator
>>> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy creator owners),3000006(enterprise admins),3000008(domain admins),3000007(schema admins),3000005(denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
>>> id administrator
>>> uid=0(root) gid=100(users) groups=0(root),100(users),3000011(group policy creator owners),3000010(enterprise admins),3000007(domain admins),3000009(schema admins),3000008(denied rodc password replication group),3000001(BUILTIN\users),3000000(BUILTIN\administrators)
>> Louis... welcome to my everyday nightmare for the past month.
>>
>>> see the differences here..
>>>
>>> What am I missing..
>>> Because of this the bi-directional sysvol sync does not work OK!!
>> How exactly are you syncing it?
>>   
>>> config used :
>>> # Global parameters
>>> [global]
>>>          workgroup = BAZRTD
>>>          realm = ROTTERDAM.BAZUIN.NL
>>>          netbios name = RTD-DC2
>>>          server role = active directory domain controller
>>>          server services = -dns
>>>   
>>>          idmap_ldb:use rfc2307 = yes
>>>          idmap config * :backend = tdb
>>>          idmap config * :range = 2000-9999
>>>          idmap config BAZRTD : backend = ad
>>>          idmap config BAZRTD : range = 10000-3999999
>>>   
>>>          winbind nss info = rfc2307
>>>          winbind trusted domains only = no
>>>          winbind use default domain = yes
>> Aside from "idmap config <DOMAIN> : schema_mode = rfc2307"
>> pointed by Rowland,
>> make sure you don't have overlapping UIDs in idmap and SAM.
>>
>>
>> -- 
>> With best regards,
>> Andrey Repin
>> Tuesday, April 28, 2015 23:13:15
>>
>> Sorry for my terrible English...
>>

OK Louis, you can confirm that you get different IDs between DCs when 
using 'winbindd', so you should have logs that show this, so will you 
please log a bug report.

Rowland
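
The ID comparison from the quoted message, as an added example that is not part of the original thread: it parses the two `id administrator` outputs quoted above and reports groups whose gid differs between the DCs, plus gids that resolve to a different group on each DC (the case where a sysvol copy that preserves numeric IDs assigns ownership or ACL entries to the wrong group). The function names are illustrative, and the second output is assumed to come from the other DC.

```python
import re

# `id administrator` output quoted in the thread, mail line-wrapping rejoined.
DC1 = (r"uid=0(root) gid=100(users) groups=0(root),100(users),"
       r"3000004(group policy creator owners),3000006(enterprise admins),"
       r"3000008(domain admins),3000007(schema admins),"
       r"3000005(denied rodc password replication group),"
       r"3000009(BUILTIN\users),3000000(BUILTIN\administrators)")
# Second output in the thread; assumed here to be from the other DC.
DC2 = (r"uid=0(root) gid=100(users) groups=0(root),100(users),"
       r"3000011(group policy creator owners),3000010(enterprise admins),"
       r"3000007(domain admins),3000009(schema admins),"
       r"3000008(denied rodc password replication group),"
       r"3000001(BUILTIN\users),3000000(BUILTIN\administrators)")

ENTRY = re.compile(r"(\d+)\(([^)]*)\)")  # one "gid(name)" pair

def parse_groups(id_output):
    """Return {group name: gid} from the groups= field of `id` output."""
    match = re.search(r"groups=(.*)", id_output.strip())
    if match is None:
        raise ValueError("no groups= field in id output")
    return {name: int(gid) for gid, name in ENTRY.findall(match.group(1))}

def compare(out_a, out_b):
    """Return (mismatched, collisions, only_on_one) for two `id` outputs."""
    a, b = parse_groups(out_a), parse_groups(out_b)
    # Same group name, different gid on each DC.
    mismatched = {n: (a[n], b[n]) for n in a.keys() & b.keys() if a[n] != b[n]}
    # Same gid, different group name on each DC.
    b_by_gid = {gid: name for name, gid in b.items()}
    collisions = {gid: (name, b_by_gid[gid]) for name, gid in a.items()
                  if gid in b_by_gid and b_by_gid[gid] != name}
    return mismatched, collisions, a.keys() ^ b.keys()

if __name__ == "__main__":
    mismatched, collisions, only_on_one = compare(DC1, DC2)
    for name, (gid_a, gid_b) in sorted(mismatched.items()):
        print(f"MISMATCH  {name}: {gid_a} vs {gid_b}")
    for gid, (name_a, name_b) in sorted(collisions.items()):
        print(f"COLLISION gid {gid}: '{name_a}' vs '{name_b}'")
    for name in sorted(only_on_one):
        print(f"MISSING   {name} is mapped on only one DC")
```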


