[Samba] Fwd: Samba 4 two DCs no matching UID/GID

Izan Díez Sánchez ids at empre.es
Wed Jan 14 01:56:28 MST 2015

What if I use uidNumber to avoid messing with idmap.ldb? On the first 
domain controller it works fine: it ignores idmap and uses uidNumber, but 
this attribute is not being replicated when a new user is created.

Let me explain in a little more detail:
1. I have an AD DC, and all users contain uidNumber. "wbinfo -i user" returns 
uidNumber as expected.
2. I join a second DC. LDAP is replicated correctly, uidNumber attribute 
included. "wbinfo -i user" returns uidNumber as expected.
3. I create a new user on the first DC, and manually add the 
corresponding uidNumber.
4. The user is replicated fine to the second DC but lacks the uidNumber set on 
the first one, thus "wbinfo -i user" does not return the same uidNumber.

Using rfc2307 is no advantage if uidNumber is not 
replicated. Do I have to replicate it manually? Am I missing something?
Any suggestion is welcome.


Izan Díez Sánchez
Empresarios Agrupados
Magallanes 3
28015 Madrid
Tel. +34 91 309 80 00 (ext: 8813)
ids at empre.es

On 13/01/2015 at 18:56, Rowland Penny wrote:
> On 13/01/15 17:40, Dania Ramirez Moya wrote:
>> ---------- Forwarded message ----------
>> From: Dania Ramirez Moya <dania181087 at gmail.com>
>> Date: Fri, 9 Jan 2015 12:12:18 -0500
>> Subject: Samba 4 two DCs no matching UID/GID
>> To: samba <samba at lists.samba.org>
>> Hello list:
>> I have an install of two Debian7 machines with samba 4.1.7. On DC1 I made a
>> domain provision with --use-rfc2307. On DC2 I made a join as DC exactly as
>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC ,  I build samba4
>> with rfc2307 too. Also on the additional joined Domain Controller I added the
>> parameter idmap_ldb:use rfc2307 = yes according to the wiki
>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC. I used 
>> to set Unix Attributes on a user account
>> I installed and configured sssd 1.10 to pull the RFC2307 attributes in two
>> DCs but the UID/GID mismatched. Am I missing some configuration?
>> Best regards
>> Dania
> Well, not configuration, but you seem to have missed that you 
> shouldn't use the DC as a fileserver and that idmap.ldb on the second 
> DC will not match the one on the first DC. The last one is easy to 
> fix, copy idmap.ldb from the first DC to the second DC, to use the DC 
> as a fileserver will need to wait until sometime after 4.2.
> Rowland
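
A consistency check for the situation described in this message, as an added example that is not part of the original e-mail or of Samba itself: it compares the passwd-style lines printed by "wbinfo -i" on each DC and lists accounts whose UID/GID differ or that resolve on only one DC. The helper name `compare_idmaps`, the SAMDOM domain and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Collect one line per user on each DC:
#   wbinfo -u | while IFS= read -r u; do wbinfo -i "$u"; done > dcN.txt
# Line format: name:passwd:uid:gid:gecos:home:shell

# compare_idmaps DC1_FILE DC2_FILE   (hypothetical helper name)
# Prints one line per account whose uid:gid differs between the two files,
# or that is present in only one of them. No output means the maps agree.
compare_idmaps() {
    # Tag each line with its source so empty or identical files are handled.
    { sed 's/^/1:/' "$1"; sed 's/^/2:/' "$2"; } | awk -F: '
        $1 == 1 { dc1[$2] = $4 ":" $5; next }
        {
            seen[$2] = 1
            ids = $4 ":" $5
            if (!($2 in dc1))        print $2, "missing-on-dc1"
            else if (dc1[$2] != ids) print $2, "dc1=" dc1[$2], "dc2=" ids
        }
        END { for (u in dc1) if (!(u in seen)) print u, "missing-on-dc2" }
    ' | sort
}

# Constructed sample data: carol has uidNumber on DC1 only, so DC2 falls back
# to an ID allocated from its local idmap.ldb; dave does not resolve on DC2.
tmp=$(mktemp -d)
cat > "$tmp/dc1.txt" <<'EOF'
SAMDOM\alice:*:10000:10000::/home/SAMDOM/alice:/bin/false
SAMDOM\bob:*:10001:10000::/home/SAMDOM/bob:/bin/false
SAMDOM\carol:*:10002:10000::/home/SAMDOM/carol:/bin/false
SAMDOM\dave:*:10003:10000::/home/SAMDOM/dave:/bin/false
EOF
cat > "$tmp/dc2.txt" <<'EOF'
SAMDOM\alice:*:10000:10000::/home/SAMDOM/alice:/bin/false
SAMDOM\bob:*:10001:10000::/home/SAMDOM/bob:/bin/false
SAMDOM\carol:*:3000021:100::/home/SAMDOM/carol:/bin/false
EOF

compare_idmaps "$tmp/dc1.txt" "$tmp/dc2.txt"
rm -rf "$tmp"
```

Any line of output identifies an account whose file ownership would be interpreted differently depending on which DC answers the lookup.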
