[Samba] Fwd: Samba 4 two DCs no matching UID/GID
rowlandpenny at googlemail.com
Wed Jan 14 02:49:07 MST 2015
On 14/01/15 08:56, Izan Díez Sánchez wrote:
> What if I use uidNumber to avoid messing with idmap.ldb? On the
> first domain controller it works fine, ignores idmap and uses uidNumber,
> but this attribute is not being replicated when a new user is created.
> Let me explain in a little more detail:
> 1-I have an AD DC, all users contain uidNumber. "wbinfo -i user"
> returns uidNumber as expected.
Ah, but do your users actually have a 'uidNumber' attribute? Did you
add them? Because if you didn't, the 'uidNumber' you are referring to
is actually an 'xidNumber' that is stored in idmap.ldb.
> 2-I join a second DC. LDAP is replicated correctly, uidNumber
> attribute included. "wbinfo -i user" returns uidNumber as expected.
> 3-I create a new user in the first DC, and manually add the
> corresponding uidNumber.
Where are you adding the 'uidNumber'?
> 4-User is replicated fine to second DC but lacks the uidNumber set on
> the first one, thus "wbinfo -i user" does not return the same uidNumber.
Light is possibly dawning here: are you by any chance altering
idmap.ldb? Because doing it this way will give you the problem you are
having; idmap.ldb is *not* synced between DCs.
By the way, can you please stop referring to your servers as PDC & BDC?
They are all DCs; a PDC is a totally different type of domain controller.
> The advantage of using rfc2307 is not such if uidNumber is not
> replicated. Do I have to replicate manually? Am I missing something?
> Any suggestion is welcome.
> Izan Díez Sánchez
> Empresarios Agrupados
> Magallanes 3
> 28015 Madrid
> Tel. +34 91 309 80 00 (ext: 8813)
> ids at empre.es
> On 13/01/2015 at 18:56, Rowland Penny wrote:
>> On 13/01/15 17:40, Dania Ramirez Moya wrote:
>>> ---------- Forwarded message ----------
>>> From: Dania Ramirez Moya <dania181087 at gmail.com>
>>> Date: Fri, 9 Jan 2015 12:12:18 -0500
>>> Subject: Samba 4 two DCs no matching UID/GID
>>> To: samba <samba at lists.samba.org>
>>> Hello list:
>>> I have an install of two Debian7 machines with samba 4.1.7. On DC1 I
>>> made a domain provision with --use-rfc2307. On DC2 I made a join as DC
>>> exactly as https://wiki.samba.org/index.php/Join_a_domain_as_a_DC , I build
>>> with rfc2307 too. Also on additional joined Domain Controller I added the
>>> parameter idmap_ldb:use rfc2307 = yes according to the wiki
>>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC. I used
>>> to set Unix Attributes on a user account
>>> I installed and configured sssd 1.10 to pull the RFC2307 attributes in two
>>> DCs but the UID/GID mismatched. Am I missing some configuration?
>>> Best regards
>> Well, not configuration, but you seem to have missed that you
>> shouldn't use the DC as a fileserver and that idmap.ldb on the second
>> DC will not match the one on the first DC. The last one is easy to
>> fix: copy idmap.ldb from the first DC to the second DC. To use the DC
>> as a fileserver, you will need to wait until sometime after 4.2.
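
The distinction drawn in this thread, as an added example that is not part of the original messages: a UID taken from the replicated 'uidNumber' attribute is the same on every DC, while one taken from 'xidNumber' in the local idmap.ldb can differ. The LDIF samples, SIDs, user names and DC names are constructed, and the script assumes `idmap_ldb:use rfc2307 = yes` is set on every DC so that 'uidNumber' wins when present.

```python
# Constructed ldbsearch-style LDIF; not output from the servers in this thread.
SAM_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1104
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1105
sAMAccountName: bob
"""
# Each DC has its own idmap.ldb; bob has no uidNumber, so his UID comes from here.
IDMAP_DC1 = """\
dn: CN=S-1-5-21-1111-2222-3333-1105
objectSid: S-1-5-21-1111-2222-3333-1105
xidNumber: 3000020
"""
IDMAP_DC2 = IDMAP_DC1.replace("3000020", "3000017")

def parse_ldif(text):
    """Return {objectSid: {attr: value}} (no line folding or base64 handling)."""
    records = {}
    for block in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "objectSid" in attrs:
            records[attrs["objectSid"]] = attrs
    return records

def uid_sources(sam_ldif, idmap_by_dc):
    """Per user: where the UID comes from, its value on each DC, and agreement."""
    idmaps = {dc: parse_ldif(t) for dc, t in idmap_by_dc.items()}
    report = {}
    for sid, user in parse_ldif(sam_ldif).items():
        if "uidNumber" in user:  # directory attribute, replicated to all DCs
            source = "uidNumber (replicated)"
            uids = {dc: int(user["uidNumber"]) for dc in idmaps}
        else:                    # fallback: per-DC idmap.ldb, never replicated
            source = "xidNumber (local idmap.ldb)"
            uids = {dc: int(m[sid]["xidNumber"]) if sid in m else None
                    for dc, m in idmaps.items()}
        report[user["sAMAccountName"]] = {
            "source": source, "uids": uids,
            "consistent": len(set(uids.values())) == 1}
    return report

if __name__ == "__main__":
    for name, info in uid_sources(SAM_LDIF, {"dc1": IDMAP_DC1, "dc2": IDMAP_DC2}).items():
        print(name, info)
```
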