[Samba] Fwd: Samba 4 two DCs no matching UID/GID

Rowland Penny rowlandpenny at googlemail.com
Wed Jan 14 02:49:07 MST 2015

On 14/01/15 08:56, Izan Díez Sánchez wrote:
> What if I use uidNumber to avoid messing up with idmap.ldb? In the 
> first domain controller works fine, ignores idmap and use uidNumber, 
> but this attribute is not being replicated when a new user is created.
> I explain myself a little deeper:
> 1-I have an AD DC, all users contain uidNumber. "wbinfo -i user" 
> returns uidNumber as expected.

Ah, but do your users actually have a 'uidNumber' attribute? Did you 
add them? Because if you didn't, the 'uidNumber' you are referring to 
is actually an 'xidNumber' that is stored in idmap.ldb.
> 2-I join a second DC. LDAP is replicated correctly, uidNumber 
> attribute included. "wbinfo -i user" returns uidNumber as expected.
> 3-I create a new user in the first DC, and add manually the 
> corresponding uidNumber.

Where are you adding the 'uidNumber' ?

> 4-User is replicated fine to second DC but lacks the uidNumber set on 
> the first one, thus "wbinfo -i user" does not return the same uidNumber.

Light is possibly dawning here: are you by any chance altering 
idmap.ldb? Because doing it this way will give you the problem you are 
having; idmap.ldb is *not* synced between DCs.

By the way, can you please stop referring to your servers as PDC & BDC; 
they are all DCs, a PDC is a totally different type of domain controller.

> The advantage of using rfc2307 is not such if uidNumber is not 
> replicated. Do I have to replicate manually? Am I missing something?
> Any suggestion is welcomed.
> Regards,
> Izan Díez Sánchez
> Empresarios Agrupados
> Magallanes 3
> 28015 Madrid
> Tel. +34 91 309 80 00 (ext: 8813)
> ids at empre.es
> On 13/01/2015 at 18:56, Rowland Penny wrote:
>> On 13/01/15 17:40, Dania Ramirez Moya wrote:
>>> ---------- Forwarded message ----------
>>> From: Dania Ramirez Moya <dania181087 at gmail.com>
>>> Date: Fri, 9 Jan 2015 12:12:18 -0500
>>> Subject: Samba 4 two DCs no matching UID/GID
>>> To: samba <samba at lists.samba.org>
>>> Hello list:
>>> I have an install of two Debian7 machines with samba 4.1.7. On DC1 I made a 
>>> domain provision with --use-rfc2307. On DC2 I made a join as DC exactly as 
>>> https://wiki.samba.org/index.php/Join_a_domain_as_a_DC , I built samba4 
>>> with rfc2307 too. Also on the additional joined Domain Controller I added the 
>>> parameter idmap_ldb:use rfc2307 = yes according to the wiki 
>>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC. I used ADUC 
>>> to set Unix Attributes on a user account.
>>> I installed and configured sssd 1.10 to pull the RFC2307 attributes in two 
>>> DCs but the UID/GID mismatched. Am I missing some configuration?
>>> Best regards
>>> Dania
>> Well, not configuration, but you seem to have missed that you 
>> shouldn't use the DC as a fileserver and that idmap.ldb on the second 
>> DC will not match the one on the first DC. The last one is easy to 
>> fix, copy idmap.ldb from the first DC to the second DC, to use the DC 
>> as a fileserver will need to wait until sometime after 4.2.
>> Rowland
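To answer Rowland's question for every account at once (is the UID a real uidNumber on the user object, which replicates, or an xidNumber from idmap.ldb, which does not?), here is an added example script that is not part of the thread. It assumes idmap_ldb:use rfc2307 = yes on every DC as the thread describes; the ldbsearch paths and the sample LDIF data are constructed.

```python
"""Audit which store supplies each Samba AD user's Unix UID on each DC.
Input is LDIF-style text as 'ldbsearch' prints it; on a real DC feed it the output of
  ldbsearch -H <private>/sam.ldb '(objectClass=user)' sAMAccountName objectSid uidNumber
  ldbsearch -H <private>/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
(<private> is the private dir of your Samba build, an assumption here)."""
def parse_ldif(text):
    """Split blank-line separated records into {attr: value} dicts (single-valued)."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:       # trailing "" flushes the last record
        if not line.strip():
            if cur:
                records.append(cur)
            cur = {}
        elif ":" in line and not line.startswith("#"):
            attr, value = line.split(":", 1)
            cur[attr.strip()] = value.strip()
    return records

def audit_uids(sam_ldif, idmap_by_dc):
    """Per user: UID source, the UID each DC hands out, and whether the DCs agree.
    A uidNumber on the user object is in sam.ldb and replicated, so every DC returns it;
    without one each DC falls back to its own idmap.ldb xidNumber, which is never replicated."""
    idmaps = {dc: {r["objectSid"]: int(r["xidNumber"]) for r in parse_ldif(ldif)}
              for dc, ldif in idmap_by_dc.items()}
    report = {}
    for user in parse_ldif(sam_ldif):
        if "uidNumber" in user:
            uids = {dc: int(user["uidNumber"]) for dc in idmaps}
            source = "uidNumber (replicated)"
        else:                                    # a DC that never saw the SID has no xidNumber
            uids = {dc: m.get(user["objectSid"]) for dc, m in idmaps.items()}
            source = "idmap.ldb xidNumber (local to each DC)"
        consistent = None not in uids.values() and len(set(uids.values())) == 1
        report[user["sAMAccountName"]] = {"source": source, "uids": uids, "consistent": consistent}
    return report

# Constructed sample data: alice has an rfc2307 uidNumber, bob does not and got a different xidNumber per DC.
SAM_LDIF = """\
sAMAccountName: alice
objectSid: S-1-5-21-1-2-3-1104
uidNumber: 10001

sAMAccountName: bob
objectSid: S-1-5-21-1-2-3-1105
"""
IDMAP_LDIF = {
    "dc1": "objectSid: S-1-5-21-1-2-3-1104\nxidNumber: 3000021\n\n"
           "objectSid: S-1-5-21-1-2-3-1105\nxidNumber: 3000022\n",
    "dc2": "objectSid: S-1-5-21-1-2-3-1105\nxidNumber: 3000035\n",
}
```

Run audit_uids(SAM_LDIF, IDMAP_LDIF) and every user whose source is idmap.ldb with consistent == False is one that will show different UIDs in "wbinfo -i user" on the two DCs.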
