[Samba] Validate Ids Multiple DC

Carlos A. P. Cunha carlos.hollow at gmail.com
Mon Feb 1 17:41:30 UTC 2016


Hello!
My DCs now have equal IDs; on my Fileserver it looks this way:

DC01:
wbinfo -i userteste01
SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false

DC02:
wbinfo -i userteste01
SERVERAD\userteste01:*:3000367:100:userteste01:/home/SERVERAD/userteste01:/bin/false

My Fileserver:
wbinfo -i userteste01
userteste01:*:13121:5513:userteste01:/home/SERVERAD/userteste01:/bin/false

My smb.conf on the Fileserver:

[global]

netbios name = FILESERVER
workgroup = SERVERAD
#security = domain
#client schannel = no
security = ADS

realm = INTERNO.MYDOMAIN.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab


idmap config *: backend = tdb
idmap config *: range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
idmap_ldb: use RFC2307 = Yes

winbind nss info = RFC2307
winbind trusted domains only = on
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes

vfs objects = acl_xattr
map acl inherit = Yes
store the attributes = Yes


I have doubts: would this setup cause problems? And another question:
are the values in my idmap config "suspicious"?

Thanks,

On 29-01-2016 14:07, L.P.H. van Belle wrote:
> Ah..
> A misunderstanding..  I don't pull from LDAP. I abuse settings.
>
> I use UID/GID from AD, only the UID/GID, don't really care about the others.
> But I do obey some rules.. I'll explain.
>
> This on the DC:
> getent passwd obell
> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
>
> It's a bit different on the member.
> getent passwd myuser
> myuser:*:10002:10000::/home/users/ myuser:/bin/bash
>
> but ! on the member running only
> getent passwd | grep myuser ( results same again as the DC )
> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
>
> how/why, I don't really know, but it works perfectly..
>
> and only thing i make sure is that the in AD the Unix in is always same
> what i set in the server.
> Which means only 1 ! user homedir
> And that's why I have:
>
>          template shell = /bin/bash
>          template homedir = /home/users/%U
>
> All my users user homedir /home/users/%U
> If you need to separate that, well then the above probably won't work.
>
> And the users' shares/folders are well protected so nobody can walk through userdirs..  not even root, if not Kerberos authenticated.
>
>
>
> Now I'm really gone...
> Beer time..
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>> Sent: Friday 29 January 2016 16:44
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Validate Ids Multiple DC
>>
>> On 29/01/16 15:29, L.P.H. van Belle wrote:
>>> Lol...
>>> I don't know.. and I did learn know most from you :-P
>> I could never get a DC to use any rfc2307 attributes other than the
>> uidNumber & gidNumber, even after 'winbind' was replaced by 'winbindd'.
>> I even created a bug report about it.
>>> And you have reset the idmap?
>> If you mean remove rowland's record from idmap.ldb, then no, hang on I
>> will go and try it.
>>
>> OK, back again, rowland's record never made it into idmap.ldb, so we can
>> rule that out.
>>
>> Rowland
>>
>>> Greetz,
>>>
>>> .. hihi...
>>>
>>> Louis
>>>
>>>
>>>
>>
>
>
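
Added example (not part of the original thread and not Samba code): a Python check over the idmap lines posted above. It flags ID ranges that intersect, which the Samba idmap documentation says they must not, and inverts the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID to show where the file server's 13121 and 5513 come from. The function names are illustrative and base_rid is assumed to be at its default of 0.

```python
import re

# idmap lines copied from the smb.conf in the message above (spacing as posted).
SMB_CONF = """\
idmap config *: backend = tdb
idmap config *: range = 5000-16777216
idmap config SERVERAD: backend = rid
idmap config SERVERAD: range = 5000-33554431
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+?)\s*:\s*(\w[\w ]*?)\s*=\s*(.+?)\s*$", re.I)

def parse_idmap(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    domains = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # skip commented-out lines
            continue
        m = IDMAP_RE.match(line)
        if m:
            domain, option, value = m.groups()
            domains.setdefault(domain, {})[option.lower()] = value
    return domains

def ranges(domains):
    """Return {domain: (low, high)} for domains that declare a range."""
    out = {}
    for domain, opts in domains.items():
        if "range" in opts:
            low, high = (int(x) for x in opts["range"].split("-"))
            out[domain] = (low, high)
    return out

def overlaps(rng):
    """Return the domain pairs whose ID ranges intersect."""
    names = sorted(rng)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]]

def rid_from_unix_id(unix_id, low, base_rid=0):
    """Invert the idmap_rid formula ID = RID - BASE_RID + LOW_RANGE_ID."""
    return unix_id - low + base_rid

if __name__ == "__main__":
    rng = ranges(parse_idmap(SMB_CONF))
    for a, b in overlaps(rng):
        print(f"overlap: {a} {rng[a]} and {b} {rng[b]}")
    low = rng["SERVERAD"][0]
    print("uid 13121 -> RID", rid_from_unix_id(13121, low))
    print("gid 5513  -> RID", rid_from_unix_id(5513, low))
```

With the posted values the gid 5513 maps back to RID 513, the well-known Domain Users RID, so the file server's IDs are computed by the rid backend, whereas the DCs report 3000367 for the same user.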



