[Samba] WG: After Upgrade to Samba-4.3.4
Rowland penny
rpenny at samba.org
Tue Feb 9 10:04:06 UTC 2016
On 09/02/16 09:26, Mueller wrote:
> Hello again,
> no idea!?
>
> Both my DCs are now running 4.3.4, but there is a strange behaviour,
> Ex.:
> First DC
> root at s4master wingroup]# id maurerp
> uid=90036(TPLK\maurerp) gid=100(users)
> Gruppen=100(users),3000048(TPLK\schreiben),3000038(TPLK\orbis),3000023(TPLK\
> agfa),3000009(BUILTIN\users)
>
> Second DC
>
> [root at s4slave ~]# id maurerp
> uid=90036(TPLK\maurerp) gid=100(users)
> Gruppen=100(users),3000048(TPLK\aerzte08$),3000038(TPLK\reserve09$),3000023(
> TPLK\agfa),3000001(BUILTIN\users
>
> As you see, the group with ID 3000048 (schreiben) is mapped on the second DC:
> 3000048(TPLK\aerzte08$)
>
>
> How can I correct this issue?
>
> Greetings
> Daniel
>
>
This is a known problem. On a DC, users and groups are mapped via
idmap.ldb; the only problem is that the idmap.ldb on the first DC is very
probably not going to be the same as the idmap.ldb on the second DC,
because they are not synced.

It was even worse before Samba 4.2.0: you just got numbers.

You have three choices:

Ignore it, but be aware that you may have problems if you try to copy a
file from one DC to the other with something that ignores the owner &
group and just relies on the uid & gid numbers.

You can copy idmap.ldb from the first DC to the second, but this would
then entail changing the ownership of files on the second DC to the new
uid & gidNumbers. You would also have to keep the two idmap.ldb files in
sync.

The last choice is probably the best idea: give your users & groups
uidNumber & gidNumber attributes; these would take precedence over the
numbers you are using now. You would still need to change ownership of
the files, but this would be a one-time thing and replication would keep
the two DCs in sync. You can then use ADUC to manage your users.

Rowland
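
A check for the mismatch discussed in this thread, as an added example that is not part of the original messages: it parses `id` output taken on two DCs and reports gids that resolve to different names as well as names that resolve to different gids. The sample strings are the thread's own output with the mail line-wraps joined; the function names are hypothetical.

```python
import re

# Constructed from the `id maurerp` output quoted in the thread, with the mail
# line-wraps joined. The second string is truncated exactly as it was posted.
DC1 = (r"uid=90036(TPLK\maurerp) gid=100(users) Gruppen=100(users),"
       r"3000048(TPLK\schreiben),3000038(TPLK\orbis),3000023(TPLK\agfa),"
       r"3000009(BUILTIN\users)")
DC2 = (r"uid=90036(TPLK\maurerp) gid=100(users) Gruppen=100(users),"
       r"3000048(TPLK\aerzte08$),3000038(TPLK\reserve09$),3000023(TPLK\agfa),"
       r"3000001(BUILTIN\users")

# One "gid(name)" entry; the closing paren is optional to survive truncation.
ENTRY = re.compile(r"(\d+)\(([^(),]+)\)?")


def parse_groups(id_output):
    """Return {gid: name} for the supplementary group list of `id` output."""
    # The label is locale dependent ("groups=", "Gruppen="), so take the
    # text after the last "=" instead of matching the label itself.
    field = id_output.strip().rsplit("=", 1)[1]
    return {int(gid): name for gid, name in ENTRY.findall(field)}


def compare(a, b):
    """Compare two {gid: name} maps taken for the same user on two DCs.

    Returns (id_conflicts, name_conflicts):
      id_conflicts   {gid: (name_on_a, name_on_b)}  same number, other group
      name_conflicts {name: (gid_on_a, gid_on_b)}   same group, other number
    """
    id_conflicts = {g: (a[g], b[g]) for g in a.keys() & b.keys() if a[g] != b[g]}
    rev_a = {name: gid for gid, name in a.items()}
    rev_b = {name: gid for gid, name in b.items()}
    name_conflicts = {n: (rev_a[n], rev_b[n])
                      for n in rev_a.keys() & rev_b.keys() if rev_a[n] != rev_b[n]}
    return id_conflicts, name_conflicts


if __name__ == "__main__":
    ids, names = compare(parse_groups(DC1), parse_groups(DC2))
    for gid, (n1, n2) in sorted(ids.items()):
        print(f"gid {gid}: first DC -> {n1}, second DC -> {n2}")
    for name, (g1, g2) in sorted(names.items()):
        print(f"{name}: first DC gid {g1}, second DC gid {g2}")
```

Files on shared or copied storage that are owned by any gid in the first list are the ones whose effective group differs depending on which DC resolves it.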