[Samba] WG: After Upgrade to Samba-4.3.4

Mueller mueller at tropenklinik.de
Tue Feb 9 13:50:12 UTC 2016


It seems the PCs' uid numbers interfere with the group gids. Where the h.. do the PCs get the gid?

# id mikrobio2$
uid=3000065(TPLK\mikrobio2$) gid=3000017(TPLK\domain computers) Gruppen=3000017(TPLK\domain computers),3000065(TPLK\mikrobio2$)

getent group mikrobio2$
TPLK\mikrobio2$:x:3000065:TPLK\mikrobio2$
getent group ambshare
TPLK\ambshare:x:3000065:

This results in nirvana :
Ambulanz1 is a share with security= group ambshare rwx
[root at s4slave wingroup]# getfacl ambulanz1
# file: ambulanz1
# owner: root
# group: root
user::rwx
user:root:rwx
user:TPLK\134guest:rwx
group::rwx
group:root:rwx
group:TPLK\134guest:rwx
group:TPLK\134domain\040admins:rwx
group:TPLK\134mikrobio2$:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:TPLK\134guest:rwx
default:group::rwx
default:group:root:---
default:group:TPLK\134guest:rwx
default:group:TPLK\134domain\040admins:rwx
default:group:TPLK\134mikrobio2$:rwx
default:mask::rwx
default:other::--

See my confs, which worked before the update:

S4MASTER:

# Global parameters
[global]
        workgroup = TPLK
        realm = tplk.loc
        netbios name = S4MASTER
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes
        follow symlinks = yes
        wide links = Yes
        unix extensions= no

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/tplk.loc/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[home]
comment=home s4master verzeichnis auf gluster node1
vfs objects= recycle
##vfs objects= recycle, glusterfs
recycle:repository= /%P/%U/.Papierkorb
##glusterfs:volume= sambacluster
##glusterfs:volfile_server = 172.17.1.1
recycle:exclude = *.tmp,*.temp,*.log,*.ldb,*.TMP,?~$*,~$*
recycle:keeptree = Yes
recycle:exclude = ?~$*,~$*,*.tmp,*.temp,*.TMP,Thumbs.db
recycle:exclude_dir = .Papierkorb,Papierkorb,tmp,temp,profile,.profile
recycle:touch_mtime = yes
recycle:versions = Yes
recycle:minsize = 1
msdfs root=yes
path=/mnt/glusterfs/ads/home
read only=no
posix locking =NO
kernel share modes = No
##see only home self
access based share enum=yes
hide unreadable=yes
hide unwriteable files=yes

EXAMPLE SHARE

[edv]
comment=edv s4master verzeichnis auf gluster node1
vfs objects= recycle
recycle:repository= /%P/Papierkorb
recycle:exclude = *.tmp,*.temp,*.log,*.ldb,*.TMP,?~$*,~$*,Thumbs.db
recycle:keeptree = Yes
recycle:exclude_dir = .Papierkorb,Papierkorb,tmp,temp,profile,.profile
recycle:touch_mtime = yes
recycle:versions = Yes
recycle:minsize = 1
msdfs root=yes
path=/mnt/glusterfs/ads/wingroup/edv
read only=no
posix locking =NO
kernel share modes = No
access based share enum=yes
hide unreadable=yes
hide unwriteable files=yes
veto files = Thumbs.db
delete veto files = yes


All shares are linked over a DFS tree

S4SLAVE just the same:

# Global parameters
[global]
        workgroup = TPLK
        realm = tplk.loc
        netbios name = S4SLAVE
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        follow symlinks = yes
        wide links = yes
        unix extensions = no
        idmap_ldb:use rfc2307 = yes



[netlogon]
        path = /usr/local/samba/var/locks/sysvol/tplk.loc/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[home]
comment=home s4slave verzeichnis auf gluster node2
vfs objects= recycle
recycle:repository= /%P/%U/.Papierkorb
recycle:exclude = *.tmp,*.temp,*.log,*.ldb,*.TMP,?~$*,~$*,Thumbs.db
recycle:keeptree = Yes
recycle:exclude_dir = .Papierkorb,Papierkorb,tmp,temp,profile,.profile
recycle:touch_mtime = yes
recycle:versions = Yes
recycle:minsize = 1
msdfs root=yes
path=/mnt/glusterfs/ads/home
read only=no
posix locking =NO
kernel share modes = No
access based share enum=yes
hide unreadable=yes
hide unwriteable files=yes
veto files = Thumbs.db
delete veto files = yes

[edv]
comment=edv s4slave verzeichnis auf gluster node 2
vfs objects= recycle
recycle:repository= /%P/Papierkorb
recycle:exclude = *.tmp,*.temp,*.log,*.ldb,*.TMP,?~$*,~$*,Thumbs.db
recycle:keeptree = Yes
recycle:exclude_dir = .Papierkorb,Papierkorb,tmp,temp,profile,.profile
recycle:touch_mtime = yes
recycle:versions = Yes
recycle:minsize = 1
msdfs root=yes
path=/mnt/glusterfs/ads/wingroup/edv
read only=no
posix locking =NO
kernel share modes = No
access based share enum=yes
hide unreadable=yes
hide unwriteable files=yes
veto files = Thumbs.db
delete veto files = yes




EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen 
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de 




-----Original Message-----
From: Rowland penny [mailto:rpenny at samba.org]
Sent: Tuesday, 9 February 2016 13:34
To: samba at lists.samba.org
Subject: Re: [Samba] WG: After Upgrade to Samba-4.3.4

On 09/02/16 10:55, Mueller wrote:
> What I have done before updating to 4.3.4 and it was working until then.
>
> I used the map unix tab in ADUC and gave uid and gid to all users/groups but administrator.
> This worked until the update. Now the dcs mix up only!!! group ids 
> with computer ids (security tab)
>
>
> root at s4slave exim]# getent group personal
> TPLK\personal:x:3000044:
>
> root at s4slave exim]# getent group reserve09$ 
> TPLK\reserve09$:x:3000038:TPLK\reserve09$
>
>
>
> [root at s4master ~]# getent group personal <-----------------------------------
> TPLK\personal:x:3000044:
>
> [root at s4master ~]# getent group reserve09$ <-----------------------------
> TPLK\reserve09$:x:3000044:TPLK\reserve09$
>
> Is there a way I can change the GID of reserve09$ back to its original?
>
> ADUC--> Tab >>Attribute change?
>
>

I would start by getting the idmap.ldb files in sync. In your earlier post there was this:

First DC: 3000009(BUILTIN\users)
Second DC: 3000001(BUILTIN\users

This can only happen if the idmap_ldb files are out of sync

As for 'reserve09$', this is a computer and doesn't need a gidnumber. If getting idmap.ldb in sync doesn't cure this and your computers don't have gidNumber attributes, then you may have found a bug.

Can you please post the smb.conf files from the two DCs.

Rowland
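
Added example, not part of the original thread and not Samba code: a check for the two symptoms shown above, one GID handed to two different names on a single DC and the same name resolving to different GIDs on the two DCs. The sample lines are constructed from the names and IDs quoted in this thread (placing the mikrobio2$/ambshare pair on s4slave is an assumption), and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed samples: `getent group` lines per DC, built from the names and
# IDs quoted in this thread (not a capture from a live system).
S4MASTER = r"""
TPLK\personal:x:3000044:
TPLK\reserve09$:x:3000044:TPLK\reserve09$
"""
S4SLAVE = r"""
TPLK\personal:x:3000044:
TPLK\reserve09$:x:3000038:TPLK\reserve09$
TPLK\mikrobio2$:x:3000065:TPLK\mikrobio2$
TPLK\ambshare:x:3000065:
"""

def parse_getent(text):
    """Map group name -> gid from `getent group` lines (name:passwd:gid:members)."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[2].isdigit():
            groups[fields[0]] = int(fields[2])
    return groups

def gid_collisions(groups):
    """GIDs that one host hands out to more than one name."""
    by_gid = defaultdict(list)
    for name, gid in groups.items():
        by_gid[gid].append(name)
    return {gid: sorted(names) for gid, names in by_gid.items() if len(names) > 1}

def cross_dc_mismatches(a, b):
    """Names known to both DCs that resolve to different GIDs."""
    return {n: (a[n], b[n]) for n in sorted(a.keys() & b.keys()) if a[n] != b[n]}

def machine_accounts_in(collisions):
    """Computer accounts (trailing '$') that share a GID with another name."""
    return sorted(n for names in collisions.values() for n in names if n.endswith("$"))

if __name__ == "__main__":
    master, slave = parse_getent(S4MASTER), parse_getent(S4SLAVE)
    for host, groups in (("s4master", master), ("s4slave", slave)):
        for gid, names in gid_collisions(groups).items():
            print(f"{host}: gid {gid} shared by {', '.join(names)}")
    for name, (m, s) in cross_dc_mismatches(master, slave).items():
        print(f"{name}: s4master={m} s4slave={s}")
```

A machine account reported by `machine_accounts_in` is one whose GID also belongs to a real group, so a POSIX ACL entry written for that group can be displayed and evaluated under the computer's name, as in the `getfacl` output above.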
