[Samba] Validate Ids Multiple DC

Rowland Penny rpenny at samba.org
Fri Jan 29 11:41:35 UTC 2016


On 29/01/16 08:59, L.P.H. van Belle wrote:
> If you add the "not" supported winbind options from the member also to the DCs, then you will have the same resulting uid on all servers.
>
> Officially not supported, but works now for more than a year here.
> ( sernet samba 4.2.7 on debian wheezy )
>
> This is my addition to the smb.conf on the DC.
>          ## map id's outside to domain to tdb files.
>          idmap config * : backend = tdb
>          idmap config * : range = 2000-9999
>          ## map ids from the domain and (*) the range may not overlap !
>          idmap config NTDOMAIN : backend = ad
>          idmap config NTDOMAIN : schema_mode = rfc2307
>          idmap config NTDOMAIN : range = 10000-3999999
>
>          # Use home directory and shell information from AD
>          winbind nss info = rfc2307
>
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind expand groups = 4
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller
>> Sent: Friday 29 January 2016 9:21
>> To: 'Carlos A. P. Cunha'; samba at lists.samba.org
>> Subject: Re: [Samba] Validate Ids Multiple DC
>>
>> You can try to do it with the unix tab in rsat on the master dc (as I did).
>> Both DCs have the same ids.
>> On your member servers this will be mapped by winbind(d)
>> EX:
>>
>> [root@s4master ~]# id tester
>> uid=90000(TPLK\tester) gid=100(users)
>> Gruppen=100(users),3000051(TPLK\TerminalServer
>> User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schre
>> iben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(
>> TPLK\HS3)
>>
>> [root@s4slave ~]# id tester
>> uid=90000(TPLK\tester) gid=100(users)
>> Gruppen=100(users),3000051(TPLK\TerminalServer
>> User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schre
>> iben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(
>> TPLK\HS3)
>>
>> winbind(d) mapping the same ids on 2 member servers:
>> [root@centclust1 ~]# id tester
>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain
>> users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),
>> 1643(terminalserver
>> user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)
>>
>>
>> [root@centclust2 ~]# id tester
>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain
>> users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640
>> (schreiben),1643(terminalserver
>> user),1620(direktionv),100001(BUILTIN\users)
>>
>>
>> EDV Daniel Müller
>>
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: mueller at tropenklinik.de
>> Internet: www.tropenklinik.de
>>
>>
>>
>>
>> -----Original message-----
>> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
>> Sent: Friday, 29 January 2016 00:43
>> To: samba at lists.samba.org
>> Subject: [Samba] Validate Ids Multiple DC
>>
>> Hello!
>> I have 2 Samba 4 servers (4.3.3) as VC and another Samba 4 (4.3) as
>> fileserver. Until now all is OK, but I have one doubt: how do I validate that
>> the users' domain IDs are identical on both servers? Is there a simple way
>> to do this validation?
>> I wanted to make sure it is a DC die fileserver has to go 100%.
>> thank you
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>

Hi Louis, you keep saying adding the domain member lines to a DC works 
for you, so I thought it was time I tried them again.

This is before adding the lines:

root@testdc1:~# getent passwd rowland
HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false

Now add the lines to smb.conf:

         ## map id's outside to domain to tdb files.
         idmap config * : backend = tdb
         idmap config * : range = 2000-9999
         ## map ids from the domain and (*) the range may not overlap !
         idmap config HOME : backend = ad
         idmap config HOME : schema_mode = rfc2307
         idmap config HOME : range = 10000-3999999

         # Use home directory and shell information from AD
         winbind nss info = rfc2307

         winbind trusted domains only = no
         winbind use default domain = yes
         winbind expand groups = 4

Ran 'net cache flush' and then 'service samba-ad-dc restart'

Checked again:

root@testdc1:~# getent passwd rowland
HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false

Absolutely no difference, this is with Samba 4.3.3

Rowland
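
Added example, not part of the original thread or of Samba: one way to answer the question the thread starts from is to capture `getent passwd` output on each DC and member server and compare the uid/gid per account, since an account that maps to different IDs on two servers will not own the same files on both. The host names testdc2 and member1, the sample captures and the single-domain assumption are constructed for illustration.

```python
from collections import defaultdict


def parse_getent(text):
    """Parse `getent passwd` output into {account: (uid, gid)}."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # blank or malformed line
        # Assumption: a single domain, so 'HOME\rowland' (DC) and 'rowland'
        # (member with 'winbind use default domain = yes') are one account.
        name = fields[0].rsplit("\\", 1)[-1].lower()
        entries[name] = (int(fields[2]), int(fields[3]))
    return entries


def find_mismatches(outputs):
    """outputs maps host -> getent text. Returns {account: {host: ids}} for
    every account whose (uid, gid) is not identical on all hosts; an account
    missing from a host is recorded as None and counts as a mismatch."""
    seen = defaultdict(dict)
    for host, text in outputs.items():
        for account, ids in parse_getent(text).items():
            seen[account][host] = ids
    report = {}
    for account, per_host in seen.items():
        full = {host: per_host.get(host) for host in outputs}
        if len(set(full.values())) > 1:
            report[account] = full
    return report


# Constructed sample captures (not real output), shaped like the thread's.
SAMPLE = {
    "testdc1": "HOME\\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false\n"
               "HOME\\tester:*:90000:100::/home/HOME/tester:/bin/false\n",
    "testdc2": "HOME\\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false\n"
               "HOME\\tester:*:90000:100::/home/HOME/tester:/bin/false\n",
    "member1": "rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false\n"
               "tester:*:1606:1013::/home/HOME/tester:/bin/false\n",
}

if __name__ == "__main__":
    for account, per_host in sorted(find_mismatches(SAMPLE).items()):
        print(f"MISMATCH {account}:")
        for host, ids in per_host.items():
            print(f"  {host}: {'missing' if ids is None else 'uid=%d gid=%d' % ids}")
```

With real data, replace SAMPLE with the text of `getent passwd <user>` collected on each server; an empty report means every checked account has the same uid and gid everywhere.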



