[Samba] Validate Ids Multiple DC
Rowland Penny
rpenny at samba.org
Fri Jan 29 11:41:35 UTC 2016
On 29/01/16 08:59, L.P.H. van Belle wrote:
> If you add the "not" supported winbind options from the member also to the DCs, then you will have the same resulting uid on all servers.
>
> Officially not supported, but it has worked here for more than a year now.
> ( sernet samba 4.2.7 on debian wheezy )
>
> This is my addition to the smb.conf on the DC.
> ## map id's outside to domain to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> ## map ids from the domain and (*) the range may not overlap !
> idmap config NTDOMAIN : backend = ad
> idmap config NTDOMAIN : schema_mode = rfc2307
> idmap config NTDOMAIN : range = 10000-3999999
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind expand groups = 4
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller
>> Sent: Friday 29 January 2016 9:21
>> To: 'Carlos A. P. Cunha'; samba at lists.samba.org
>> Subject: Re: [Samba] Validate Ids Multiple DC
>>
>> You can try to do it with the unix tab in rsat on the master dc (as I did).
>> Both DCs have the same ids.
>> On your member servers this will be mapped by winbind(d)
>> EX:
>>
>> [root@s4master ~]# id tester
>> uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
>>
>> [root@s4slave ~]# id tester
>> uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
>>
>> winbind(d) mapping the same ids on 2 member servers:
>> [root@centclust1 ~]# id tester
>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),1643(terminalserver user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)
>>
>>
>> [root@centclust2 ~]# id tester
>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640(schreiben),1643(terminalserver user),1620(direktionv),100001(BUILTIN\users)
>>
>>
>> EDV Daniel Müller
>>
>> Head of IT
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: mueller at tropenklinik.de
>> Internet: www.tropenklinik.de
>>
>>
>>
>>
>> -----Original message-----
>> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
>> Sent: Friday, 29 January 2016 00:43
>> To: samba at lists.samba.org
>> Subject: [Samba] Validate Ids Multiple DC
>>
>> Hello!
>> I have 2 Samba 4 servers (4.3.3) as VC and another Samba 4 (4.3) as
>> fileserver. Until now all is OK, but I have one doubt: how can I validate
>> that the domain IDs of the users are identical on both servers? Is there
>> a simple way to do this validation?
>> I wanted to make sure it is a DC die fileserver has to go 100%.
>> thank you
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>>
>
>
Hi Louis, you keep saying adding the domain member lines to a DC works
for you, so I thought it was time I tried them again.

This is before adding the lines:

root@testdc1:~# getent passwd rowland
HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false

Now add the lines to smb.conf:

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config HOME : backend = ad
idmap config HOME : schema_mode = rfc2307
idmap config HOME : range = 10000-3999999
# Use home directory and shell information from AD
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind expand groups = 4

Ran 'net cache flush' and then 'service samba-ad-dc restart'

Checked again:

root@testdc1:~# getent passwd rowland
HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false

Absolutely no difference, this is with Samba 4.3.3

Rowland
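
Added example, not part of the thread and not Samba code: one way to answer the original question is to collect the `id <user>` line from every host and compare the numeric IDs per name. The function names are hypothetical; the two sample lines are the centclust1/centclust2 outputs quoted above with the mail line wraps rejoined, and collecting them (for example over ssh) is assumed to happen elsewhere.

```python
import re

# One "key=id(name),id(name)" field of `id` output; names may contain spaces.
FIELD = re.compile(r"(\w+)=((?:\d+\([^)]*\),?)+)")
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")

def parse_id(line):
    """Map (kind, lower-cased name) -> numeric id for one line of `id` output."""
    ids = {}
    for key, value in FIELD.findall(line):
        # The label of the group list depends on the locale ("groups",
        # "Gruppen", ...), so every field other than uid= counts as groups.
        kind = "user" if key == "uid" else "group"
        for num, name in ENTRY.findall(value):
            ids[(kind, name.lower())] = int(num)
    return ids

def mismatches(outputs):
    """outputs: {host: id line}. Return entries whose id differs between
    hosts, or that some host lacks (reported as None for that host)."""
    parsed = {host: parse_id(line) for host, line in outputs.items()}
    bad = {}
    for entry in sorted(set().union(*parsed.values())):
        seen = {host: ids.get(entry) for host, ids in parsed.items()}
        if len(set(seen.values())) > 1:
            bad[entry] = seen
    return bad

# Member-server outputs from the thread (wrapped lines rejoined).
MEMBERS = {
    "centclust1": r"uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),"
                  r"1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),"
                  r"1643(terminalserver user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)",
    "centclust2": r"uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),"
                  r"1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640(schreiben),"
                  r"1643(terminalserver user),1620(direktionv),100001(BUILTIN\users)",
}

if __name__ == "__main__":
    for (kind, name), per_host in mismatches(MEMBERS).items():
        print(f"{kind} {name!r} differs: {per_host}")
```

On the two member outputs this reports a single difference: `BUILTIN\users` is 4000001 on centclust1 and 100001 on centclust2, while every domain user and group ID matches.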