[Samba] Validate Ids Multiple DC

L.P.H. van Belle belle at bazuin.nl
Fri Jan 29 12:07:55 UTC 2016


Hai Rowland. 

What you tried is ok, or I'm misunderstanding you. 

For me : 
All members give me. 
getent passwd myuser
myuser:*:10002:10000::/home/users/myuser:/bin/bash

id myuser
uid=10002(myuser) gid=10000(domain users) 

The member servers are either sernet samba 4.2.7 or debian samba 4.1.17 

and on the DCs.  ( only sernet samba 4.2.7 ) 

getent passwd myuser
myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash

id myuser
uid=10002(myuser) gid=10000(domain users)

Forgot to mention 1 restriction. 

On the DCs I also have 
        template shell = /bin/bash
        template homedir = /home/users/%U

The restriction is that you must use the above shell and homedirs for all your users, and they must be the same in the AD unix tab. 

The GECOS is different, but who uses that.. 


Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 29 January 2016 12:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
> 
> On 29/01/16 08:59, L.P.H. van Belle wrote:
> > If you add the "not" supported winbind options from the member also to the DCs, then you will have the same resulting uid on all servers.
> >
> > Officially not supported, but works now for more than a year here.
> > ( sernet samba 4.2.7 on debian wheezy )
> >
> > This is my addition to the smb.conf on the DC.
> >          ## map id's outside to domain to tdb files.
> >          idmap config * : backend = tdb
> >          idmap config * : range = 2000-9999
> >          ## map ids from the domain and (*) the range may not overlap !
> >          idmap config NTDOMAIN : backend = ad
> >          idmap config NTDOMAIN : schema_mode = rfc2307
> >          idmap config NTDOMAIN : range = 10000-3999999
> >
> >          # Use home directory and shell information from AD
> >          winbind nss info = rfc2307
> >
> >          winbind trusted domains only = no
> >          winbind use default domain = yes
> >          winbind expand groups = 4
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller
> >> Sent: Friday 29 January 2016 9:21
> >> To: 'Carlos A. P. Cunha'; samba at lists.samba.org
> >> Subject: Re: [Samba] Validate Ids Multiple DC
> >>
> >> You can try to do it with the unix tab in rsat on the master dc (as I did). Both DCs have the same ids.
> >> On your memberservers this will be mapped by winbind(d)
> >> EX:
> >>
> >> [root at s4master ~]# id tester
> >> uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>
> >> [root at s4slave ~]# id tester
> >> uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>
> >> winbind(d)  mapping the same ids on 2 memberservers:
> >> [root at centclust1 ~]# id tester
> >> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),1643(terminalserver user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)
> >>
> >>
> >> [root at centclust2 ~]# id tester
> >> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640(schreiben),1643(terminalserver user),1620(direktionv),100001(BUILTIN\users)
> >>
> >>
> >> EDV Daniel Müller
> >>
> >> Head of IT
> >> Tropenklinik Paul-Lechler-Krankenhaus
> >> Paul-Lechler-Str. 24
> >> 72076 Tübingen
> >> Tel.: 07071/206-463, Fax: 07071/206-499
> >> eMail: mueller at tropenklinik.de
> >> Internet: www.tropenklinik.de
> >>
> >>
> >>
> >>
> >> -----Original message-----
> >> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> >> Sent: Friday, 29 January 2016 00:43
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Validate Ids Multiple DC
> >>
> >> Hello!
> >> I have 2 Samba 4 servers (4.3.3) as VC and another Samba 4 (4.3) as
> >> fileserver. Until now all is OK, but I have one doubt: how do I validate
> >> that on both servers the domain IDs of the users are identical? Is there a
> >> simple way to do this validation?
> >> I wanted to make sure it is a DC die fileserver has to go 100%.
> >> Thank you
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> >>
> >>
> >
> >
> 
> Hi Louis, you keep saying adding the domain member lines to a DC works
> for you, so I thought it was time I tried them again.
> 
> This is before adding the lines:
> 
> root at testdc1:~# getent passwd rowland
> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
> 
> Now add the lines to smb.conf:
> 
>          ## map id's outside to domain to tdb files.
>          idmap config * : backend = tdb
>          idmap config * : range = 2000-9999
>          ## map ids from the domain and (*) the range may not overlap !
>          idmap config HOME : backend = ad
>          idmap config HOME : schema_mode = rfc2307
>          idmap config HOME : range = 10000-3999999
> 
>          # Use home directory and shell information from AD
>          winbind nss info = rfc2307
> 
>          winbind trusted domains only = no
>          winbind use default domain = yes
>          winbind expand groups = 4
> 
> Ran 'net cache flush' and then 'service samba-ad-dc restart'
> 
> Checked again:
> 
> root at testdc1:~# getent passwd rowland
> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
> 
> Absolutely no difference, this is with Samba 4.3.3
> 
> Rowland
> 
> 

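Added example, not part of the thread: a shell helper for the original question, comparing `getent passwd` lines captured on two hosts (for instance a DC and a domain member). It strips a DOMAIN\ prefix so that `HOME\rowland` and `rowland` count as the same account, ignores GECOS, and reports home/shell differences without failing; the function names, report labels and the sample lines in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare `getent passwd` lines captured on two hosts.
# Returns 0 if every account has the same uid and gid on both, 1 if not,
# 2 if an input file is empty or missing (e.g. a failed capture).
compare_ids() {
    [ -s "$1" ] && [ -s "$2" ] || { echo "empty or missing input" >&2; return 2; }
    awk -F: '
        # Drop a DOMAIN\ prefix and fold case: "HOME\rowland" == "rowland".
        function norm(n) { sub(/^.*\\/, "", n); return tolower(n) }
        NR == FNR { u = norm($1); uid[u] = $3; gid[u] = $4; nss[u] = $6 ":" $7; next }
        {
            u = norm($1); seen[u] = 1
            if (!(u in uid)) { print "MISSING_IN_FIRST " u; bad = 1; next }
            if (uid[u] != $3) { print "UID_MISMATCH " u " " uid[u] " " $3; bad = 1 }
            if (gid[u] != $4) { print "GID_MISMATCH " u " " gid[u] " " $4; bad = 1 }
            # Home/shell differences are informational; GECOS (field 5) is ignored.
            if (nss[u] != ($6 ":" $7)) print "HOME_SHELL_DIFFER " u
        }
        END {
            for (u in uid) if (!(u in seen)) { print "MISSING_IN_SECOND " u; bad = 1 }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Constructed sample data in the line format shown in the thread.
demo() {
    tmp=$(mktemp -d) || return 2
    cat > "$tmp/dc.txt" <<'EOF'
HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
HOME\myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash
HOME\tester:*:90000:100::/home/HOME/tester:/bin/false
EOF
    cat > "$tmp/member.txt" <<'EOF'
rowland:*:10000:10000::/home/rowland:/bin/bash
myuser:*:10002:10000::/home/users/myuser:/bin/bash
tester:*:1606:1013::/home/tester:/bin/bash
EOF
    compare_ids "$tmp/dc.txt" "$tmp/member.txt"; rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Build each input file by running `getent passwd <user>` for the same list of accounts on each host, then call `compare_ids dc.txt member.txt`; running `demo` shows the report for the constructed data.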



