[Samba] Validate Ids Multiple DC

Carlos A. P. Cunha carlos.hollow at gmail.com
Fri Jan 29 15:26:43 UTC 2016


At first no, but I find it strange there are different ids...

Please, if you can, your smb.conf would help.

On 29-01-2016 13:10, L.P.H. van Belle wrote:
> Hello Carlos.
>
> First please post to the list, this way everybody can help.
>
> The ids like 3000036 are, I think, from a samba DC with RID setup.
> If you want to login also on the DC with for example SSH.
>
> Add also the template lines.
>
> Fix the idmap.
>
> net getdomainsid
> net idmap delete ranges YOURDOMAIN_SID
>
> restart the DC.
>
> And check again.
>
> Greetz,
>
> Louis
>
>
>> -----Original message-----
>> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
>> Sent: Friday 29 January 2016 15:14
>> To: L.P.H. van Belle
>> Subject: Re: [Samba] Validate Ids Multiple DC
>>
>> Hello!
>> Thanks for the answers.
>>
>> My smb.conf is now like this on both DCs, but it is still giving different IDs:
>>
>>
>> smb.conf
>>
>> # Global parameters
>> [global]
>>           workgroup = SERVERAD
>>           realm = mydomain
>>           netbios name = DC-LINUX1(e DC-LINUX2)
>>           server role = active directory domain controller
>>           passdb backend = samba_dsdb
>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>
>>           map archive = No
>>           map readonly = no
>>           store dos attributes = Yes
>>           vfs objects = dfs_samba4 acl_xattr
>>           idmap_ldb:use rfc2307 = yes
>>           kerberos method = system keytab
>>           client ldap sasl wrapping = sign
>>           allow dns updates = nonsecure and secure
>>           nsupdate command =  /usr/bin/nsupdate -g
>>
>>           ## map id's outside to domain to tdb files.
>>           idmap config * : backend = tdb
>>           idmap config * : range = 2000-9999
>>           ### map ids from the domain and (*) the range may not overlap !
>>           idmap config SERVERAD : backend = ad
>>           idmap config SERVERAD : schema_mode = rfc2307
>>           idmap config SERVERAD : range = 10000-3999999
>>
>>           ## Use home directory and shell information from AD
>>           winbind nss info = rfc2307
>>
>>           winbind trusted domains only = no
>>           winbind use default domain = yes
>>           winbind expand groups = 4
>>
>>           # Disable Cups
>>           load printers = no
>>           printing = bsd
>>           printcap name = /dev/null
>>           disable spoolss = yes
>>
>> DC-LINUX1
>>
>> id userproxy01
>> uid=3000370(SERVERAD\userproxy01) gid=100(users)
>> grupos=100(users),3000370(SERVERAD\userproxy01),3000001(BUILTIN\users)
>>
>> getent passwd userproxy01
>> SERVERAD\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:
>> /bin/false
>>
>> DC-LINUX2
>>
>> id userproxy01
>> uid=3000036(SERVERAD\userproxy01) gid=100(users)
>> grupos=100(users),3000036(SERVERAD\userproxy01),3000001(BUILTIN\users)
>>
>> getent passwd userproxy01
>> SERVERAD\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:
>> /bin/false
>>
>>
>> Thanks.
>>
>> On 29-01-2016 10:07, L.P.H. van Belle wrote:
>>> Hai Rowland.
>>>
>>> What you tried is ok, or I'm misunderstanding you.
>>>
>>> For me :
>>> All members give me.
>>> getent passwd myuser
>>> myuser:*:10002:10000::/home/users/myuser:/bin/bash
>>>
>>> id myuser
>>> uid=10002(myuser) gid=10000(domain users)
>>>
>>> the memberservers are either sernet samba 4.2.7 or debian samba 4.1.17
>>>
>>> and on the DCs.  ( only sernet samba 4.2.7 )
>>>
>>> getent passwd myuser
>>> myuser:*:10002:10000:L.P.H. van Belle:/home/users/ myuser:/bin/bash
>>>
>>> id myuser
>>> uid=10002(myuser) gid=10000(domain users)
>>>
>>> forgot to mention 1 restriction.
>>>
>>> In the DC's i also have
>>>           template shell = /bin/bash
>>>           template homedir = /home/users/%U
>>>
>>> The restriction is that you must use the above shell and homedirs for all
>>> your users and they must be the same in the AD unix tab.
>>> The GECOS is different, but who uses that..
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
>>>> Sent: Friday 29 January 2016 12:42
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Validate Ids Multiple DC
>>>>
>>>> On 29/01/16 08:59, L.P.H. van Belle wrote:
>>>>> If you add the "not" supported winbind options from the member also to
>>>>> the DCs, then you will have the same resulting uid on all servers.
>>>>> Officially not supported, but it has worked for more than a year here.
>>>>> ( sernet samba 4.2.7 on debian wheezy )
>>>>>
>>>>> This is my addition to the smb.conf on the DC.
>>>>>            ## map id's outside to domain to tdb files.
>>>>>            idmap config * : backend = tdb
>>>>>            idmap config * : range = 2000-9999
>>>>>            ## map ids from the domain and (*) the range may not overlap !
>>>>>            idmap config NTDOMAIN : backend = ad
>>>>>            idmap config NTDOMAIN : schema_mode = rfc2307
>>>>>            idmap config NTDOMAIN : range = 10000-3999999
>>>>>
>>>>>            # Use home directory and shell information from AD
>>>>>            winbind nss info = rfc2307
>>>>>
>>>>>            winbind trusted domains only = no
>>>>>            winbind use default domain = yes
>>>>>            winbind expand groups = 4
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller
>>>>>> Sent: Friday 29 January 2016 9:21
>>>>>> To: 'Carlos A. P. Cunha'; samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Validate Ids Multiple DC
>>>>>>
>>>>>> You can try to do it with the unix tab in rsat on the master dc (as I did).
>>>>>> Both DCs have the same ids.
>>>>>> On your memberservers this will be mapped by winbind(d)
>>>>>> EX:
>>>>>>
>>>>>> [root at s4master ~]# id tester
>>>>>> uid=90000(TPLK\tester) gid=100(users)
>>>>>> Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
>>>>>>
>>>>>> [root at s4slave ~]# id tester
>>>>>> uid=90000(TPLK\tester) gid=100(users)
>>>>>> Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
>>>>>>
>>>>>> winbind(d)  mapping the same ids on 2 memberservers:
>>>>>> [root at centclust1 ~]# id tester
>>>>>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),1643(terminalserver user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)
>>>>>>
>>>>>>
>>>>>> [root at centclust2 ~]# id tester
>>>>>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640(schreiben),1643(terminalserver user),1620(direktionv),100001(BUILTIN\users)
>>>>>>
>>>>>>
>>>>>> EDV Daniel Müller
>>>>>>
>>>>>> Head of IT
>>>>>> Tropenklinik Paul-Lechler-Krankenhaus
>>>>>> Paul-Lechler-Str. 24
>>>>>> 72076 Tübingen
>>>>>> Tel.: 07071/206-463, Fax: 07071/206-499
>>>>>> eMail: mueller at tropenklinik.de
>>>>>> Internet: www.tropenklinik.de
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -----Original message-----
>>>>>> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
>>>>>> Sent: Friday, 29 January 2016 00:43
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: [Samba] Validate Ids Multiple DC
>>>>>>
>>>>>> Hello!
>>>>>> I have 2 Samba 4 servers (4.3.3) as DC and another Samba 4 (4.3) as
>>>>>> Fileserver; until now all ok, but I have one doubt: how to validate that
>>>>>> in both servers the domain IDs of the users are identical, is there a
>>>>>> simple way to do this validation?
>>>>>> I wanted to make sure it is a DC die fileserver has to go 100%.
>>>>>> thank you
>>>>>>
>>>>>> --
>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>>>>
>>>>>>
>>>> Hi Louis, you keep saying adding the domain member lines to a DC works
>>>> for you, so I thought it was time I tried them again.
>>>>
>>>> This is before adding the lines:
>>>>
>>>> root at testdc1:~# getent passwd rowland
>>>> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
>>>>
>>>> Now add the lines to smb.conf:
>>>>
>>>>            ## map id's outside to domain to tdb files.
>>>>            idmap config * : backend = tdb
>>>>            idmap config * : range = 2000-9999
>>>>            ## map ids from the domain and (*) the range may not overlap !
>>>>            idmap config HOME : backend = ad
>>>>            idmap config HOME : schema_mode = rfc2307
>>>>            idmap config HOME : range = 10000-3999999
>>>>
>>>>            # Use home directory and shell information from AD
>>>>            winbind nss info = rfc2307
>>>>
>>>>            winbind trusted domains only = no
>>>>            winbind use default domain = yes
>>>>            winbind expand groups = 4
>>>>
>>>> Ran 'net cache flush' and then 'service samba-ad-dc restart'
>>>>
>>>> Checked again:
>>>>
>>>> root at testdc1:~# getent passwd rowland
>>>> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
>>>>
>>>> Absolutely no difference, this is with Samba 4.3.3
>>>>
>>>> Rowland
>>>>
>>>>
>>>
>
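The thread asks for "a simple way to do this validation" of uids across DCs and member servers, and Louis's config note stresses that the `*` and domain idmap ranges must not overlap. The following script is an added example, not code from the thread or from the Samba project: it compares `getent passwd` records captured from several hosts and flags any account whose uid/gid differs, and it parses the `idmap config ... : range` lines of an smb.conf to detect overlapping ranges. The host names, the sample passwd lines (modelled on the mismatch Carlos posted) and the smb.conf fragment are constructed for illustration.

```python
"""
Added example (not from the Samba list thread): cross-check that the same
account resolves to the same uid/gid on every DC and member server, and that
the idmap ranges in smb.conf do not overlap. Host names, the smb.conf
fragment and the sample `getent passwd` lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: `getent passwd <user>` output captured from each host.
# userproxy01 deliberately resolves to different uids on the two DCs, mirroring
# the mismatch reported in the thread (3000370 vs 3000036).
GETENT_BY_HOST = {
    "DC-LINUX1": [
        "SERVERAD\\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false",
        "SERVERAD\\alice:*:10001:10000:Alice:/home/SERVERAD/alice:/bin/bash",
    ],
    "DC-LINUX2": [
        "SERVERAD\\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false",
        "SERVERAD\\alice:*:10001:10000:Alice:/home/SERVERAD/alice:/bin/bash",
    ],
    # A member server with 'winbind use default domain = yes' omits the DOMAIN\ prefix.
    "FILESERVER": [
        "alice:*:10001:10000:Alice:/home/SERVERAD/alice:/bin/bash",
    ],
}


def parse_passwd_line(line):
    """Split one passwd(5) record into (user, uid, gid). The DOMAIN\\ prefix is
    stripped and the name lower-cased so DC and member records compare equal."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a passwd record: {line!r}")
    user = fields[0].split("\\")[-1].lower()
    return user, int(fields[2]), int(fields[3])


def find_id_mismatches(getent_by_host):
    """Return {user: {host: (uid, gid)}} for every user whose uid or gid is not
    identical on all hosts that resolved it."""
    seen = defaultdict(dict)
    for host, lines in getent_by_host.items():
        for line in lines:
            user, uid, gid = parse_passwd_line(line)
            seen[user][host] = (uid, gid)
    return {u: hosts for u, hosts in seen.items() if len(set(hosts.values())) > 1}


# Constructed smb.conf fragment using the idmap lines discussed in the thread.
SMB_CONF = """
[global]
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config SERVERAD : backend = ad
    idmap config SERVERAD : schema_mode = rfc2307
    idmap config SERVERAD : range = 10000-3999999
"""

_RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.IGNORECASE)


def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} from 'idmap config X : range = a-b' lines."""
    ranges = {}
    for line in conf_text.splitlines():
        m = _RANGE_RE.match(line)
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges


def overlapping_ranges(ranges):
    """Return (domain_a, domain_b) pairs whose idmap ranges overlap. An overlap
    lets two backends hand out the same id for different security principals."""
    names = sorted(ranges)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            lo_a, hi_a = ranges[a]
            lo_b, hi_b = ranges[b]
            if lo_a <= hi_b and lo_b <= hi_a:
                clashes.append((a, b))
    return clashes


if __name__ == "__main__":
    for user, hosts in find_id_mismatches(GETENT_BY_HOST).items():
        detail = ", ".join(f"{h}={uid}/{gid}" for h, (uid, gid) in hosts.items())
        print(f"MISMATCH {user}: {detail}")
    ranges = parse_idmap_ranges(SMB_CONF)
    print("idmap ranges:", ranges, "overlaps:", overlapping_ranges(ranges))
```

In practice the `GETENT_BY_HOST` dictionary would be filled from the real `getent passwd` output of each host (for example collected over ssh); the comparison strips the `DOMAIN\` prefix so that DCs, which print it, and members running with `winbind use default domain = yes`, which do not, are compared on the numeric ids alone.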