[Samba] Validate Ids Multiple DC
L.P.H. van Belle
belle at bazuin.nl
Fri Jan 29 15:52:30 UTC 2016
Here you go.
My setup.
DCs: Debian Wheezy, Sernet Samba 4.2.7.
Members: all Debian Jessie:
Print server : sernet samba 4.2.7
Proxy server : Debian Samba 4.1.17
File servers : Debian samba 4.1.17
DC Sample.
cat /etc/samba/smb.conf
# Global parameters
[global]
workgroup = NTDOMAIN
realm = INTERNAL.DOMAIN.TLD
netbios name = DC1
server role = active directory domain controller
server services = -dns
idmap_ldb:use rfc2307 = yes
## Don't forget to set idmap_ldb on ALL DCs if you use it
interfaces = 127.0.0.1 192.168.0.1
bind interfaces only = yes
time server = yes
wins support = yes
## KEEP THIS OFF !! Only used for modifying the AD Schema
## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
dsdb:schema update allowed = no
## NEEDED FOR ZARAFA SCHEMA UPDATES
## map ids outside the domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain; this range and the (*) range may not overlap!
idmap config NTDOMAIN : backend = ad
idmap config NTDOMAIN : schema_mode = rfc2307
idmap config NTDOMAIN : range = 10000-3999999
# Use home directory and shell information from AD
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind expand groups = 4
template shell = /bin/bash
template homedir = /home/users/%U
# disable printing completely, no cups errors anymore in your logs.
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
## acl_xattr:ignore system acls = yes
## is used for all "windows ONLY" shares, or any kerberos-authenticated share.
[sysvol]
path = /home/samba/sysvol
read only = No
acl_xattr:ignore system acls = yes
[netlogon]
path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
read only = No
acl_xattr:ignore system acls = yes
My MOST important member server smb.conf
FILE SERVER Sample.
[global]
workgroup = NTDOMAIN
security = ADS
realm = INTERNAL.DOMAIN.TLD
netbios name = MEMBER1
# set master browser for the network.
# preferred + domain master = guaranteed master browser ( man smb.conf )
preferred master = yes
domain master = yes
host msdfs = no
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
client signing = if_required
## map ids outside the domain to tdb files.
idmap config *:backend = tdb
idmap config *:range = 2000-9999
## map ids from the domain; this range and the (*) range may not overlap!
idmap config NTDOMAIN: backend = ad
idmap config NTDOMAIN: schema_mode = rfc2307
idmap config NTDOMAIN: range = 10000-3999999
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = yes
winbind expand groups = 4
wins server = 192.168.0.1, 192.168.0.2
# disable printing completely
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# disable usershare creation; defined again because I don't use it and
# this way you don't have log messages about usershares.
usershare path =
##### only here so we remember how to set this up; it MUST be the same in the
##### AD and must also exist on the DCs IF you want login ability
##### with AD users.
# template shell = /bin/bash
# template homedir = /home/users/%ACCOUNTNAME%
# user Administrator workaround, without it you are unable to set
# privileges, and you get connect errors to shares as administrator.
username map = /etc/samba/samba_usermapping
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Share Setting Globally
veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
hide unreadable = yes
[profiles]
browseable = yes
path = /home/samba/profiles
read only = no
acl_xattr:ignore system acls = yes
[users]
browseable = yes
path = /home/samba/users
read only = no
acl_xattr:ignore system acls = yes
[public]
# used for package distribution, GPO things etc.
browseable = yes
path = /home/samba/public
read only = no
---------------------
Proxy server sample: well, see the FILE server sample, without shares.
Print server sample: see the File server sample, remove those shares and add:
## Enabling spoolssd
## smb.conf only ignores whole lines starting with # or ; so the comments
## sit on their own lines instead of behind the values.
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
# Minimum number of child processes
spoolssd:prefork_min_children = 5
# Maximum number of child processes
spoolssd:prefork_max_children = 25
# Start (fork) x new children if one connection comes in (up to prefork_max_children)
spoolssd:prefork_spawn_rate = 5
# Number of clients a child process should be responsible for
spoolssd:prefork_max_allowed_clients = 100
# Minimum lifetime of a child process (60 seconds is the minimum, even if a lower value has been configured)
spoolssd:prefork_child_min_life = 60
## Cups auth problems : adduser USERNAME lpadmin
[printers]
comment = All Printers
path = /home/samba/printing/spool
browseable = no
printable = yes
printing = CUPS
acl_xattr:ignore system acls = yes
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
# path = /var/lib/samba/printers
path = /home/samba/printing/drivers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
write list = root, @"Domain Admins"
acl_xattr:ignore system acls = yes
I'm out of the office in 10 min, so if you have a question, ask on the list.
Monday I'm back here.
Greetz and have a nice weekend everybody..
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A. P. Cunha
> Sent: Friday 29 January 2016 16:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> At first no, but I find it strange there are different ids...
>
> Please, if you can post your smb.conf, it would help.
>
> On 29-01-2016 13:10, L.P.H. van Belle wrote:
> > Hello Carlos.
> >
> > First, please post to the list; this way everybody can help.
> >
> > The ids like 3000036 are, I think, from a Samba DC with a RID setup.
> > If you want to log in also on the DC with, for example, SSH:
> >
> > Add also the template lines.
> >
> > Fix the idmap.
> >
> > net getdomainsid
> > net idmap delete ranges YOURDOMAIN_SID
> >
> > restart the DC.
> >
> > And check again.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> >> Sent: Friday 29 January 2016 15:14
> >> To: L.P.H. van Belle
> >> Subject: Re: [Samba] Validate Ids Multiple DC
> >>
> >> Hello!
> >> Thanks for the answers.
> >>
> >> My smb.conf is now like this on both DCs, but it is still giving different IDs:
> >>
> >>
> >> smb.conf
> >>
> >> # Global parameters
> >> [global]
> >> workgroup = SERVERAD
> >> realm = mydomain
> >> netbios name = DC-LINUX1(e DC-LINUX2)
> >> server role = active directory domain controller
> >> passdb backend = samba_dsdb
> >> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> >> drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>
> >> map archive = No
> >> map readonly = no
> >> store dos attributes = Yes
> >> vfs objects = dfs_samba4 acl_xattr
> >> idmap_ldb:use rfc2307 = yes
> >> kerberos method = system keytab
> >> client ldap sasl wrapping = sign
> >> allow dns updates = nonsecure and secure
> >> nsupdate command = /usr/bin/nsupdate -g
> >>
> >> ## map ids outside the domain to tdb files.
> >> idmap config * : backend = tdb
> >> idmap config * : range = 2000-9999
> >> ### map ids from the domain; this range and the (*) range may not overlap!
> >> idmap config SERVERAD : backend = ad
> >> idmap config SERVERAD : schema_mode = rfc2307
> >> idmap config SERVERAD : range = 10000-3999999
> >>
> >> ## Use home directory and shell information from AD
> >> winbind nss info = rfc2307
> >>
> >> winbind trusted domains only = no
> >> winbind use default domain = yes
> >> winbind expand groups = 4
> >>
> >> # Disable Cups
> >> load printers = no
> >> printing = bsd
> >> printcap name = /dev/null
> >> disable spoolss = yes
> >>
> >> DC-LINUX1
> >>
> >> id userproxy01
> >> uid=3000370(SERVERAD\userproxy01) gid=100(users)
> >> grupos=100(users),3000370(SERVERAD\userproxy01),3000001(BUILTIN\users)
> >>
> >> getent passwd userproxy01
> >>
> >> SERVERAD\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
> >>
> >> DC-LINUX2
> >>
> >> id userproxy01
> >> uid=3000036(SERVERAD\userproxy01) gid=100(users)
> >> grupos=100(users),3000036(SERVERAD\userproxy01),3000001(BUILTIN\users)
> >>
> >> getent passwd userproxy01
> >>
> >> SERVERAD\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
> >>
> >>
> >> Thanks.
> >>
> >> On 29-01-2016 10:07, L.P.H. van Belle wrote:
> >>> Hi Rowland.
> >>>
> >>> What you tried is ok, or I'm misunderstanding you.
> >>>
> >>> For me :
> >>> All members give me.
> >>> getent passwd myuser
> >>> myuser:*:10002:10000::/home/users/myuser:/bin/bash
> >>>
> >>> id myuser
> >>> uid=10002(myuser) gid=10000(domain users)
> >>>
> >>> the member servers are either Sernet Samba 4.2.7 or Debian Samba 4.1.17
> >>>
> >>> and on the DCs. ( only sernet samba 4.2.7 )
> >>>
> >>> getent passwd myuser
> >>> myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash
> >>>
> >>> id myuser
> >>> uid=10002(myuser) gid=10000(domain users)
> >>>
> >>> forgot to mention 1 restriction.
> >>>
> >>> On the DCs I also have
> >>> template shell = /bin/bash
> >>> template homedir = /home/users/%U
> >>>
> >>> The restriction is that you must use the above shell and homedirs for all
> >>> your users, and they must be the same in the AD unix tab.
> >>> The GECOS is different, but who uses that..
> >>>
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> >>>> Sent: Friday 29 January 2016 12:42
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Validate Ids Multiple DC
> >>>>
> >>>> On 29/01/16 08:59, L.P.H. van Belle wrote:
> >>>>> If you add the "not" supported winbind options from the member also to
> >>>>> the DCs, then you will have the same resulting uid on all servers.
> >>>>> Officially not supported, but it has worked for more than a year here now.
> >>>>> ( sernet samba 4.2.7 on debian wheezy )
> >>>>>
> >>>>> This is my addition to the smb.conf on the DC.
> >>>>> ## map ids outside the domain to tdb files.
> >>>>> idmap config * : backend = tdb
> >>>>> idmap config * : range = 2000-9999
> >>>>> ## map ids from the domain; this range and the (*) range may not overlap!
> >>>>> idmap config NTDOMAIN : backend = ad
> >>>>> idmap config NTDOMAIN : schema_mode = rfc2307
> >>>>> idmap config NTDOMAIN : range = 10000-3999999
> >>>>>
> >>>>> # Use home directory and shell information from AD
> >>>>> winbind nss info = rfc2307
> >>>>>
> >>>>> winbind trusted domains only = no
> >>>>> winbind use default domain = yes
> >>>>> winbind expand groups = 4
> >>>>>
> >>>>>
> >>>>> Greetz,
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>
> >>>>>
> >>>>>> -----Original message-----
> >>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller
> >>>>>> Sent: Friday 29 January 2016 9:21
> >>>>>> To: 'Carlos A. P. Cunha'; samba at lists.samba.org
> >>>>>> Subject: Re: [Samba] Validate Ids Multiple DC
> >>>>>>
> >>>>>> You can try to do it with the unix tab in rsat on the master dc (as I did).
> >>>>>> Both DCs have the same ids.
> >>>>>> On your memberservers this will be mapped by winbind(d)
> >>>>>> EX:
> >>>>>>
> >>>>>> [root at s4master ~]# id tester
> >>>>>> uid=90000(TPLK\tester) gid=100(users)
> >>>>>> Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>>>>>
> >>>>>>
> >>>>>> [root at s4slave ~]# id tester
> >>>>>> uid=90000(TPLK\tester) gid=100(users)
> >>>>>> Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>>>>>
> >>>>>>
> >>>>>> winbind(d) mapping the same ids on 2 memberservers:
> >>>>>> [root at centclust1 ~]# id tester
> >>>>>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),1643(terminalserver user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> [root at centclust2 ~]# id tester
> >>>>>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640(schreiben),1643(terminalserver user),1620(direktionv),100001(BUILTIN\users)
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> EDV Daniel Müller
> >>>>>>
> >>>>>> Head of IT
> >>>>>> Tropenklinik Paul-Lechler-Krankenhaus
> >>>>>> Paul-Lechler-Str. 24
> >>>>>> 72076 Tübingen
> >>>>>> Tel.: 07071/206-463, Fax: 07071/206-499
> >>>>>> eMail: mueller at tropenklinik.de
> >>>>>> Internet: www.tropenklinik.de
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> -----Original message-----
> >>>>>> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> >>>>>> Sent: Friday, 29 January 2016 00:43
> >>>>>> To: samba at lists.samba.org
> >>>>>> Subject: [Samba] Validate Ids Multiple DC
> >>>>>>
> >>>>>> Hello!
> >>>>>> I have 2 Samba 4 servers (4.3.3) as DC and another Samba 4 (4.3) as
> >>>>>> fileserver; until now all ok, but I have one doubt: how to validate that
> >>>>>> on both servers the domain IDs of the users are identical, is there a
> >>>>>> simple way to do this validation?
> >>>>>> I wanted to make sure that if a DC dies, the fileserver has to keep going 100%.
> >>>>>> thank you
> >>>>>>
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>>>
> >>>>>>
> >>>> Hi Louis, you keep saying adding the domain member lines to a DC works
> >>>> for you, so I thought it was time I tried them again.
> >>>>
> >>>> This is before adding the lines:
> >>>>
> >>>> root at testdc1:~# getent passwd rowland
> >>>> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
> >>>>
> >>>> Now add the lines to smb.conf:
> >>>>
> >>>> ## map ids outside the domain to tdb files.
> >>>> idmap config * : backend = tdb
> >>>> idmap config * : range = 2000-9999
> >>>> ## map ids from the domain; this range and the (*) range may not overlap!
> >>>> idmap config HOME : backend = ad
> >>>> idmap config HOME : schema_mode = rfc2307
> >>>> idmap config HOME : range = 10000-3999999
> >>>>
> >>>> # Use home directory and shell information from AD
> >>>> winbind nss info = rfc2307
> >>>>
> >>>> winbind trusted domains only = no
> >>>> winbind use default domain = yes
> >>>> winbind expand groups = 4
> >>>>
> >>>> Ran 'net cache flush' and then 'service samba-ad-dc restart'
> >>>>
> >>>> Checked again:
> >>>>
> >>>> root at testdc1:~# getent passwd rowland
> >>>> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
> >>>>
> >>>> Absolutely no difference, this is with Samba 4.3.3
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>>
> >
>
>
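The check Carlos asks for, scripted instead of running getent passwd on every box by hand. This is an added example and not part of any post in the thread: it fetches the passwd line for each user from every DC and member over ssh (host names, root ssh access and the user list are assumptions) and reports any host that disagrees with the first one or hands out a uid outside the idmap range from the posted smb.conf files.

```shell
#!/bin/sh
# Added example, not from the thread: compare the uid/gid each DC and member
# resolves for a domain user. Host names, root ssh access and the user list are
# assumptions; the range matches "idmap config DOMAIN : range" in the thread.
DOMAIN_RANGE="10000-3999999"
# uid_gid LINE: "uid:gid" taken from a passwd(5) line
uid_gid() {
    printf '%s\n' "$1" | awk -F: '{ print $3 ":" $4 }'
}
# in_domain_range UID RANGE: true when UID lies inside "low-high"
in_domain_range() {
    low=${2%-*}; high=${2#*-}
    [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]
}
# compare_ids USER HOST=LINE...: one verdict per host; returns 1 when a host
# disagrees with the first one or hands out a uid outside DOMAIN_RANGE
compare_ids() {
    user=$1; shift
    ref=""; status=0
    for entry in "$@"; do
        host=${entry%%=*}; line=${entry#*=}
        ids=$(uid_gid "$line")
        [ -n "$ref" ] || ref=$ids
        if [ "$ids" != "$ref" ]; then
            echo "MISMATCH $user: $host resolves $ids, first host gave $ref"
            status=1
        elif ! in_domain_range "${ids%%:*}" "$DOMAIN_RANGE"; then
            echo "OUT OF RANGE $user: $host resolves uid ${ids%%:*}"
            status=1
        else
            echo "OK $user: $host resolves $ids"
        fi
    done
    return $status
}
# check_hosts "HOST HOST ..." USER...: run getent passwd on every host over ssh
# (BatchMode: no password prompts) and compare the answers per user
check_hosts() {
    hosts=$1; shift
    for u in "$@"; do
        set --
        for h in $hosts; do
            set -- "$@" "$h=$(ssh -o BatchMode=yes "root@$h" getent passwd "$u")"
        done
        compare_ids "$u" "$@"
    done
}

# Usage: IDCHECK_HOSTS="dc1 dc2 member1" sh idcheck.sh userproxy01 myuser
if [ -n "${IDCHECK_HOSTS:-}" ]; then check_hosts "$IDCHECK_HOSTS" "$@"; fi
```

Run it from a box that can ssh to all hosts; a non-zero exit means at least one server resolves a user differently, which is exactly the 3000370 versus 3000036 situation shown in the thread.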