[Samba] Validate Ids Multiple DC

Rowland penny rpenny at samba.org
Fri Jan 29 16:01:12 UTC 2016


On 29/01/16 15:42, Carlos A. P. Cunha wrote:
> Hello!
> No, the first DC was a migration of a Win Server 2003, and the second 
> DC Samba only.
>
> Yes, but I already posted the smb.conf in a new post.
>
> smb.conf
>
> # Global parameters
> [global]
> workgroup = SERVERAD
> realm = mydomain
> netbios name = DC-LINUX1 (and DC-LINUX2)
> server role = active directory domain controller
> passdb backend = samba_dsdb
> server services = s3fs, rpc, nbt, wrepl, ldap, CLDAP, kdc, drepl, 
> winbindd, ntp_signd, kcc, dnsupdate
>
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
> idmap_ldb:use rfc2307 = yes
> kerberos method = system keytab
> client ldap sasl wrapping = sign
> allow DNS updates = nonsecure and secure
> nsupdate command = /usr/bin/nsupdate -g
>
> ## Map id's to outside domain to tdb files.
> idmap config *: backend = tdb
> idmap config *: range = 2000-9999
> ### Map IDs from the domain and (*) the range may not overlap!
> idmap config SERVERAD: backend = ad
> idmap config SERVERAD: schema_mode = RFC2307
> idmap config SERVERAD: range = 10000-3999999
>
> ## Use home directory and shell information from AD
> winbind nss info = RFC2307
>
> winbind trusted domains only = on
> winbind use default domain = yes
> winbind expand groups = 4
>
> # Disable Cups
> load printers = no
> printing = bsd
> printcap name = /dev/null
> spoolss disable = yes
>
> DC-LINUX1
>
> id userproxy01
> uid=3000370(SERVERAD\userproxy01) gid=100(users) groups=100(users),3000370(SERVERAD\userproxy01),3000001(BUILTIN\users)
>
> getent passwd userproxy01
> SERVERAD\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
>
> DC-LINUX2
>
> id userproxy01
> uid=3000036(SERVERAD\userproxy01) gid=100(users) groups=100(users),3000036(SERVERAD\userproxy01),3000001(BUILTIN\users)
>
> getent passwd userproxy01
> SERVERAD\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
>
> Em 29-01-2016 13:34, Rowland penny escreveu:
>> On 29/01/16 15:26, Carlos A. P. Cunha wrote:
>>> At first no, but I find it strange there are different ids...
>>
>>
>> Can you post your smb.conf.
>>
>> Have you given any of your users & groups a uidNumber or gidNumber ?
>> How many DCs have you ?
>>
>> Rowland
>>
>>>
>>> Please, if you can post your smb.conf, it would help.
>>>
>>
>>
>
>

OK, I see your problem:

id userproxy01

on DC-LINUX1: 3000370
on DC-LINUX2: 3000036

This is a known problem; it is caused by the fact that idmap.ldb is not 
synced between the DCs.

There are two ways to fix this:

Give all of your users a unique uidNumber attribute and Domain Users a 
gidNumber attribute.

Copy idmap.ldb from the first DC to the second DC.

Either way will mean updating who owns the users' files on the DC, but 
you need to keep idmap.ldb in sync in future if you go in that direction.

Rowland
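The two-step procedure above (confirm the ids really differ between DCs, then give users and Domain Users fixed RFC2307 ids) can be scripted. The following is an added example, not code from this thread or from the Samba project. It parses `id` output collected from each DC (the two lines from the thread are embedded as constructed sample data), reports which of uid/gid drift between DCs, validates a planned set of uidNumber/gidNumber assignments against the `idmap config SERVERAD` range from the posted smb.conf (no duplicates, no ids outside the range, every user's primary gidNumber matching a group), and emits the LDIF you would feed to `ldbmodify` against sam.ldb. The base DN `DC=example,DC=com`, the chosen ids 10000/10001, and the assumption that each user's CN equals its account name are hypothetical.

```python
"""Spot xid drift between Samba DCs and generate RFC2307 LDIF.

Added example, not code from the thread or from the Samba project.
Assumptions: `id` output lines are collected from each DC by hand and
pasted into ID_OUTPUTS; user CNs equal their account names; the base DN
and the chosen uid/gid values are hypothetical.
"""
import re

# Constructed sample: the two `id userproxy01` outputs quoted in the thread,
# one per DC. Note the differing uid (3000370 vs 3000036).
ID_OUTPUTS = {
    "DC-LINUX1": "uid=3000370(SERVERAD\\userproxy01) gid=100(users) "
                 "groups=100(users),3000370(SERVERAD\\userproxy01),3000001(BUILTIN\\users)",
    "DC-LINUX2": "uid=3000036(SERVERAD\\userproxy01) gid=100(users) "
                 "groups=100(users),3000036(SERVERAD\\userproxy01),3000001(BUILTIN\\users)",
}

_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")   # matches "3000370(SERVERAD\userproxy01)"


def parse_id_output(line):
    """Parse one `id` line into uid, gid and the group list as (number, name) pairs."""
    parsed = {}
    for key in ("uid", "gid", "groups"):
        m = re.search(rf"\b{key}=(\S+)", line)
        if m is None:
            raise ValueError(f"no {key}= field in: {line!r}")
        entries = [(int(num), name) for num, name in _ENTRY.findall(m.group(1))]
        parsed[key] = entries if key == "groups" else entries[0]
    return parsed


def find_drift(outputs_by_dc):
    """Return {field: {dc: number}} for the uid/gid values on which the DCs disagree.

    An empty dict means every DC maps the account to the same ids, which is
    what you need before files on the DCs can share ownership.
    """
    parsed = {dc: parse_id_output(line) for dc, line in outputs_by_dc.items()}
    drift = {}
    for key in ("uid", "gid"):
        values = {dc: fields[key][0] for dc, fields in parsed.items()}
        if len(set(values.values())) > 1:
            drift[key] = values
    return drift


def check_assignments(users, groups, id_range=(10000, 3999999)):
    """Validate planned (name, uidNumber, gidNumber) and (name, gidNumber) tuples.

    id_range defaults to the SERVERAD range from the posted smb.conf; ids
    outside it would be ignored by idmap_ad on a member server. Returns a list
    of human-readable problems; an empty list means the plan is safe to apply.
    """
    lo, hi = id_range
    problems = []
    seen_uid = {}
    for name, uid, _gid in users:
        if not lo <= uid <= hi:
            problems.append(f"{name}: uidNumber {uid} outside {lo}-{hi}")
        if uid in seen_uid:
            problems.append(f"{name}: uidNumber {uid} already used by {seen_uid[uid]}")
        seen_uid.setdefault(uid, name)
    group_gids = {}
    for name, gid in groups:
        if not lo <= gid <= hi:
            problems.append(f"{name}: gidNumber {gid} outside {lo}-{hi}")
        if gid in group_gids:
            problems.append(f"{name}: gidNumber {gid} already used by {group_gids[gid]}")
        group_gids.setdefault(gid, name)
    for name, _uid, gid in users:
        if gid not in group_gids:
            problems.append(f"{name}: primary gidNumber {gid} matches no group")
    return problems


def rfc2307_ldif(base_dn, users, groups):
    """Build LDIF (for `ldbmodify -H .../sam.ldb`) that sets the RFC2307 ids.

    `replace` creates the attribute when it is absent and overwrites it when
    present, so the same LDIF serves both first-time and corrective runs.
    """
    blocks = []
    for name, uid, gid in users:
        blocks.append("\n".join([
            f"dn: CN={name},CN=Users,{base_dn}",   # assumption: CN == account name
            "changetype: modify",
            "replace: uidNumber", f"uidNumber: {uid}", "-",
            "replace: gidNumber", f"gidNumber: {gid}", "-",
        ]))
    for name, gid in groups:
        blocks.append("\n".join([
            f"dn: CN={name},CN=Users,{base_dn}",
            "changetype: modify",
            "replace: gidNumber", f"gidNumber: {gid}", "-",
        ]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print("drift:", find_drift(ID_OUTPUTS))
    # Hypothetical plan: Domain Users -> 10000, userproxy01 -> 10001
    plan_users = [("userproxy01", 10001, 10000)]
    plan_groups = [("Domain Users", 10000)]
    for problem in check_assignments(plan_users, plan_groups):
        print("problem:", problem)
    print(rfc2307_ldif("DC=example,DC=com", plan_users, plan_groups))
```

After applying the LDIF on one DC it replicates to the other, and with `idmap_ldb:use rfc2307 = yes` both DCs resolve the account to the uidNumber from AD instead of their own idmap.ldb allocation; re-run the drift check and then chown the files that were owned by the old 3000xxx ids.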
