[Samba] Samba 4 Member server show different UID than Ad Server

mathias dufresne infractory at gmail.com
Tue Jun 14 10:23:00 UTC 2016


Without UID and/or GID configured in the AD database (in the LDAP tree), Samba
would give UID/GID to users and groups when needed, and as nothing is
written, Samba has to guess. This guessing process is called id mapping.

Samba does not synchronize the generated file containing this ID map. No
synchronization plus random xIDs leads to xID inconsistency.

This is not necessarily an issue: with only one DC (a config I can't
approve) there is no issue: Sysvol is hosted by only one DC, and there is no
inconsistency when you are alone (it's when you meet people that craziness
appears :). File servers do not normally host the same files: AD DCs host
Sysvol and NetLogon, and both of these shares are not hosted on file servers,
which host other files. Different files, so no issue with rights... as long as
you don't have to copy or move files from server to server; in
that case it could be a mess.

Solution seems to be:
- give UID/GID to everything in AD. Your users and those in CN=BUILTIN and
CN=Users too.
- synchronize private/idmap.ldb across your DCs at least (they all host
Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Member
servers seem not to have that file.
- use "net cache flush" to clear the idmap cache on every server (members
included). Once the cache is cleared, Winbind would need to find out what
UID/GID to use; it should now rely on the UID:GID declared in the AD database
and the issue should disappear.

2016-06-14 9:14 GMT+02:00 Mueller <mueller at tropenklinik.de>:

> So you need to configure winbindd the right way to solve this.
> Indeed if you have another UID it can result in "access refused".
> This is an issue I tried to discuss since samba4 started and I think this
> should be an integrated thing in samba ads to member server
> Without having admins to bother about.
>
> Greetings
> Daniel
>
>
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
>
>
>
>
> -----Original Message-----
> From: Juan Ignacio [mailto:juan.ignacio.pazos at gmail.com]
> Sent: Monday, 13 June 2016 17:32
> To: samba at lists.samba.org
> Subject: [Samba] Samba 4 Member server show different UID than Ad Server
>
> Hello friends, I come to ask for a hand.
>
> I have an AD server with Samba 4.1 and added a Member Server 4.4 without
> problems.
>
> The only problem I'm having is that the UID of users in the Member Server
> are different from the AD server.
>
> Ad Server
>
> KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone
> Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>
> Member Server
>
> florenciaelmone:*:100002:100008:Florencia Elmone
> Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>
> Is there some way to resolve this?
>
> Thanks.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

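To confirm the mismatch discussed in this thread, and to verify it is gone after the cache flush, the passwd-format entries from the DC and a member server can be compared. The script below is an added example, not part of the original messages; the function name and file layout are assumptions, and the sample input is constructed from the two entries quoted above (each joined back onto one line).

```shell
#!/bin/sh
# Added example: report accounts whose UID or GID differs between two hosts.
# Input: one passwd-format file per host (name:pw:uid:gid:gecos:home:shell).

# Constructed sample input, taken from the entries quoted in the thread.
DC_PASSWD='KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone Domingues:/home/KENNEDY/florenciaelmone:/bin/false'
MEMBER_PASSWD='florenciaelmone:*:100002:100008:Florencia Elmone Domingues:/home/KENNEDY/florenciaelmone:/bin/false'

# xid_mismatches DC_FILE MEMBER_FILE  (hypothetical helper name)
# Prints "user dc=UID:GID member=UID:GID" for every account present on both
# hosts whose UID or GID is not identical.
xid_mismatches() {
    awk -F: '
        # Drop a leading "DOMAIN\" and lowercase, so "KENNEDY\name" and
        # "name" are treated as the same account.
        function norm(n) { sub(/^.*\\/, "", n); return tolower(n) }
        NF < 4 { next }                          # skip wrapped or malformed lines
        FNR == NR { dc[norm($1)] = $3 ":" $4; next }   # first file: the DC
        {
            u = norm($1)
            if (u in dc && dc[u] != $3 ":" $4)
                printf "%s dc=%s member=%s\n", u, dc[u], $3 ":" $4
        }
    ' "$1" "$2"
}

# Run against the constructed sample.
tmp=$(mktemp -d)
printf '%s\n' "$DC_PASSWD" > "$tmp/dc"
printf '%s\n' "$MEMBER_PASSWD" > "$tmp/member"
xid_mismatches "$tmp/dc" "$tmp/member"
rm -rf "$tmp"
```

An empty result means both hosts resolve every shared account to the same UID:GID pair.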
