[Samba] Samba4 Domain Member Server "Getent show diferents UID"

Juan Ignacio juan.ignacio.pazos at gmail.com
Tue Jun 14 14:36:16 UTC 2016


I'm going to answer everything; here I go.

Have you given your users a uidNumber attribute ?

Not all, but I set it on my user and it does not work.

Have you given 'Domain Users' (at least) a gidNumber attribute ?

Not all, but I set it on my user and it does not work.

If you have done the above, have you run 'net cache flush' on the DC ?

Yes  :-(

Is PAM set up correctly on the DC and domain member ?
Yes.

The smb.conf on the DC.

[global]
       netbios name = XXXXXX
       security = ADS
       workgroup = XXXXXXX
       realm = XXXXXXX

       log file = /var/log/samba/%m.log
       log level = 1

       # idmap config used for your domain.
       # Click on the following links for more information
       # on the available winbind idmap backends,
       # Choose the one that fits your requirements
       # then add the corresponding configuration.

       # Just adding the following three lines is not enough!!
       #  - idmap config ad
       #  - idmap config rid
       #  - idmap_config_autorid

        idmap config * : backend = tdb
        idmap config * : range = 100000-299999
        idmap config TEST : backend = rid
        idmap config TEST : range = 10000-99999
        winbind separator = +
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind refresh tickets = yes


[test]
        read only = no
        path = /testSamba

The smb.conf in the AD DC.

# Global parameters
[global]
        workgroup = XXXXX
        realm = XXXXXXXX
        netbios name = XXXXXXX
        server role = active directory domain controller
        dns forwarder = xxx.xx.xxx.xxx
        allow dns updates = nonsecure and secure
        #server services = rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
        dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,winbind, ntp_signd, kcc, dnsupdate, dns
        idmap_ldb:use rfc2307 = yes
        #winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        #winbind nested groups = yes
        log level = 3
        log file = /var/log/samba/samba.log
#       unix charset = ISO8859-1

#[netlogon antes]
#path = /usr/local/samba/var/locks/sysvol/xxxxxx/scripts
#read only = No




Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

2016-06-13 16:22 GMT-03:00 Rowland penny <rpenny at samba.org>:

> On 13/06/16 20:14, Rowland penny wrote:
>
>> On 13/06/16 19:37, Juan Ignacio wrote:
>>
>>> Rowland:
>>>
>>> I'll use this email from now, the other does not work well.
>>>
>>> A few years ago around 2.
>>>
>>> We did everything that could be used for NIX and it worked.
>>> The main DC_AD had been provisioned without rfc2307 and we did later.
>>>
>>> The problem is that at that time by not having infrastructure had to be
>>> used as fileserver and this was a problem because all directories are UID
>>> of 3000000 onwards.
>>>
>>> Now I installed a new server following the procedure here:
>>>
>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>
>>> All seems to work well but UIDs are different when for example I run
>>> wbinfo --user-info=uanaco
>>>
>>> Primary AD-DC
>>> ADDC1\uanaco:*:3000783:100:uanaco:/home/ADDC1/uanaco:/bin/false
>>>
>>> member Server
>>> uanaco:*:100642:100008:uanaco:/home/ADDC1/uanaco:/bin/false
>>>
>>> This is a problem because my intention is to use this file server and
>>> testify pass all directories Primary AD-DC to Member Server.
>>>
>>> Is there any way the member server can read the same UID as the primary?
>>>
>>> Thanks, Rowland.
>>>
>>
>> Yes, but what does 'getent passwd ADDC1\uanaco' on the DC show ???
>> if it shows '3000783' as the user's UID, then, unless you have set the
>> user's uidNumber attribute to 3000783, you are not using RFC2307 attributes.
>> This is further backed up by the fact that the same user may get '100642'
>> as its UID on the domain member.
>>
>> Few questions:
>> Have you given your users a uidNumber attribute ?
>> Have you given 'Domain Users' (at least) a gidNumber attribute ?
>> If you have done the above, have you run 'net cache flush' on the DC ?
>> Is PAM set up correctly on the DC and domain member ?
>>
>> Rowland
>>
>>
> Also can you post (as I asked) the smb.conf from the domain member.
>
>
> Rowland
>
>
>
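
An added example, not part of the original message and not Samba code: it parses the idmap lines of the domain member smb.conf quoted above and reports which configured range each UID from the thread falls in. The function names are illustrative; the config lines and the two UIDs are copied from the message.

```python
import re

# idmap lines copied from the domain member smb.conf quoted in the message above.
MEMBER_SMB_CONF = """
[global]
        idmap config * : backend = tdb
        idmap config * : range = 100000-299999
        idmap config TEST : backend = rid
        idmap config TEST : range = 10000-99999
"""

IDMAP_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*(backend|range)\s*=\s*(\S+)\s*$", re.I)

def parse_idmap(conf_text):
    """Return {domain: {"backend": str, "low": int, "high": int}}."""
    domains = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):   # skip commented-out settings
            continue
        m = IDMAP_RE.match(line)
        if not m:
            continue
        domain, key, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = domains.setdefault(domain, {})
        if key == "backend":
            entry["backend"] = value
        else:
            low, high = value.split("-")
            entry["low"], entry["high"] = int(low), int(high)
    return domains

def owner_of(domains, unix_id):
    """Name the idmap domain whose range contains unix_id, or None."""
    for name, cfg in domains.items():
        if "low" in cfg and cfg["low"] <= unix_id <= cfg["high"]:
            return name
    return None

def overlaps(domains):
    """List pairs of idmap domains whose ranges overlap (a misconfiguration)."""
    items = [(n, c) for n, c in domains.items() if "low" in c]
    return [(a, b) for i, (a, ca) in enumerate(items) for b, cb in items[i + 1:]
            if ca["low"] <= cb["high"] and cb["low"] <= ca["high"]]

if __name__ == "__main__":
    cfg = parse_idmap(MEMBER_SMB_CONF)
    for host, uid in (("AD DC", 3000783), ("member", 100642)):  # UIDs from the thread
        name = owner_of(cfg, uid)
        backend = cfg[name]["backend"] if name else "no range on the member"
        print(f"{host}: uid {uid} -> idmap domain {name!r} ({backend})")
```

Run against the quoted settings, the member's UID 100642 lands in the default `*` tdb range rather than the `TEST` rid range, and the DC's 3000783 lies outside every range configured on the member.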

