[Samba] Samba 4 Member server shows different UID than AD Server

mathias dufresne infractory at gmail.com
Tue Jun 14 15:09:02 UTC 2016


2016-06-14 16:52 GMT+02:00 Juan Ignacio <juan.ignacio.pazos at gmail.com>:

> I like the idea.
>
> - synchronize private/idmap.ldb across your DC at least (they all host
> Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
> servers seem to not have that file.
>
> But in my Domain Controller I do not find this file.
>

I expect you meant "domain member" rather than "domain controller". Domain
members don't have that file.


>
> I found the file in the AD DC.
>

Yep it exists on AD DC.


>
> Is there any way to avoid adding UIDs to users, or is it impossible without
> doing this? There are about 300 users.
>

As I explained below (previous mail), the fact that UID/GID are not the same
between DC and file servers is not necessarily an issue: these UID/GID are
used by Samba to translate Windows identity to UNIX identity (Windows users
from Windows clients access Windows shares hosted by Samba on a Linux
system, and so hosted by a Linux file system; rights on the Linux FS are done
using UID/GID).

Now if you are a bit lost with all this rights management, or if you want to
limit risk in future (more DCs, using DFS or whatever), the simplest is to set
up a UID and GID for every user and every group.

You will have to set up GID on groups first, then UID (and GID) on users if
you do that manually using ADUC (at least that was the case, I believe, when I
tested).

To avoid doing that manually: script it! Chain ldbsearch to list groups and
then users, and awk to read the result of ldbsearch and write the resulting
LDIF file.

Then you run one command: ldbmodify -H $sam
/path/to/your/newly/created/file/ldif
This command should modify all users and groups as defined in the LDIF file,
adding uidNumber and/or gidNumber to groups and users if the script is
correct enough.

Have fun ;)


>
> Analista Inf.
> Juan Ignacio Pazos
> <http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
>
> 2016-06-14 7:23 GMT-03:00 mathias dufresne <infractory at gmail.com>:
>
>> Without UID and/or GID configured in the AD database (in the LDAP tree),
>> Samba would give a UID/GID to users and groups when needed, and as nothing
>> is written, Samba has to guess. This guessing process is called id mapping.
>>
>> Samba does not synchronize the generated file containing this ID map. No
>> synchronization and random xIDs lead to xID inconsistency.
>>
>> This is not necessarily an issue: with only one DC (a config I can't
>> approve) there is no issue: Sysvol is hosted by only one DC, no
>> inconsistency when you are alone (it's when you meet people that craziness
>> appears :). File servers do not host the same files normally: AD DCs host
>> Sysvol and NetLogon, and these two shares are not hosted on file servers,
>> which host other files. Different files, so no issue with rights... as
>> long as you don't have to copy or displace files from server to server;
>> in that case it could be a mess..
>>
>> Solution seems to be:
>> - give UID/GID to everything in AD. Your users and those in CN=BUILTIN and
>> CN=Users too.
>> - synchronize private/idmap.ldb across your DCs at least (they all host
>> Sysvol, Sysvol is rsynced, here you can have issues with UID/GID). Member
>> servers seem not to have that file.
>> - use "net cache flush" to clear the idmap cache on every server (members
>> included). Once the cache is cleared, Winbind would need to find out what
>> UID/GID to use; it should now rely on the UID:GID declared in the AD
>> database and the issue should disappear.
>>
>> 2016-06-14 9:14 GMT+02:00 Mueller <mueller at tropenklinik.de>:
>>
>> > So you need to configure winbindd the right way to solve this.
>> > Indeed if you have another UID it can result in "access refused".
>> > This is an issue I tried to discuss since samba4 started and I think
>> > this should be an integrated thing in samba ads to member server
>> > without having admins to bother about.
>> >
>> > Greetings
>> > Daniel
>> >
>> >
>> > EDV Daniel Müller
>> >
>> > Leitung EDV
>> > Tropenklinik Paul-Lechler-Krankenhaus
>> > Paul-Lechler-Str. 24
>> > 72076 Tübingen
>> > Tel.: 07071/206-463, Fax: 07071/206-499
>> > eMail: mueller at tropenklinik.de
>> > Internet: www.tropenklinik.de
>> >
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: Juan Ignacio [mailto:juan.ignacio.pazos at gmail.com]
>> > Sent: Monday, 13 June 2016 17:32
>> > To: samba at lists.samba.org
>> > Subject: [Samba] Samba 4 Member server shows different UID than AD Server
>> >
>> > Hello friends, I come to ask for a hand.
>> >
>> > I have an AD server with Samba 4.1 and added a Member Server 4.4 without
>> > problems.
>> >
>> > The only problem I'm having is that the UIDs of users on the Member
>> > Server are different from the AD server.
>> >
>> > Ad Server
>> >
>> > KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone
>> > Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>> >
>> > Member Server
>> >
>> > florenciaelmone:*:100002:100008:Florencia Elmone
>> > Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>> >
>> > Is there some way to resolve this?
>> >
>> > Thanks.
>> > --
>> > To unsubscribe from this list go to the following URL and read the
>> > instructions:  https://lists.samba.org/mailman/options/samba
>> >
>> >
>>
>
>

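The ldbsearch / awk / ldbmodify pipeline Mathias sketches above, written out as an added example that is not part of this thread and not Samba's own tooling. The `ldif_from_search` function turns ldbsearch output into an LDIF of `changetype: modify` records; `allocate_ids_on_dc` shows the assumed invocation on a DC in the order the thread recommends (groups first, then users). Everything below the function is an assumption of this example: `$sam` is a placeholder for the DC's sam.ldb path, the ID bases 10000 (groups) and 20000 (users) are arbitrary, users get the gidNumber of "Domain Users" as their gidNumber, and the `DC=example,DC=com` domain with its "Staff", "Alice Example" and "Bob Example" objects is constructed sample input.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): build an LDIF that gives
# every group a gidNumber and every user a uidNumber/gidNumber, groups first
# and users second, then apply it with ldbmodify.
# Assumptions: $sam is the DC's sam.ldb path (placeholder), IDs count upwards
# from a base that is unused on every server, and users receive the gidNumber
# of the "Domain Users" group.

# ldif_from_search MODE BASE [USER_GID]
# Reads ldbsearch output on stdin (records separated by blank lines, "# ..."
# comment lines) and writes LDIF "changetype: modify" records on stdout.
#   MODE "group": add gidNumber where missing, counting up from BASE.
#   MODE "user":  add uidNumber where missing (counting up from BASE) and
#                 gidNumber where missing (set to USER_GID).
# Objects that already carry an ID are left alone, so a second run is a no-op.
# Entries whose dn is base64-encoded ("dn:: ...") are skipped silently.
ldif_from_search() {
    awk -v mode="$1" -v next_id="$2" -v user_gid="$3" '
    function flush(   changes) {
        if (dn == "") return
        changes = ""
        if (mode == "group") {
            if (gid == "") { changes = sprintf("add: gidNumber\ngidNumber: %d\n-\n", next_id); next_id++ }
        } else {
            if (uid == "") { changes = sprintf("add: uidNumber\nuidNumber: %d\n-\n", next_id); next_id++ }
            if (gid == "") changes = changes sprintf("add: gidNumber\ngidNumber: %d\n-\n", user_gid)
        }
        if (changes != "") printf "dn: %s\nchangetype: modify\n%s\n", dn, changes
        dn = ""; uid = ""; gid = ""
    }
    /^# /          { next }                                  # ldbsearch comment lines
    /^dn: /        { flush(); dn = substr($0, 5); cur = "dn"; next }
    /^ /           { if (cur == "dn") dn = dn substr($0, 2); next }  # folded long dn
    /^uidNumber: / { uid = $2 }
    /^gidNumber: / { gid = $2 }
    /^[^ ]/        { cur = "" }
    /^$/           { flush() }                               # end of one record
    END            { flush() }
    '
}

# Assumed real run on a DC (not executed here). Groups first so a gidNumber
# exists before users are given it; the ranges must be free on every server.
allocate_ids_on_dc() {
    sam=${sam:?set sam to the path of the DC sam.ldb}          # placeholder
    ldbsearch -H "$sam" '(objectClass=group)' gidNumber \
        | ldif_from_search group 10000 > groups.ldif
    ldbmodify -H "$sam" groups.ldif
    domain_users_gid=$(ldbsearch -H "$sam" '(sAMAccountName=Domain Users)' gidNumber \
        | awk '/^gidNumber: /{print $2}')
    ldbsearch -H "$sam" '(&(objectClass=user)(objectCategory=person))' uidNumber gidNumber \
        | ldif_from_search user 20000 "$domain_users_gid" > users.ldif
    ldbmodify -H "$sam" users.ldif
}

# Constructed ldbsearch-style output: "Domain Users" is already mapped, "Staff" is not.
sample_groups() {
    cat <<'EOF'
# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=com
gidNumber: 10000

# record 2
dn: CN=Staff,CN=Users,DC=example,DC=com

# returned 2 records
EOF
}

# Constructed: Alice has a uidNumber but no gidNumber, Bob has neither.
sample_users() {
    cat <<'EOF'
# record 1
dn: CN=Alice Example,CN=Users,DC=example,DC=com
uidNumber: 20000

# record 2
dn: CN=Bob Example,CN=Users,DC=example,DC=com

# returned 2 records
EOF
}

# Demo on the constructed samples (a real run pipes ldbsearch output instead).
sample_groups | ldif_from_search group 10001
sample_users  | ldif_from_search user 20001 10000
```

Two checks matter before running the generated LDIF against a real domain: the bases must be outside every server's local /etc/passwd and /etc/group range, and, on members using `idmap config DOMAIN : backend = ad`, inside the `range` configured for that domain in smb.conf, because winbind ignores uidNumber/gidNumber values that fall outside it. After `ldbmodify`, run `net cache flush` on every server as the thread suggests so that the cached guesses are replaced by the values now stored in AD.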
