[Samba] Samba4 Domain Member Server "Getent shows different UID"

Juan Ignacio juan.ignacio.pazos at gmail.com
Tue Jun 14 16:32:53 UTC 2016


Rowland, a question.


"is to copy idmap.ldap from the first DC to all others and then keep them
in sync, the other is to use RFC2307 attributes."

Can I do the same with my member server? Maybe it works, or maybe not, because it is a
member server.

Maybe I can change my member server to a Domain Controller and then use
idmap sync.

Is that OK?

Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

2016-06-14 12:40 GMT-03:00 Rowland penny <rpenny at samba.org>:

> On 14/06/16 16:16, Juan Ignacio wrote:
>
>> Sorry, this is the Domain Member smb.conf.
>> I'm using the latest Debian version.
>> Samba compiled from the sources.
>>
>> [global]
>>        netbios name = XXXXX
>>        security = ADS
>>        workgroup = XXXXXX
>>        realm = XXXXXXX
>>
>>        log file = /var/log/samba/%m.log
>>        log level = 1
>>
>>        # idmap config used for your domain.
>>        # Click on the following links for more information
>>        # on the available winbind idmap backends,
>>        # Choose the one that fits your requirements
>>        # then add the corresponding configuration.
>>
>>        # Just adding the following three lines is not enough!!
>>        #  - idmap config ad
>>        #  - idmap config rid
>>        #  - idmap_config_autorid
>>
>>         idmap config * : backend = tdb
>>         idmap config * : range = 100000-299999
>>         idmap config XXXXXX : schema_mode = rfc2307
>>         idmap config XXXXXX : backend = rid
>>         idmap config XXXXXX : range = 10000-99999
>>         winbind separator = +
>>         winbind enum users = yes
>>         winbind enum groups = yes
>>         winbind use default domain = yes
>>         winbind refresh tickets = yes
>>
>>
>> [test]
>>         read only = no
>>         path = /testSamba
>>
>>
>> Analista Inf.
>> Juan Ignacio Pazos <
>> http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
>>
>> 2016-06-14 12:07 GMT-03:00 Rowland penny <rpenny at samba.org>:
>>
>>
>>     On 14/06/16 15:36, Juan Ignacio wrote:
>>
>>         I go to answer all, here I go.
>>
>>         Have you given your users a uidNumber attribute ?
>>
>>         Not all, but I set it on my user and it does not work.
>>
>>         Have you given 'Domain Users' (at least) a gidNumber attribute ?
>>
>>         Not all, but I set it on my user and it does not work.
>>
>>         If you have done the above, have you run 'net cache flush' on
>>         the DC ?
>>
>>         Yes  :-(
>>
>>         Is PAM set up correctly on the DC and domain member ?
>>         Yes.
>>
>>         The smb.conf on the DC.
>>
>>         [global]
>>                netbios name = XXXXXX
>>                security = ADS
>>                workgroup = XXXXXXX
>>                realm = XXXXXXX
>>
>>                log file = /var/log/samba/%m.log
>>                log level = 1
>>
>>                # idmap config used for your domain.
>>                # Click on the following links for more information
>>                # on the available winbind idmap backends,
>>                # Choose the one that fits your requirements
>>                # then add the corresponding configuration.
>>
>>                # Just adding the following three lines is not enough!!
>>                #  - idmap config ad
>>                #  - idmap config rid
>>                #  - idmap_config_autorid
>>
>>                 idmap config * : backend = tdb
>>                 idmap config * : range = 100000-299999
>>                 idmap config TEST : backend = rid
>>                 idmap config TEST : range = 10000-99999
>>                 winbind separator = +
>>                 winbind enum users = yes
>>                 winbind enum groups = yes
>>                 winbind use default domain = yes
>>                 winbind refresh tickets = yes
>>
>>
>>         [test]
>>                 read only = no
>>                 path = /testSamba
>>
>>         The smb.conf in the AD DC.
>>
>>          Global parameters
>>         [global]
>>                 workgroup = XXXXX
>>                 realm = XXXXXXXX
>>                 netbios name = XXXXXXX
>>                 server role = active directory domain controller
>>                 dns forwarder = xxx.xx.xxx.xxx
>>                 allow dns updates = nonsecure and secure
>>                 #server services = rpc, nbt, wrepl, ldap, cldap, kdc,
>>         drepl, winbind, ntp_signd, kcc, dnsupdate, dns, smb
>>                 dcerpc endpoint servers = epmapper, wkssvc, rpcecho,
>>         samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo,
>>         browser, eventlog6, backupkey, dnsserver, winreg, srvsvc
>>                 server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>>         kdc, drepl,winbind, ntp_signd, kcc, dnsupdate, dns
>>                 idmap_ldb:use rfc2307 = yes
>>                 #winbind use default domain = yes
>>                 winbind enum users = yes
>>                 winbind enum groups = yes
>>                 #winbind nested groups = yes
>>                 log level = 3
>>                 log file = /var/log/samba/samba.log
>>         #       unix charset = ISO8859-1
>>
>>         #[netlogon antes]
>>         #path = /usr/local/samba/var/locks/sysvol/xxxxxx/scripts
>>         #read only = No
>>
>>
>>
>>
>>         Analista Inf.
>>         Juan Ignacio Pazos
>>         <
>> http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
>>
>>         2016-06-13 16:22 GMT-03:00 Rowland penny <rpenny at samba.org>:
>>
>>
>>             On 13/06/16 20:14, Rowland penny wrote:
>>
>>                 On 13/06/16 19:37, Juan Ignacio wrote:
>>
>>                     Rowland:
>>
>>                     I'll use this email from now on, the other does not
>>         work well.
>>
>>                     A few years ago, around 2.
>>
>>                     We did everything that could be used for NIX and
>>         it worked.
>>                     The main DC_AD had been provisioned without
>>         rfc2307 and we
>>                     did it later.
>>
>>                     The problem is that at that time, by not having
>>                     infrastructure, it had to be used as a fileserver and
>>         this was a
>>                     problem because all directories have UIDs of 3000000
>>         onwards.
>>
>>                     Now I installed a new server following the
>>         procedure here:
>>
>>
>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>
>>                     All seems to work well but UIDs are different when for
>>                     example I run
>>                     wbinfo --user-info=uanaco
>>
>>                     Primary AD-DC
>>                     ADDC1\uanaco:*:3000783:100:uanaco:/home/ADDC1/uanaco:/bin/false
>>
>>                     member Server
>>                     uanaco:*:100642:100008:uanaco:/home/ADDC1/uanaco:/bin/false
>>
>>                     This is a problem because my intention is to use
>>         this file
>>                     server and pass all directories from the Primary
>>         AD-DC to the
>>                     Member Server.
>>
>>                     Is there any way the member server can read the same
>>         UID as
>>                     the primary?
>>
>>                     Thanks, Rowland.
>>
>>
>>                 Yes, but what does 'getent passwd ADDC1\uanaco' on the
>>         DC show ???
>>                 If it shows '3000783' as the user's UID, then, unless
>>         you have
>>                 set the user's uidNumber attribute to 3000783, you are not
>>                 using RFC2307 attributes. This is further backed up by the
>>                 fact that the same user may get '100642' as its UID on the
>>                 domain member.
>>
>>                 Few questions:
>>                 Have you given your users a uidNumber attribute ?
>>                 Have you given 'Domain Users' (at least) a gidNumber
>>         attribute ?
>>                 If you have done the above, have you run 'net cache
>>         flush' on
>>                 the DC ?
>>                 Is PAM set up correctly on the DC and domain member ?
>>
>>                 Rowland
>>
>>
>>             Also can you post (as I asked) the smb.conf from the
>>         domain member.
>>
>>
>>             Rowland
>>
>>
>>             --     To unsubscribe from this list go to the following
>>         URL and read the
>>             instructions: https://lists.samba.org/mailman/options/samba
>>
>>
>>
>>     For the third time, will you please post the smb.conf from your
>>     domain member, not the one from your DC.
>>
>>     What OS are you using ?
>>
>>
>>     Rowland
>>
>>
>>
>>
> OK, you are using the winbind 'rid' backend on the domain member, this
> means your users will get a UID based on their 'RID' using this algorithm:
>
>  ID = RID - BASE_RID + LOW_RANGE_ID
>
> The BASE_RID is usually '0' unless you explicitly set it in smb.conf;
> you have set the LOW_RANGE_ID to '10000'.
>
> So the algorithm becomes this:
>
> ID = RID - 0 + 10000
>
> If your user's RID is 1002, the user's UID will be calculated from this:
>
>
> ID = 1002 - 0 + 10000
> ID = 11002
>
> The problem is that a Samba 4 AD DC uses something similar, but a
> different method is used to allocate the UID: this is done by starting the
> range from 3000000 and they seem to be allocated on a first come basis
> (this is the reason why sysvol can have different numbers on each DC).
>
> So, if you use 'rid' on domain members and idmap.ldb on DCs, you cannot
> get the same UIDs & GIDs everywhere; the only way is to use RFC2307
> attributes and set the domain members & DCs to use them.
>
>
> Rowland
>
>
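As an added worked example (my code, not anything posted in this thread), the rid formula Rowland gives, applied to the idmap ranges from the member server's posted smb.conf: it reproduces RID 1002 -> 11002, shows that the DC's 3000783 lies outside both member ranges, and that the member's 100642 falls in the '*' (tdb) range rather than the 10000-99999 rid range. The domain label XXXXXX is the anonymised value from the post; the parser, regex and function names are my own.

```python
import re

# Constructed excerpt: the 'idmap config' lines from the domain member's
# smb.conf as posted in the thread (domain name anonymised as XXXXXX).
SMB_CONF = """
idmap config * : backend = tdb
idmap config * : range = 100000-299999
idmap config XXXXXX : schema_mode = rfc2307
idmap config XXXXXX : backend = rid
idmap config XXXXXX : range = 10000-99999
"""

# Matches 'idmap config <domain> : <option> = <value>' (hypothetical parser, not Samba's).
_IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap(conf):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in conf.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.groups()
            cfg.setdefault(dom, {})[opt] = val
    return cfg


def id_range(cfg, dom):
    """Parse 'low-high' from the domain's range option into two ints."""
    lo, hi = cfg[dom]["range"].split("-")
    return int(lo), int(hi)


def rid_to_id(rid, low, high, base_rid=0):
    """winbind 'rid' backend: ID = RID - BASE_RID + LOW_RANGE_ID; None if outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None


def range_owner(cfg, unix_id):
    """Name the idmap domain whose configured range contains unix_id, or None."""
    for dom in cfg:
        lo, hi = id_range(cfg, dom)
        if lo <= unix_id <= hi:
            return dom
    return None


if __name__ == "__main__":
    cfg = parse_idmap(SMB_CONF)
    lo, hi = id_range(cfg, "XXXXXX")
    print("RID 1002 ->", rid_to_id(1002, lo, hi))      # Rowland's worked example
    for uid in (3000783, 100642):                       # the two UIDs reported in the thread
        print(uid, "falls in the range of", range_owner(cfg, uid))
```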

