[Samba] since I added a second DC I have some trouble

Rowland penny rpenny at samba.org
Tue Jun 14 17:16:59 UTC 2016


On 14/06/16 17:38, J. Echter wrote:
> Hi,
>
> I provisioned a domain and all went well, until I added the second DC....
>
> for example:
>
> the new DC2 tells me:
>
> getfacl /usr/local/samba/var/locks/sysvol
>
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:BUILTIN\134users:r-x
> user:ELEMAY\134guest:rwx
> user:ELEMAY\134domain\040guests:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134users:r-x
> group:ELEMAY\134guest:rwx
> group:ELEMAY\134domain\040guests:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:BUILTIN\134users:r-x
> default:user:ELEMAY\134guest:rwx
> default:user:ELEMAY\134domain\040guests:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134users:r-x
> default:group:ELEMAY\134guest:rwx
> default:group:ELEMAY\134domain\040guests:r-x
> default:mask::rwx
> default:other::---
>
>
> the old DC1 tells me:
>
> # file: usr/local/samba/var/locks/sysvol
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:BUILTIN\134server\040operators:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:BUILTIN\134server\040operators:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:BUILTIN\134server\040operators:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> smb.conf is identical:
>
> DC2:
>
> testparm
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>          realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>          workgroup = ELEMAY
>          dns forwarder = 192.168.0.1
>          passdb backend = samba_dsdb
>          server role = active directory domain controller
>          winbind enum groups = Yes
>          winbind enum users = Yes
>          winbind nss info = rfc2307
>          rpc_server:tcpip = no
>          rpc_daemon:spoolssd = embedded
>          rpc_server:spoolss = embedded
>          rpc_server:winreg = embedded
>          rpc_server:ntsvcs = embedded
>          rpc_server:eventlog = embedded
>          rpc_server:srvsvc = embedded
>          rpc_server:svcctl = embedded
>          rpc_server:default = external
>          winbindd:use external pipes = true
>          idmap config elemay:range = 10000-99999
>          idmap config elemay:schema_mode = rfc2307
>          idmap config elemay:backend = ad
>          idmap config *:range = 2000-9999
>          idmap_ldb:use rfc2307 = yes
>          idmap config * : backend = tdb
>          map archive = No
>          map readonly = no
>          store dos attributes = Yes
>          vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
>          path =
> /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>          read only = No
>
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
>
> DC1:
>
> testparm
> Load smb config files from /usr/local/samba/etc/smb.conf
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[Profiles]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>          realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>          workgroup = ELEMAY
>          dns forwarder = 192.168.0.1
>          passdb backend = samba_dsdb
>          server role = active directory domain controller
>          winbind enum groups = Yes
>          winbind enum users = Yes
>          winbind nss info = rfc2307
>          rpc_server:tcpip = no
>          rpc_daemon:spoolssd = embedded
>          rpc_server:spoolss = embedded
>          rpc_server:winreg = embedded
>          rpc_server:ntsvcs = embedded
>          rpc_server:eventlog = embedded
>          rpc_server:srvsvc = embedded
>          rpc_server:svcctl = embedded
>          rpc_server:default = external
>          winbindd:use external pipes = true
>          idmap config elemay:range = 10000-99999
>          idmap config elemay:schema_mode = rfc2307
>          idmap config elemay:backend = ad
>          idmap config *:range = 2000-9999
>          idmap_ldb:use rfc2307 = yes
>          idmap config * : backend = tdb
>          map archive = No
>          map readonly = no
>          store dos attributes = Yes
>          vfs objects = dfs_samba4 acl_xattr
>
>
> [netlogon]
>          path =
> /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>          read only = No
>
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
>
> [Profiles]
>          path = /srv/samba/Profiles/
>          csc policy = disable
>          profile acls = Yes
>          create mask = 0600
>          directory mask = 0700
>          read only = No
>
> getent passwd:
>
> works on both and shows me domain users, for example:
>
> dc2:
>
> ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
>
>
> dc1:
>
> ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
>
> But, as you see, they have different numbers.
>
>
>
> What went wrong here?
>
>
> Thanks
>
> Juergen
>

Nothing, you just seem to be running into the same problem that a couple 
of others have: idmap.ldb can be, and usually is, different between DCs.

That makes three users this week, and it is only Tuesday :-D

You can copy idmap.ldb from the first DC to any others, you would then 
need to run 'samba-tool ntacl sysvolreset' on the other DCs and then 
keep the idmap.ldb files in sync.

Rowland
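
The procedure from the reply above (copy idmap.ldb from the first DC to the others, run 'samba-tool ntacl sysvolreset' there, keep the files in sync), as an added example script that is not from the thread or from the Samba project. It assumes a /usr/local/samba prefix, as the quoted paths suggest, so idmap.ldb is at /usr/local/samba/private/idmap.ldb; root ssh access from the other DC to the first one; and the stop/start commands shown, which are placeholders (a source build has no unit file, so set SAMBA_STOP/SAMBA_START to whatever this host uses). The backup of the old file, the 'net cache flush' and the compare_xids check are additions that the reply does not mention; compare_xids reads 'getent passwd' output captured on two DCs and lists the accounts they map to different numeric IDs, which is exactly the guest mismatch quoted above.

```bash
#!/bin/bash
# Added example, not code from the thread or from the Samba project.
# Implements the reply's procedure: copy idmap.ldb from the first DC, run
# 'samba-tool ntacl sysvolreset', and check that the DCs now agree on IDs.
#
# Assumptions not stated in the thread: Samba lives under /usr/local/samba (as the
# quoted paths suggest), so idmap.ldb is /usr/local/samba/private/idmap.ldb; root
# can ssh to the first DC; and the stop/start commands below match this host.
set -eu

SAMBA_PREFIX="${SAMBA_PREFIX:-/usr/local/samba}"
IDMAP_DB="$SAMBA_PREFIX/private/idmap.ldb"
SAMBA_TOOL="$SAMBA_PREFIX/bin/samba-tool"
NET_TOOL="$SAMBA_PREFIX/bin/net"
# Hypothetical defaults: a source build has no unit file, so override as needed.
SAMBA_STOP="${SAMBA_STOP:-systemctl stop samba-ad-dc}"
SAMBA_START="${SAMBA_START:-systemctl start samba-ad-dc}"

# compare_xids FILE_A FILE_B
# FILE_A and FILE_B hold 'getent passwd' (or 'getent group') output captured on
# two DCs. Prints "name id_on_A id_on_B" for every account both DCs know but
# map to different numeric IDs; returns 1 if any differ, 0 if they all agree.
compare_xids() {
    local diffs
    diffs=$(awk -F: '
        FILENAME == ARGV[1] { id[$1] = $3; next }        # first dump: name -> id
        ($1 in id) && id[$1] != $3 { print $1, id[$1], $3 }
    ' "$1" "$2")
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# demo_check
# Runs compare_xids on two constructed dumps. The guest lines are the ones
# quoted in the thread (3000011 on DC1, 3000002 on DC2); alice is made up as an
# account with an rfc2307 uidNumber, which is read from AD and so agrees on both.
demo_check() {
    local dc1 dc2 rc=0
    dc1=$(mktemp) && dc2=$(mktemp)
    cat >"$dc1" <<'EOF'
ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
ELEMAY\alice:*:10001:10000::/home/ELEMAY/alice:/bin/false
EOF
    cat >"$dc2" <<'EOF'
ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
ELEMAY\alice:*:10001:10000::/home/ELEMAY/alice:/bin/false
EOF
    compare_xids "$dc1" "$dc2" || rc=$?
    rm -f "$dc1" "$dc2"
    return "$rc"
}

# sync_idmap FIRST_DC
# Run on every DC except the first. Replaces the local idmap.ldb with the first
# DC's copy and rewrites the sysvol ACLs so they use the same xids everywhere.
# The backup and 'net cache flush' are additions; the reply does not mention them.
sync_idmap() {
    local first_dc="$1"
    $SAMBA_STOP                                   # the db must not be open while replaced
    cp -p "$IDMAP_DB" "$IDMAP_DB.$(date +%Y%m%d%H%M%S).bak"   # keep old allocations for rollback
    scp -p "root@$first_dc:$IDMAP_DB" "$IDMAP_DB"
    "$NET_TOOL" cache flush                       # drop cached SID<->xid lookups
    $SAMBA_START
    "$SAMBA_TOOL" ntacl sysvolreset               # store sysvol ACLs with the new xids
}

# Only run the sync when executed directly under this (hypothetical) file name,
# so the file can also be sourced just for compare_xids.
case "${0##*/}" in
    sync_idmap.sh) sync_idmap "${1:?usage: sync_idmap.sh FIRST_DC}" ;;
esac
```

Capture 'getent passwd' on each DC before and after the sync and feed the two files to compare_xids: a non-empty result is the mismatch Juergen saw, an empty one means both DCs now hand out the same xids, which is the state the reply says has to be kept from then on.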
