[Samba] since I added a second DC I have some trouble
lingpanda101 at gmail.com
Tue Jun 14 18:47:21 UTC 2016
On 6/14/2016 1:16 PM, Rowland penny wrote:
> On 14/06/16 17:38, J. Echter wrote:
>> Hi,
>>
>> I provisioned a domain and all went well, until I added the second DC...
>>
>> For example:
>>
>> The new DC2 tells me:
>>
>> getfacl /usr/local/samba/var/locks/sysvol
>>
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:BUILTIN\134users:r-x
>> user:ELEMAY\134guest:rwx
>> user:ELEMAY\134domain\040guests:r-x
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:BUILTIN\134users:r-x
>> group:ELEMAY\134guest:rwx
>> group:ELEMAY\134domain\040guests:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:BUILTIN\134users:r-x
>> default:user:ELEMAY\134guest:rwx
>> default:user:ELEMAY\134domain\040guests:r-x
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:BUILTIN\134users:r-x
>> default:group:ELEMAY\134guest:rwx
>> default:group:ELEMAY\134domain\040guests:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> The old DC1 tells me:
>>
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:BUILTIN\134server\040operators:r-x
>> user:3000002:rwx
>> user:3000003:r-x
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:BUILTIN\134server\040operators:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:BUILTIN\134server\040operators:r-x
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:BUILTIN\134server\040operators:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> smb.conf is identical:
>>
>> DC2:
>>
>> testparm
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>> realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>> workgroup = ELEMAY
>> dns forwarder = 192.168.0.1
>> passdb backend = samba_dsdb
>> server role = active directory domain controller
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind nss info = rfc2307
>> rpc_server:tcpip = no
>> rpc_daemon:spoolssd = embedded
>> rpc_server:spoolss = embedded
>> rpc_server:winreg = embedded
>> rpc_server:ntsvcs = embedded
>> rpc_server:eventlog = embedded
>> rpc_server:srvsvc = embedded
>> rpc_server:svcctl = embedded
>> rpc_server:default = external
>> winbindd:use external pipes = true
>> idmap config elemay:range = 10000-99999
>> idmap config elemay:schema_mode = rfc2307
>> idmap config elemay:backend = ad
>> idmap config *:range = 2000-9999
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>
>> read only = No
>>
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>>
>> DC1:
>>
>> testparm
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[Profiles]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>> realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>> workgroup = ELEMAY
>> dns forwarder = 192.168.0.1
>> passdb backend = samba_dsdb
>> server role = active directory domain controller
>> winbind enum groups = Yes
>> winbind enum users = Yes
>> winbind nss info = rfc2307
>> rpc_server:tcpip = no
>> rpc_daemon:spoolssd = embedded
>> rpc_server:spoolss = embedded
>> rpc_server:winreg = embedded
>> rpc_server:ntsvcs = embedded
>> rpc_server:eventlog = embedded
>> rpc_server:srvsvc = embedded
>> rpc_server:svcctl = embedded
>> rpc_server:default = external
>> winbindd:use external pipes = true
>> idmap config elemay:range = 10000-99999
>> idmap config elemay:schema_mode = rfc2307
>> idmap config elemay:backend = ad
>> idmap config *:range = 2000-9999
>> idmap_ldb:use rfc2307 = yes
>> idmap config * : backend = tdb
>> map archive = No
>> map readonly = no
>> store dos attributes = Yes
>> vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>> path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>
>> read only = No
>>
>>
>> [sysvol]
>> path = /usr/local/samba/var/locks/sysvol
>> read only = No
>>
>>
>> [Profiles]
>> path = /srv/samba/Profiles/
>> csc policy = disable
>> profile acls = Yes
>> create mask = 0600
>> directory mask = 0700
>> read only = No
>>
>> getent passwd works on both and shows me domain users, for example:
>>
>> DC2:
>>
>> ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
>>
>>
>> DC1:
>>
>> ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
>>
>> But, as you see, it has different numbers.
>>
>>
>>
>> What went wrong here?
>>
>>
>> Thanks,
>>
>> Juergen
>>
>
> Nothing; you just seem to be running into the same problem that a
> couple of others have: idmap.ldb can be, and usually is, different
> between DCs.
>
> That makes three users this week, and it is only Tuesday :-D
>
> You can copy idmap.ldb from the first DC to any others; you would then
> need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
> keep the idmap.ldb files in sync.
>
> Rowland
>
>
Rowland,
That shouldn't be necessary if he is using 4.2 or later, correct?
Isn't the use of winbindd supposed to solve this issue?
--
-James
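Rowland's procedure above (copy idmap.ldb from the first DC, run `samba-tool ntacl sysvolreset` on the others), scripted, together with two checks for the symptom Juergen posted: sysvol ACL entries that come back from getfacl as bare numbers because the xidNumber no longer resolves, and accounts whose uid differs between the two DCs' `getent passwd` output. This is an added example, not code from the thread or from the Samba project. The paths follow the poster's /usr/local/samba prefix; the `samba-ad-dc` systemd unit, root SSH access to the first DC and the hostname argument are assumptions, and the getfacl/getent lines used in the demonstration are constructed from the listings in the thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Checks for inconsistent xid mappings
# between Samba AD DCs and scripts Rowland's idmap.ldb copy + sysvolreset fix.
set -eu

# Print "user:<id>" / "group:<id>" entries in getfacl output whose qualifier is
# a bare number, i.e. an xidNumber that NSS/winbind could not map back to a
# name (the thread's DC1 listing shows user:3000002 and group:3000003 like this).
# Reads getfacl output on stdin; "default:" entries are checked as well.
unresolved_acl_ids() {
    sed -e 's/^default://' \
        | awk -F: '($1 == "user" || $1 == "group") && $2 ~ /^[0-9]+$/ { print $1 ":" $2 }' \
        | sort -u
}

# Compare two files of "getent passwd" output (one per DC) and print every
# account present in both whose uid differs, as "<account>: <id1> vs <id2>".
idmap_mismatch() {
    awk -F: 'NR == FNR { id[$1] = $3; next }
             ($1 in id) && id[$1] != $3 { print $1 ": " id[$1] " vs " $3 }' "$1" "$2"
}

# Rowland's fix, scripted. Run as root on the DC that should adopt the first
# DC's mappings (DC2 in the thread). Assumptions: samba is managed by the
# samba-ad-dc unit, root can scp from the first DC, and the install prefix is
# /usr/local/samba as in the poster's testparm output.
sync_idmap_from_dc1() {
    dc1="$1"
    private=/usr/local/samba/private
    sysvol=/usr/local/samba/var/locks/sysvol

    systemctl stop samba-ad-dc                      # never swap a tdb/ldb file under a running samba
    cp -p "$private/idmap.ldb" "$private/idmap.ldb.$(date +%Y%m%d-%H%M%S).bak"
    scp -p "root@$dc1:$private/idmap.ldb" "$private/idmap.ldb"
    systemctl start samba-ad-dc
    net cache flush                                 # drop cached sid<->xid lookups
    samba-tool ntacl sysvolreset                    # rewrite sysvol ACLs with the copied mappings
    samba-tool ntacl sysvolcheck
    # Anything still numeric here is an xid the copied idmap.ldb does not hold.
    getfacl -R "$sysvol" | unresolved_acl_ids
}

# Demonstration on output constructed from the thread (runs offline, no samba needed).
echo "unresolved xids in constructed DC1 getfacl output:"
unresolved_acl_ids <<'EOF'
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:3000003:r-x
group:BUILTIN\134administrators:rwx
group:3000002:rwx
group:3000003:r-x
default:user:3000002:rwx
mask::rwx
EOF

dc1_passwd=$(mktemp) && dc2_passwd=$(mktemp)
printf 'ELEMAY\\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false\n' > "$dc1_passwd"
printf 'ELEMAY\\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false\n' > "$dc2_passwd"
echo "accounts with different uids on the two DCs:"
idmap_mismatch "$dc1_passwd" "$dc2_passwd"
rm -f "$dc1_passwd" "$dc2_passwd"

# Real run: ./idmap-sync.sh --sync dc1.example.internal   (hypothetical hostname)
if [ "${1:-}" = "--sync" ]; then
    sync_idmap_from_dc1 "${2:?first DC hostname required}"
fi
```

Run the two checks on both DCs before touching anything; the mismatch list tells you which mappings will change when idmap.ldb is replaced. `samba-tool ntacl sysvolreset` only rewrites ACLs under sysvol, so any other share on the receiving DC whose ACLs were set with the old mappings keeps stale xids and has to be re-permissioned separately, and after the copy the idmap.ldb files still have to be kept in sync as Rowland says, since each DC allocates new xids independently.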