[Samba] since i added second DC i have some trouble
J. Echter
j.echter at echter-kuechen-elektro.de
Tue Jun 14 19:47:07 UTC 2016
On 14.06.2016 at 21:22, lingpanda101 at gmail.com wrote:
> On 6/14/2016 2:50 PM, J. Echter wrote:
>> On 14.06.2016 at 20:47, lingpanda101 at gmail.com wrote:
>>> On 6/14/2016 1:16 PM, Rowland penny wrote:
>>>> On 14/06/16 17:38, J. Echter wrote:
>>>>> Hi,
>>>>>
>>>>> I provisioned a domain and all went well, until I added the second
>>>>> DC....
>>>>>
>>>>> for example:
>>>>>
>>>>> the new DC2 tells me:
>>>>>
>>>>> getfacl /usr/local/samba/var/locks/sysvol
>>>>>
>>>>> # file: usr/local/samba/var/locks/sysvol
>>>>> # owner: root
>>>>> # group: BUILTIN\134administrators
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> user:BUILTIN\134administrators:rwx
>>>>> user:BUILTIN\134users:r-x
>>>>> user:ELEMAY\134guest:rwx
>>>>> user:ELEMAY\134domain\040guests:r-x
>>>>> group::rwx
>>>>> group:BUILTIN\134administrators:rwx
>>>>> group:BUILTIN\134users:r-x
>>>>> group:ELEMAY\134guest:rwx
>>>>> group:ELEMAY\134domain\040guests:r-x
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:user:BUILTIN\134administrators:rwx
>>>>> default:user:BUILTIN\134users:r-x
>>>>> default:user:ELEMAY\134guest:rwx
>>>>> default:user:ELEMAY\134domain\040guests:r-x
>>>>> default:group::---
>>>>> default:group:BUILTIN\134administrators:rwx
>>>>> default:group:BUILTIN\134users:r-x
>>>>> default:group:ELEMAY\134guest:rwx
>>>>> default:group:ELEMAY\134domain\040guests:r-x
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>>
>>>>> the old DC1 tells me:
>>>>>
>>>>> # file: usr/local/samba/var/locks/sysvol
>>>>> # owner: root
>>>>> # group: BUILTIN\134administrators
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> user:BUILTIN\134administrators:rwx
>>>>> user:BUILTIN\134server\040operators:r-x
>>>>> user:3000002:rwx
>>>>> user:3000003:r-x
>>>>> group::rwx
>>>>> group:BUILTIN\134administrators:rwx
>>>>> group:BUILTIN\134server\040operators:r-x
>>>>> group:3000002:rwx
>>>>> group:3000003:r-x
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:user:BUILTIN\134administrators:rwx
>>>>> default:user:BUILTIN\134server\040operators:r-x
>>>>> default:user:3000002:rwx
>>>>> default:user:3000003:r-x
>>>>> default:group::---
>>>>> default:group:BUILTIN\134administrators:rwx
>>>>> default:group:BUILTIN\134server\040operators:r-x
>>>>> default:group:3000002:rwx
>>>>> default:group:3000003:r-x
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> smb.conf is identical:
>>>>>
>>>>> DC2:
>>>>>
>>>>> testparm
>>>>> Load smb config files from /usr/local/samba/etc/smb.conf
>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>>> Processing section "[netlogon]"
>>>>> Processing section "[sysvol]"
>>>>> Loaded services file OK.
>>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>>>
>>>>> Press enter to see a dump of your service definitions
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>>>> workgroup = ELEMAY
>>>>> dns forwarder = 192.168.0.1
>>>>> passdb backend = samba_dsdb
>>>>> server role = active directory domain controller
>>>>> winbind enum groups = Yes
>>>>> winbind enum users = Yes
>>>>> winbind nss info = rfc2307
>>>>> rpc_server:tcpip = no
>>>>> rpc_daemon:spoolssd = embedded
>>>>> rpc_server:spoolss = embedded
>>>>> rpc_server:winreg = embedded
>>>>> rpc_server:ntsvcs = embedded
>>>>> rpc_server:eventlog = embedded
>>>>> rpc_server:srvsvc = embedded
>>>>> rpc_server:svcctl = embedded
>>>>> rpc_server:default = external
>>>>> winbindd:use external pipes = true
>>>>> idmap config elemay:range = 10000-99999
>>>>> idmap config elemay:schema_mode = rfc2307
>>>>> idmap config elemay:backend = ad
>>>>> idmap config *:range = 2000-9999
>>>>> idmap_ldb:use rfc2307 = yes
>>>>> idmap config * : backend = tdb
>>>>> map archive = No
>>>>> map readonly = no
>>>>> store dos attributes = Yes
>>>>> vfs objects = dfs_samba4 acl_xattr
>>>>>
>>>>>
>>>>> [netlogon]
>>>>> path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>>>>
>>>>>
>>>>> read only = No
>>>>>
>>>>>
>>>>> [sysvol]
>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>> read only = No
>>>>>
>>>>>
>>>>> DC1:
>>>>>
>>>>> testparm
>>>>> Load smb config files from /usr/local/samba/etc/smb.conf
>>>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>>>>> Processing section "[netlogon]"
>>>>> Processing section "[sysvol]"
>>>>> Processing section "[Profiles]"
>>>>> Loaded services file OK.
>>>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>>>
>>>>> Press enter to see a dump of your service definitions
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>>>> workgroup = ELEMAY
>>>>> dns forwarder = 192.168.0.1
>>>>> passdb backend = samba_dsdb
>>>>> server role = active directory domain controller
>>>>> winbind enum groups = Yes
>>>>> winbind enum users = Yes
>>>>> winbind nss info = rfc2307
>>>>> rpc_server:tcpip = no
>>>>> rpc_daemon:spoolssd = embedded
>>>>> rpc_server:spoolss = embedded
>>>>> rpc_server:winreg = embedded
>>>>> rpc_server:ntsvcs = embedded
>>>>> rpc_server:eventlog = embedded
>>>>> rpc_server:srvsvc = embedded
>>>>> rpc_server:svcctl = embedded
>>>>> rpc_server:default = external
>>>>> winbindd:use external pipes = true
>>>>> idmap config elemay:range = 10000-99999
>>>>> idmap config elemay:schema_mode = rfc2307
>>>>> idmap config elemay:backend = ad
>>>>> idmap config *:range = 2000-9999
>>>>> idmap_ldb:use rfc2307 = yes
>>>>> idmap config * : backend = tdb
>>>>> map archive = No
>>>>> map readonly = no
>>>>> store dos attributes = Yes
>>>>> vfs objects = dfs_samba4 acl_xattr
>>>>>
>>>>>
>>>>> [netlogon]
>>>>> path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>>>>>
>>>>>
>>>>> read only = No
>>>>>
>>>>>
>>>>> [sysvol]
>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>> read only = No
>>>>>
>>>>>
>>>>> [Profiles]
>>>>> path = /srv/samba/Profiles/
>>>>> csc policy = disable
>>>>> profile acls = Yes
>>>>> create mask = 0600
>>>>> directory mask = 0700
>>>>> read only = No
>>>>>
>>>>> getent passwd:
>>>>>
>>>>> works on both and shows me domain users, for example:
>>>>>
>>>>> dc2:
>>>>>
>>>>> ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
>>>>>
>>>>>
>>>>> dc1:
>>>>>
>>>>> ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
>>>>>
>>>>> But, as you see, it has different numbers.
>>>>>
>>>>>
>>>>>
>>>>> What went wrong here?
>>>>>
>>>>>
>>>>> thanks
>>>>>
>>>>> juergen
>>>>>
>>>> Nothing, you just seem to be running into the same problem that a
>>>> couple of others have, idmap.ldb can and usually is different between
>>>> DCs.
>>>>
>>>> that makes three users this week and it is only Tuesday :-D
>>>>
>>>> You can copy idmap.ldb from the first DC to any others, you would then
>>>> need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
>>>> keep the idmap.ldb files in sync.
>>>>
>>>> Rowland
>>>>
>>>>
>>> Rowland,
>>>
>>> That shouldn't be necessary if he is using 4.2 or later correct?
>>> Isn't the use of winbindd supposed to solve this issue?
>>>
>>>
>> I'm using 4.4.4 on both DCs ;)
>>
>
> Echter,
>
> Have you tried syncing the idmap.ldb file yet? I wonder if your
> issue is related to using
>
> idmap config elemay:backend = ad
>
> Doesn't this use winbind and not winbindd? In this case you would need
> to sync idmap.ldb?
>
No, I didn't yet. Also, this
https://wiki.samba.org/index.php/Idmap_config_ad#Using_idmap_ad_on_a_Samba_DC
tells me that winbindd is used in my case.
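As an added example (not part of this thread or of Samba), a small Python check that parses the getfacl output from each DC, flags bare numeric qualifiers (xids the local idmap.ldb could not resolve to a name, as on DC1 above) and diffs the two ACLs entry by entry, which is the symptom Rowland attributes to idmap.ldb drifting between DCs. The two listings are constructed here from the thread's output and trimmed to a few entries.

```python
import re
from typing import Dict, List, Tuple

Key = Tuple[bool, str, str]  # (is_default_entry, tag, qualifier)

# Sample getfacl output, constructed from the two sysvol listings in the thread and
# trimmed to a few entries; DC1 shows bare xids where DC2 shows resolved names.
DC2_ACL = r"""# file: usr/local/samba/var/locks/sysvol
user::rwx
user:BUILTIN\134administrators:rwx
user:ELEMAY\134guest:rwx
user:ELEMAY\134domain\040guests:r-x
group:ELEMAY\134guest:rwx
mask::rwx
default:user:ELEMAY\134guest:rwx
"""
DC1_ACL = r"""# file: usr/local/samba/var/locks/sysvol
user::rwx
user:BUILTIN\134administrators:rwx
user:3000002:rwx
user:3000003:r-x
group:3000002:rwx
mask::rwx
default:user:3000002:rwx
"""

def _unescape(qualifier: str) -> str:
    """Decode getfacl's octal escapes (backslash + three octal digits)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), qualifier)

def parse_getfacl(text: str) -> Dict[Key, str]:
    """Map each ACL entry to its permission string; '#' comment lines are skipped."""
    acl: Dict[Key, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        is_default = parts[0] == "default"
        tag, qualifier, perms = parts[1:] if is_default else parts
        acl[(is_default, tag, _unescape(qualifier))] = perms
    return acl

def unresolved_xids(acl: Dict[Key, str]) -> List[str]:
    """Bare numeric qualifiers: xids this DC's idmap.ldb could not map to a name."""
    return sorted({q for (_, _, q) in acl if q.isdigit()})

def compare_acls(a: Dict[Key, str], b: Dict[Key, str]):
    """Entries only in a, only in b, and shared entries whose perms differ."""
    only_a = sorted(k for k in a if k not in b)
    only_b = sorted(k for k in b if k not in a)
    changed = sorted(k for k in a if k in b and a[k] != b[k])
    return only_a, only_b, changed
```

Feed it the real `getfacl` output of the sysvol path from each DC; a non-empty `unresolved_xids` result on one DC is the cue to sync idmap.ldb and run `samba-tool ntacl sysvolreset` there, as Rowland describes.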