[Samba] since i added second DC i have some trouble

Rowland penny rpenny at samba.org
Tue Jun 14 19:53:41 UTC 2016


On 14/06/16 19:47, lingpanda101 at gmail.com wrote:
> On 6/14/2016 1:16 PM, Rowland penny wrote:
>> On 14/06/16 17:38, J. Echter wrote:
>>> Hi,
>>>
>>> I provisioned a domain and all went well, until I added the second
>>> DC....
>>>
>>> for example:
>>>
>>> the new DC2 tells me:
>>>
>>> getfacl /usr/local/samba/var/locks/sysvol
>>>
>>> # file: usr/local/samba/var/locks/sysvol
>>> # owner: root
>>> # group: BUILTIN\134administrators
>>> user::rwx
>>> user:root:rwx
>>> user:BUILTIN\134administrators:rwx
>>> user:BUILTIN\134users:r-x
>>> user:ELEMAY\134guest:rwx
>>> user:ELEMAY\134domain\040guests:r-x
>>> group::rwx
>>> group:BUILTIN\134administrators:rwx
>>> group:BUILTIN\134users:r-x
>>> group:ELEMAY\134guest:rwx
>>> group:ELEMAY\134domain\040guests:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:BUILTIN\134administrators:rwx
>>> default:user:BUILTIN\134users:r-x
>>> default:user:ELEMAY\134guest:rwx
>>> default:user:ELEMAY\134domain\040guests:r-x
>>> default:group::---
>>> default:group:BUILTIN\134administrators:rwx
>>> default:group:BUILTIN\134users:r-x
>>> default:group:ELEMAY\134guest:rwx
>>> default:group:ELEMAY\134domain\040guests:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>>
>>> the old DC1 tells me:
>>>
>>> # file: usr/local/samba/var/locks/sysvol
>>> # owner: root
>>> # group: BUILTIN\134administrators
>>> user::rwx
>>> user:root:rwx
>>> user:BUILTIN\134administrators:rwx
>>> user:BUILTIN\134server\040operators:r-x
>>> user:3000002:rwx
>>> user:3000003:r-x
>>> group::rwx
>>> group:BUILTIN\134administrators:rwx
>>> group:BUILTIN\134server\040operators:r-x
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:user:BUILTIN\134administrators:rwx
>>> default:user:BUILTIN\134server\040operators:r-x
>>> default:user:3000002:rwx
>>> default:user:3000003:r-x
>>> default:group::---
>>> default:group:BUILTIN\134administrators:rwx
>>> default:group:BUILTIN\134server\040operators:r-x
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> smb.conf is identical:
>>>
>>> DC2:
>>>
>>> testparm
>>> Load smb config files from /usr/local/samba/etc/smb.conf
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit 
>>> (16384)
>>> Processing section "[netlogon]"
>>> Processing section "[sysvol]"
>>> Loaded services file OK.
>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>
>>> Press enter to see a dump of your service definitions
>>>
>>> # Global parameters
>>> [global]
>>>          realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>>          workgroup = ELEMAY
>>>          dns forwarder = 192.168.0.1
>>>          passdb backend = samba_dsdb
>>>          server role = active directory domain controller
>>>          winbind enum groups = Yes
>>>          winbind enum users = Yes
>>>          winbind nss info = rfc2307
>>>          rpc_server:tcpip = no
>>>          rpc_daemon:spoolssd = embedded
>>>          rpc_server:spoolss = embedded
>>>          rpc_server:winreg = embedded
>>>          rpc_server:ntsvcs = embedded
>>>          rpc_server:eventlog = embedded
>>>          rpc_server:srvsvc = embedded
>>>          rpc_server:svcctl = embedded
>>>          rpc_server:default = external
>>>          winbindd:use external pipes = true
>>>          idmap config elemay:range = 10000-99999
>>>          idmap config elemay:schema_mode = rfc2307
>>>          idmap config elemay:backend = ad
>>>          idmap config *:range = 2000-9999
>>>          idmap_ldb:use rfc2307 = yes
>>>          idmap config * : backend = tdb
>>>          map archive = No
>>>          map readonly = no
>>>          store dos attributes = Yes
>>>          vfs objects = dfs_samba4 acl_xattr
>>>
>>>
>>> [netlogon]
>>>          path =
>>> /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts 
>>>
>>>          read only = No
>>>
>>>
>>> [sysvol]
>>>          path = /usr/local/samba/var/locks/sysvol
>>>          read only = No
>>>
>>>
>>> DC1:
>>>
>>> testparm
>>> Load smb config files from /usr/local/samba/etc/smb.conf
>>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit 
>>> (16384)
>>> Processing section "[netlogon]"
>>> Processing section "[sysvol]"
>>> Processing section "[Profiles]"
>>> Loaded services file OK.
>>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>>
>>> Press enter to see a dump of your service definitions
>>>
>>> # Global parameters
>>> [global]
>>>          realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>>>          workgroup = ELEMAY
>>>          dns forwarder = 192.168.0.1
>>>          passdb backend = samba_dsdb
>>>          server role = active directory domain controller
>>>          winbind enum groups = Yes
>>>          winbind enum users = Yes
>>>          winbind nss info = rfc2307
>>>          rpc_server:tcpip = no
>>>          rpc_daemon:spoolssd = embedded
>>>          rpc_server:spoolss = embedded
>>>          rpc_server:winreg = embedded
>>>          rpc_server:ntsvcs = embedded
>>>          rpc_server:eventlog = embedded
>>>          rpc_server:srvsvc = embedded
>>>          rpc_server:svcctl = embedded
>>>          rpc_server:default = external
>>>          winbindd:use external pipes = true
>>>          idmap config elemay:range = 10000-99999
>>>          idmap config elemay:schema_mode = rfc2307
>>>          idmap config elemay:backend = ad
>>>          idmap config *:range = 2000-9999
>>>          idmap_ldb:use rfc2307 = yes
>>>          idmap config * : backend = tdb
>>>          map archive = No
>>>          map readonly = no
>>>          store dos attributes = Yes
>>>          vfs objects = dfs_samba4 acl_xattr
>>>
>>>
>>> [netlogon]
>>>          path =
>>> /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts 
>>>
>>>          read only = No
>>>
>>>
>>> [sysvol]
>>>          path = /usr/local/samba/var/locks/sysvol
>>>          read only = No
>>>
>>>
>>> [Profiles]
>>>          path = /srv/samba/Profiles/
>>>          csc policy = disable
>>>          profile acls = Yes
>>>          create mask = 0600
>>>          directory mask = 0700
>>>          read only = No
>>>
>>> getent passwd:
>>>
>>> works on both and shows me domain users, for example:
>>>
>>> dc2:
>>>
>>> ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
>>>
>>>
>>> dc1:
>>>
>>> ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
>>>
>>> but, as you see, it has different numbers.
>>>
>>>
>>>
>>> What went wrong here?
>>>
>>>
>>> thanks
>>>
>>> juergen
>>>
>>
>> Nothing, you just seem to be running into the same problem that a
>> couple of others have: idmap.ldb can be, and usually is, different between
>> DCs.
>>
>> That makes three users this week and it is only Tuesday :-D
>>
>> You can copy idmap.ldb from the first DC to any others; you would
>> then need to run 'samba-tool ntacl sysvolreset' on the other DCs and
>> then keep the idmap.ldb files in sync.
>>
>> Rowland
>>
>>
>
> Rowland,
>
>     That shouldn't be necessary if he is using 4.2 or later, correct?
> Isn't the use of winbindd supposed to solve this issue?
>
>

Yes, as long as you sync via names, not numbers, i.e. do not use
'--numeric-ids' with rsync, and reset sysvol after the sync.

Rowland
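As an added example (not code from this thread or from the Samba project), here is a small Python check that parses the getfacl and getent passwd output quoted above and flags the two symptoms of idmap.ldb drift Rowland describes: ACL entries that come back as bare numbers because the stored uid/gid has no name mapping on that DC, and accounts whose uid differs between DCs. The sample input is the poster's own output embedded inline (access entries only, trimmed); the function names are this example's own, and it is a read-only diagnostic, not a fix.

```python
import re

# Sample input: the getfacl output the original poster pasted for the
# sysvol directory on each DC (access entries only, defaults trimmed).
# getfacl escapes special characters as \NNN octal: "\134" is a backslash,
# "\040" a space. Raw strings keep those escapes literal for the parser.
DC1_ACL = r"""
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
"""
DC2_ACL = r"""
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134users:r-x
user:ELEMAY\134guest:rwx
user:ELEMAY\134domain\040guests:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134users:r-x
group:ELEMAY\134guest:rwx
group:ELEMAY\134domain\040guests:r-x
"""
# The two getent passwd lines from the thread, one per DC.
DC1_PASSWD = r"ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false"
DC2_PASSWD = r"ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false"


def unescape_getfacl(s):
    """Decode getfacl's \\NNN octal escapes back to real characters."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_getfacl(text):
    """Return (scope, tag, qualifier, perms) tuples; scope is 'access' or
    'default', qualifier is the decoded name/id ('' for owner, mask, other)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        entries.append((scope, parts[0], unescape_getfacl(parts[1]), parts[2]))
    return entries


def unresolved_ids(entries):
    """Qualifiers that are bare numbers: the uid/gid stored in the on-disk ACL
    has no name on this DC, i.e. its idmap.ldb/winbind mapping is missing."""
    return {q for _, tag, q, _ in entries if tag in ("user", "group") and q.isdigit()}


def named_qualifiers(entries):
    """(tag, name) pairs that did resolve to a name on this DC."""
    return {(tag, q) for _, tag, q, _ in entries
            if tag in ("user", "group") and q and not q.isdigit()}


def acl_name_diff(entries_a, entries_b):
    """Names present on one DC's sysvol ACL but absent from the other's."""
    a, b = named_qualifiers(entries_a), named_qualifiers(entries_b)
    return a - b, b - a


def uid_mismatches(passwd_a, passwd_b):
    """Accounts whose uid differs between two DCs' getent passwd output."""
    def uids(text):
        rows = (ln.split(":") for ln in text.splitlines())
        return {f[0]: int(f[2]) for f in rows if len(f) > 2}
    ua, ub = uids(passwd_a), uids(passwd_b)
    return {n: (ua[n], ub[n]) for n in ua.keys() & ub.keys() if ua[n] != ub[n]}


if __name__ == "__main__":
    dc1, dc2 = parse_getfacl(DC1_ACL), parse_getfacl(DC2_ACL)
    print("unresolved on DC1:", sorted(unresolved_ids(dc1)))
    print("unresolved on DC2:", sorted(unresolved_ids(dc2)))
    print("only on DC1 / only on DC2:", acl_name_diff(dc1, dc2))
    print("uid mismatches:", uid_mismatches(DC1_PASSWD, DC2_PASSWD))
```

Feed it each DC's real getfacl and getent output after copying idmap.ldb or after an rsync run without --numeric-ids and a 'samba-tool ntacl sysvolreset'; an empty unresolved set on every DC and an empty name diff is the state you want before trusting sysvol replication.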

