[Samba] problem map uuid users and group

Rowland Penny rpenny at samba.org
Thu Jun 14 15:28:09 UTC 2018


On Thu, 14 Jun 2018 18:02:29 +0500
Шигапов Денис Вильданович via samba <samba at lists.samba.org> wrote:

> Hi,
> How do I make the user ID on the domain controller and the file server
> the same?
> 
> SERVER DC:
> [global]
>          netbios name = SRV-DC02
>          realm = EXAMPLE.RU
>          workgroup = EXAMPLE
>          server role = active directory domain controller
>          log level = 2 auth_json_audit:3
>          username map = /etc/samba/username_map
>          vfs objects = acl_xattr
>          store dos attributes = Yes
> 
> [root@srv-dc02 ~]# id vas.lah@example.ru
> uid=3000416(EXAMPLE\vas.lah) gid=100(users) 
> группы=100(users),3000416(EXAMPLE\vas.lah),3000051(EXAMPLE\domain 
> admins),3000054(EXAMPLE\группа с запрещением репликации паролей 
> rodc),3000055(EXAMPLE\администраторы wsus),3000056(EXAMPLE\wsus 
> administrators),3000035(EXAMPLE\1c_links_ут),3000001(BUILTIN\users),3000000(BUILTIN\administrators),3000057(BUILTIN\performance 
> log users),3000043(BUILTIN\performance monitor users)
> 
> 
> 
> SHARE:
> [global]
>    netbios name = SRV-SHARE
>    workgroup = EXAMPLE
>    realm = EXAMPLE.RU
>    server string = %h rsync host
>    # server role = member server
>    security = ads
> 
> [root@srv-share samba]# id vas.lah@example.ru
> uid=3188138(EXAMPLE.RU\vas.lah) gid=3000513(domain users) 
> группы=3000513(domain users),3188138(EXAMPLE.RU\vas.lah),3109633(wsus 
> administrators),3034556(1c_links_ут),3111123(администраторы 
> wsus),3100572(группа с запрещением репликации паролей 
> rodc),3100512(domain admins),3153446(администратор 4 
> категории),3000001(BUILTIN\users),3000000(BUILTIN\administrators)

The first thing to do is remove these lines from the Samba AD DC:

         username map = /etc/samba/username_map
         vfs objects = acl_xattr
         store dos attributes = Yes

They have no place in a Samba AD DC smb.conf.

There is only one way to have the same IDs everywhere on Unix and that
is to use the winbind 'ad' backend. This entails giving your users &
groups uidNumber & gidNumber attributes, then running 'net cache flush' on
the DC; most IDs will change.

You then need to set up the smb.conf correctly on the Unix domain
member (yours is correct as far as it goes, it just doesn't go far
enough).

Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Anything you don't understand, or have questions about, please ask.

Rowland
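
Added example, not part of the original post or of Samba: a small Python check that parses `id` output captured on the DC and on the domain member and lists every user or group whose numeric ID differs between the two hosts. The sample strings are constructed, shortened from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample input modelled on the `id` output quoted in the post
# (shortened to a few groups; "группы" is the localized "groups" label).
DC_ID = (r"uid=3000416(EXAMPLE\vas.lah) gid=100(users) "
         r"группы=100(users),3000051(EXAMPLE\domain admins),"
         r"3000056(EXAMPLE\wsus administrators),3000001(BUILTIN\users)")
MEMBER_ID = (r"uid=3188138(EXAMPLE.RU\vas.lah) gid=3000513(domain users) "
             r"группы=3000513(domain users),3100512(domain admins),"
             r"3109633(wsus administrators),3000001(BUILTIN\users)")

# One "number(name)" pair as printed by id for the uid, gid and each group.
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(output):
    """Return {normalized name: numeric ID} for every number(name) pair."""
    mapping = {}
    for num, name in ENTRY.findall(output):
        domain, _, short = name.rpartition("\\")
        # Winbind may or may not print the domain prefix, so drop it for
        # comparison; keep BUILTIN\ names distinct from local ones (users).
        key = name.lower() if domain.upper() == "BUILTIN" else short.lower()
        mapping[key] = int(num)
    return mapping


def compare(dc_output, member_output):
    """Names present on both hosts whose numeric IDs differ."""
    dc, member = parse_id(dc_output), parse_id(member_output)
    return {name: (dc[name], member[name])
            for name in sorted(dc.keys() & member.keys())
            if dc[name] != member[name]}


if __name__ == "__main__":
    for name, (dc_id, member_id) in compare(DC_ID, MEMBER_ID).items():
        print(f"{name}: DC={dc_id} member={member_id}")
```

An empty result from `compare` after the change to the 'ad' backend and the cache flush means every name seen on both hosts maps to the same number.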



