[Samba] Domain member server not getting updated AD attributes

Viktor Trojanovic viktor at troja.ch
Sun May 13 09:58:52 UTC 2018


I'm running a pure Samba AD with one Samba AD DC and one member server,
both on version 4.8.1. AD is based on idmap_ldb with rfc2307 but since I'm
using (only) Win10 clients, I have to assign all group and user numbers
manually.

This setup is not new and it's been working for years already, and still
does. Yesterday, however, I noticed that I gave two users the same
uidNumber by mistake. Those users are actually both test users; that's why
I never noticed it before.

Anyway, using the RSAT, I manually changed one of the two uidNumbers so
that each user now has a unique number.

On the DC, I can verify that this worked using wbinfo -i. Both users now
have the unique number assigned to them.

$ wbinfo -i testuser1
SAMDOM\testuser1:*:10009:10000::/home/SAMDOM/testuser1:/bin/false
$ wbinfo -i testuser2
SAMDOM\testuser2:*:10010:10000::/home/SAMDOM/testuser2:/bin/false

However, on the member server which is acting as my file server, this
change is not reflected. Both wbinfo and getent still show the same
uidNumber for both users.

I tried restarting Samba on both servers, rebooting both servers, and running a
sysvolcheck and subsequent repair on the DC, but nothing changes; the member
server keeps showing the wrong uidNumber.

I hope someone can enlighten me as to what I have missed, as I'm quite sure
the mistake is on my side.

For reference, here are excerpts of my two smb.conf files. If you should
find other issues with them, I'd appreciate a hint.

DC smb.conf
--------------------

[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    netbios name = DCSERVER
    server role = active directory domain controller
    dns forwarder = 192.168.1.2
    idmap_ldb:use rfc2307 = yes
    interfaces = lo br-lxc
    bind interfaces only = Yes

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = No
    write ok = Yes
    acl_xattr:ignore system acls = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    write ok = Yes
    acl_xattr:ignore system acls = yes


Member Server smb.conf (without shares)
-------------------------------------

[global]

  netbios name = FILESERVER
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab

  username map = /etc/samba/samba_usermap

  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 10000-99999

  winbind nss info = rfc2307
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  load printers = no
  printing = bsd
  printcap name = /dev/null
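
The symptom described above, two users sharing one uidNumber and a member server still serving the old value after AD was corrected, as an added shell check that is not code from the original post: it parses "wbinfo -i" lines, flags users that share one POSIX uid (a permission problem on a file server, since both identities become the same owner), and compares the DC's and the member's view of a user. It assumes wbinfo is in PATH on each host and that the stale values come from winbind's cache, which "net cache flush" clears; the sample lines below are constructed from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes wbinfo is in PATH and
# that a member server's stale uid comes from winbind's cache.

# Extract the uid (third passwd field) from one "wbinfo -i" line.
uid_from_wbinfo_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Given passwd-style lines (one per user), print "uid user1 user2 ..." for
# every uid shared by more than one user; empty output means no duplicates.
find_duplicate_uids() {
    printf '%s\n' "$1" | awk -F: 'NF >= 3 {
        users[$3] = users[$3] " " $1; n[$3]++
    } END { for (u in n) if (n[u] > 1) print u users[u] }' | sort
}

# Compare the uid a DC reports with the one a member server reports for the
# same user. Returns 0 when they agree, 1 when the member's value is stale.
uid_matches() {
    [ "$(uid_from_wbinfo_line "$1")" = "$(uid_from_wbinfo_line "$2")" ]
}

# Constructed sample: DC view after the fix, member view still showing the
# old (duplicate) uid for testuser2.
DC_VIEW='SAMDOM\testuser1:*:10009:10000::/home/SAMDOM/testuser1:/bin/false
SAMDOM\testuser2:*:10010:10000::/home/SAMDOM/testuser2:/bin/false'
MEMBER_VIEW='SAMDOM\testuser1:*:10009:10000::/home/SAMDOM/testuser1:/bin/false
SAMDOM\testuser2:*:10009:10000::/home/SAMDOM/testuser2:/bin/false'

# Real usage on the member server (uncomment): collect winbind's view of
# every domain user instead of the constructed sample.
# MEMBER_VIEW=$(wbinfo -u | while read -r u; do wbinfo -i "$u"; done)

dups=$(find_duplicate_uids "$MEMBER_VIEW")
if [ -n "$dups" ]; then
    printf 'Duplicate uidNumber on member server (one POSIX uid, two identities):\n'
    printf '%s\n' "$dups"
    printf 'If AD already has unique values, the member is serving cached mappings; try: net cache flush\n'
fi
```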

