[Samba] Domain member server not getting updated AD attributes
Viktor Trojanovic
viktor at troja.ch
Sun May 13 09:58:52 UTC 2018
I'm running a pure Samba AD with one Samba AD DC and one member server,
both on version 4.8.1. AD is based on idmap_ldb with rfc2307 but since I'm
using (only) Win10 clients, I have to assign all group and user numbers
manually.
This setup is not new and it's been working for years already, and still
does. Yesterday, however, I noticed that I gave two users the same
uidNumber by mistake. Those users are actually both test users, that's why
I never noticed it before.
Anyway, using the RSAT, I manually changed one of the two uidNumbers so
that each user now has a unique number.
On the DC, I can verify that this worked using wbinfo -i. Both users now
have the unique number assigned to them.
$ wbinfo -i testuser1
SAMDOM\testuser1:*:10009:10000::/home/SAMDOM/testuser1:/bin/false
$ wbinfo -i testuser2
SAMDOM\testuser2:*:10010:10000::/home/SAMDOM/testuser2:/bin/false
However, on the member server which is acting as my file server, this
change is not reflected. Both wbinfo and getent still show the same
uidNumber for both users.
I tried restarting Samba on both servers, rebooting both servers, running a
sysvolcheck and subsequent repair on the DC but nothing changes, the member
server keeps showing the wrong uidNumber.
I hope someone can enlighten me as to what I failed to do, as I'm quite sure
the mistake is on my side.
For reference, here are excerpts of my two smb.conf files. If you should
find other issues with them, I'd appreciate a hint.
DC smb.conf
--------------------
[global]
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
netbios name = DCSERVER
server role = active directory domain controller
dns forwarder = 192.168.1.2
idmap_ldb:use rfc2307 = yes
interfaces = lo br-lxc
bind interfaces only = Yes
[netlogon]
path = /var/lib/samba/sysvol/samdom.example.com/scripts
read only = No
write ok = Yes
acl_xattr:ignore system acls = yes
[sysvol]
path = /var/lib/samba/sysvol
read only = No
write ok = Yes
acl_xattr:ignore system acls = yes
Member Server smb.conf (without shares)
-------------------------------------
[global]
netbios name = FILESERVER
workgroup = SAMDOM
security = ADS
realm = SAMDOM.EXAMPLE.COM
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/samba_usermap
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
winbind nss info = rfc2307
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes
load printers = no
printing = bsd
printcap name = /dev/null