[Samba] Samba 4 AD member loose membership after DC reboot

Frank frank at si.ct.upc.edu
Mon Apr 4 06:25:12 UTC 2022


Francesc Bassas Serramià
Serveis Informàtics Campus Terrassa
C/ Colom 2
08222 Terrassa (Barcelona)
Phone: 93.73.98630
https://serveis.terrassa.upc.edu/sict

On 1/4/22 at 14:00, samba-request at lists.samba.org wrote:
> On Thu, 2022-03-31 at 14:29 +0200, Frank via samba wrote:
>> Hi Rowland,
>>
>> thanks for your quick response.
>>
>> Here it is a member smb.conf:
>>
>> # Global parameters
>> [global]
>>           workgroup = UPC-CT
>>           realm = UPC-CT.UPC.EDU
>>           netbios name = RADI
>>           netbios aliases = RADI.UPC.ES RADI.UPC.EDU
> You cannot use netbios aliases on a Unix domain member, use a CNAME
> instead.
Got it, but I don't understand what you mean by "use a CNAME"
>
>>           security = ADS
>>
>>           log level = 5
>>           username map = /var/lib/samba/user.map
>>
>>           winbind enum users = yes
>>           winbind enum groups = yes
> Remove the above two lines when you are sure everything is working
> correctly, they should not be used in production.
Thanks, we will do it.
>
>>           winbind nss info = rfc2307
>>           winbind use default domain = Yes
>>           winbind refresh tickets = yes
>>           winbind offline logon = yes
>>           winbind cache time = 60
>>
>> idmap config * : backend = tdb
>> idmap config * : range = 100-499
>> idmap config UPC-CT:backend = ad
>> idmap config UPC-CT:schema_mode = rfc2307
>> idmap config UPC-CT:range = 500-999999
>> idmap config UPC-CT:unix_nss_info = yes
> Was this an upgrade from an NT4-style domain ?
> Even if it was, your '*' range is clobbering local system users.
>
> Rowland
Yes, you're right. This comes from a Samba 3 PDC/BDC, and that's why 
uids are so low.

We realized that was a problem in that it is dangerous to keep it this 
way. We are going to plan a progressive uid update with caution in order 
not to mess up users with repeated uids.

Anyway, could these things you noticed have something to do with the 
problem of losing AD membership after DC rebooting?

Frank
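
The three points raised in the quoted reply (netbios aliases on a domain member, winbind enumeration left enabled, idmap ranges that start inside local system IDs) can be checked mechanically. This is an added example, not part of the original message or of Samba: `parse_global`, `audit` and the 0-999 local ID ceiling are assumptions for illustration, and the sample config is constructed from the settings quoted above.

```python
import re

# Constructed sample: the member smb.conf settings quoted in the thread.
SAMPLE_CONF = """\
[global]
    netbios name = RADI
    netbios aliases = RADI.UPC.ES RADI.UPC.EDU
    winbind enum users = yes
    winbind enum groups = yes
    idmap config * : backend = tdb
    idmap config * : range = 100-499
    idmap config UPC-CT:backend = ad
    idmap config UPC-CT:range = 500-999999
"""

# Assumption: local accounts occupy IDs 0-999 (a common distribution default;
# check UID_MIN/SYS_UID_MAX in /etc/login.defs on the real host).
LOCAL_ID_MAX = 999

def parse_global(text):
    """Return {normalised parameter: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace inside parameter names
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def audit(text):
    """List findings matching the three points raised in the reply."""
    p, findings = parse_global(text), []
    if "netbiosaliases" in p:
        findings.append("netbios aliases set on a domain member")
    for key in ("winbindenumusers", "winbindenumgroups"):
        if p.get(key, "no").lower() in ("yes", "true", "1"):
            findings.append(f"{key} enabled")
    for key, value in p.items():
        m = re.fullmatch(r"idmapconfig(.+):range", key)
        r = re.fullmatch(r"(\d+)\s*-\s*(\d+)", value)
        if m and r and int(r.group(1)) <= LOCAL_ID_MAX:
            findings.append(f"idmap range for {m.group(1)} starts at {r.group(1)}, inside local IDs 0-{LOCAL_ID_MAX}")
    return findings
```

Calling `audit(SAMPLE_CONF)` reports both idmap ranges, because under the assumed ceiling the domain range starting at 500 also overlaps local IDs.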
