[Samba] DCs demote / change IP / re-join mistakes

lperoma at icloud.com
Sat Oct 29 12:10:52 UTC 2022

Cheers Rowland

> On 29 Oct 2022, at 12:10, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On 29/10/2022 10:44, Luis via samba wrote:
>> Hi guys,
>> Greetings. My first post to the list. I have had a working Samba environment for years with no major problems, 3 DCs + 2 Member servers. Some history:
>> DC1 was the initial DC, provisioned with --use-rfc2307. (Debian 9 initially) All worked fine.
> First you have got to understand what happens when you provision with '--use-rfc2307'. It adds a line to the smb.conf:
> idmap_ldb:use rfc2307 = yes
> But more importantly it adds an ldif to AD
> /usr/share/samba/setup/ypServ30.ldif
> That is what happens, but what does it do?
> It does what it says. If you add uidNumber & gidNumber attributes to AD, these will be used instead of the xidNumber attributes found in idmap.ldb, but only on a DC. You will need to configure the smb.conf on Unix domain members to use the 'ad' idmap backend.
>> Second DC, DC2, was joined with:
>> samba-tool domain join mad.mater.int DC -U"MAD\luis" --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes', Debian 9 too, idmap.ldb was backed up from DC1 and copied to DC2, and Rsync SYSVOL replication in place.
> All that option does is to add 'idmap_ldb:use rfc2307 = yes' to the DC's smb.conf, so if you didn't use the option during the DC join, you can just add it manually, but you only need the line if you have added uidNumber & gidNumber attributes to AD and then only if your users will login to the DC.
> Rowland

So what is the state of my AD?

DC3 is untouched 
DC1 and DC2 were joined as per the initial mail without --use-rfc2307 and without replacing idmap.ldb from the other DC.

Can I assume the first mistake (re-joined without --use-rfc2307) has no consequences, as the line was already in smb.conf and creating the ldif ypServ30.ldif is only done at domain provision, not at join?

And second, do I have 3 different idmap.ldb in the domain? Or is this file replicated from the DC that has the PDC_Emulator FSMO role?

If they are different, is there anything I can do to sync the idmap.ldb file, and from what DC? DC3 that was untouched?

Thanks again, all the best,
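The two things Rowland describes (the 'idmap_ldb:use rfc2307 = yes' line in smb.conf, and the per-DC idmap.ldb that holds the xidNumber mappings) can both be checked from a shell. idmap.ldb is local to each DC and is not replicated, so a DC that was re-joined without copying it over will have allocated its own xidNumbers. The script below is an added example, not code from this thread or from the Samba project: it checks a DC's smb.conf for the idmap_ldb line and diffs the SID-to-xidNumber mappings from two idmap.ldb dumps. The smb.conf fragments and the two dumps are constructed sample data in ldbsearch's text format; the dump command and the idmap.ldb path in the comments are assumptions for a stock Debian install.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the dump on each DC was made with:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
# (path and record format assumed; run as root on the DC).

# Constructed smb.conf fragments: one DC with the line, one without.
SMBCONF_DC_WITH='[global]
    workgroup = MAD
    realm = MAD.MATER.INT
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
'
SMBCONF_DC_WITHOUT='[global]
    workgroup = MAD
    realm = MAD.MATER.INT
    server role = active directory domain controller
'

# Constructed idmap.ldb dumps. DC3 is the untouched DC; DC1 was re-joined
# with a fresh idmap.ldb and allocated RIDs 1104/1105 in a different order.
IDMAP_DC3='# record 1
dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-111-222-333-513
objectSid: S-1-5-21-111-222-333-513
xidNumber: 3000001

# record 3
dn: CN=S-1-5-21-111-222-333-1104
objectSid: S-1-5-21-111-222-333-1104
xidNumber: 3000002

# record 4
dn: CN=S-1-5-21-111-222-333-1105
objectSid: S-1-5-21-111-222-333-1105
xidNumber: 3000003
'
IDMAP_DC1='# record 1
dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
xidNumber: 3000000

# record 2
dn: CN=S-1-5-21-111-222-333-513
objectSid: S-1-5-21-111-222-333-513
xidNumber: 3000001

# record 3
dn: CN=S-1-5-21-111-222-333-1105
objectSid: S-1-5-21-111-222-333-1105
xidNumber: 3000002

# record 4
dn: CN=S-1-5-21-111-222-333-1104
objectSid: S-1-5-21-111-222-333-1104
xidNumber: 3000003
'

# has_rfc2307_idmap CONFIG_TEXT -> prints "yes" or "no".
# Parameter names in smb.conf are case-insensitive and whitespace-tolerant.
has_rfc2307_idmap() {
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*idmap_ldb[[:space:]]*:[[:space:]]*use[[:space:]]+rfc2307[[:space:]]*=[[:space:]]*yes[[:space:]]*$'; then
        echo yes
    else
        echo no
    fi
}

# idmap_pairs DUMP -> "SID xidNumber" per record, sorted by SID.
idmap_pairs() {
    printf '%s\n' "$1" | awk '/^objectSid: /{sid=$2} /^xidNumber: /{print sid, $2}' | sort
}

# idmap_conflicts DUMP_A DUMP_B -> "SID xidA xidB" for every SID that is
# mapped differently (or missing, shown as "-") between the two DCs.
idmap_conflicts() {
    { idmap_pairs "$1" | sed 's/^/A /'; idmap_pairs "$2" | sed 's/^/B /'; } |
    awk '{ seen[$2]=1 } $1=="A"{ a[$2]=$3 } $1=="B"{ b[$2]=$3 }
         END { for (s in seen) { x = (s in a) ? a[s] : "-"; y = (s in b) ? b[s] : "-";
                                 if (x != y) print s, x, y } }' | sort
}

echo "DC with line:    $(has_rfc2307_idmap "$SMBCONF_DC_WITH")"
echo "DC without line: $(has_rfc2307_idmap "$SMBCONF_DC_WITHOUT")"
echo "SIDs mapped differently on DC3 vs DC1 (SID xidDC3 xidDC1):"
idmap_conflicts "$IDMAP_DC3" "$IDMAP_DC1"
```

Any SID printed by idmap_conflicts owns files on one DC under a uid/gid that means a different account on the other, which is why the dumps are worth comparing before deciding which DC's idmap.ldb to copy around; a DC whose smb.conf lacks the line simply ignores uidNumber/gidNumber and falls back to idmap.ldb, as the quoted reply says.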
