Discussion:
[Samba] Two DC but Different UID
Carlos A. P. Cunha
2016-06-14 15:59:15 UTC
Hello!
I have two Samba 4.4 DCs; everything is OK, but the IDs are different:


Example DC2:
id tr005
uid = 3000039 (TESTELOCAL \ tr005) gid = 100 (users) groups = 100
(users), 3000039 (TESTELOCAL \ tr005), 3,000,009 (BUILTIN \ users)

Example DC2:
id tr005
uid=3000023(TESTELOCAL\tr005) gid=100(users) groups=100(users),3000023(TESTELOCAL\tr005),3000001(BUILTIN\users)

My smb.conf is the same in both:
# Global parameters
[global]
workgroup = TESTELOCAL
realm = TESTELOCAL.INTERNO
netbios name = SAMBADC-01
server role = active directory domain controller
server services = s3fs, rpc, NBT, wrepl, ldap, CLDAP, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb: use RFC2307 = yes

[Netlogon]
path = /opt/samba/var/locks/sysvol/testelocal.interno/scripts
read only = No

[Sysvol]
path = /opt/samba/var/locks/sysvol
read only = No


My doubt: is this a problem?
If yes, how do I fix it?

Thank you
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Carlos A. P. Cunha
2016-06-14 16:00:11 UTC
Correcting previous email


Hello!
I have two Samba 4.4 DCs; everything is OK, but the IDs are different:


Example DC1:
id tr005
uid=3000039(TESTELOCAL\tr005) gid=100(users) groups=100(users),3000039(TESTELOCAL\tr005),3000009(BUILTIN\users)

Example DC2:
id tr005
uid=3000023(TESTELOCAL\tr005) gid=100(users) groups=100(users),3000023(TESTELOCAL\tr005),3000001(BUILTIN\users)

My smb.conf is the same in both:
# Global parameters
[global]
workgroup = TESTELOCAL
realm = TESTELOCAL.INTERNO
netbios name = SAMBADC-01
server role = active directory domain controller
server services = s3fs, rpc, NBT, wrepl, ldap, CLDAP, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
idmap_ldb: use RFC2307 = yes

[Netlogon]
path = /opt/samba/var/locks/sysvol/testelocal.interno/scripts
read only = No

[Sysvol]
path = /opt/samba/var/locks/sysvol
read only = No


My doubt: is this a problem?
If yes, how do I fix it?

Thank you
mathias dufresne
2016-06-14 16:28:28 UTC
Post by Rowland
Each DC can and probably will have different UIDs for users; this is
because the DCs use idmap.ldb, which uses 'xidNumber' attributes that
seem to be allocated on a first-come basis. One way to get the same UID
numbers on all DCs is to copy idmap.ldb from the first DC to all the others
and then keep them in sync; the other is to use RFC2307 attributes.
And the best way is to do both: synchronize idmap.ldb and set up uidNumber
and gidNumber for each and every user in AD, even for the MS users contained
in the BUILTIN and Users containers.

If you synchronize idmap.ldb, keep it synced.
Using RFC2307 for the MS built-in users is to avoid future issues: once they
all get some xID from AD, they have no reason to get some irrelevant xID
from ID mapping.

You can also edit idmap.ldb using "ldbedit -H idmap.ldb" to remove from
that file every user and group which already has xidNumber set in the AD LDAP
tree.

Finally, one thing which is also important here: perform "net cache flush"
on the DCs so they forget the old UID/GID mapping. NOTE: net cache flush does flush
idmap.ldb; if some account is still in there with a bad UID/GID, that account
will get the bad UID/GID until you remove it from idmap.ldb.
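The verification step that goes with the advice above (copy idmap.ldb from the first DC to the others and keep them in sync) is to check that the copies actually agree. The script below is an added example, not code from the thread or from the Samba project: it dumps the sidMap records of a DC's idmap.ldb with ldbsearch, reduces them to SID/xidNumber pairs, and reports every SID that is mapped to different numbers on the two DCs or is missing on one of them. The idmap.ldb location under /opt/samba/private is assumed from the install prefix in the quoted smb.conf; the two sample dumps embedded in the script are constructed, modelled on the numbers in the thread, so the comparison runs without a DC.

```shell
#!/bin/sh
# Added example: compare the SID -> xidNumber mappings of two DCs.
# Not code from the thread or from Samba. Assumed: the Samba install
# prefix /opt/samba from the quoted smb.conf, so idmap.ldb lives at
# /opt/samba/private/idmap.ldb.
export LC_ALL=C   # sort and join must agree on collation

IDMAP_LDB="${IDMAP_LDB:-/opt/samba/private/idmap.ldb}"   # assumption

# idmap_pairs: read ldbsearch LDIF on stdin, emit one "SID xidNumber"
# line per record, sorted by SID (join requires sorted input)
idmap_pairs() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/ { if (sid != "" && xid != "") print sid, xid; sid = ""; xid = "" }
        END  { if (sid != "" && xid != "") print sid, xid }
    ' | sort
}

# dump_idmap [IDMAP_LDB] -> the live mapping table of a DC
# (run on each DC, or copy its idmap.ldb here and pass the path)
dump_idmap() {
    ldbsearch -H "${1:-$IDMAP_LDB}" '(objectClass=sidMap)' objectSid xidNumber \
        | idmap_pairs
}

# idmap_diff PAIRS_A PAIRS_B -> prints "SID xidA xidB" for every SID that
# is mapped differently or exists on only one DC (MISSING on the other);
# returns 1 if any such line was printed, 0 if the two tables agree
idmap_diff() {
    join -a 1 -a 2 -e MISSING -o 0,1.2,2.2 "$1" "$2" \
        | awk '$2 != $3 { print; bad = 1 } END { exit bad }'
}

# Constructed sample dumps: tr005 (RID 1104) and BUILTIN\Users (S-1-5-32-545)
# got different numbers on the two DCs, Domain Users (RID 513) agrees, and
# one user (RID 1105) has so far only been seen, and allocated, on DC2.
sample_dc1() {
cat <<'EOF'
dn: CN=S-1-5-21-1-2-3-1104
objectSid: S-1-5-21-1-2-3-1104
xidNumber: 3000039

dn: CN=S-1-5-21-1-2-3-513
objectSid: S-1-5-21-1-2-3-513
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000009

EOF
}

sample_dc2() {
cat <<'EOF'
dn: CN=S-1-5-21-1-2-3-1104
objectSid: S-1-5-21-1-2-3-1104
xidNumber: 3000023

dn: CN=S-1-5-21-1-2-3-1105
objectSid: S-1-5-21-1-2-3-1105
xidNumber: 3000024

dn: CN=S-1-5-21-1-2-3-513
objectSid: S-1-5-21-1-2-3-513
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000001

EOF
}

# compare_samples: run the comparison on the constructed dumps;
# exit status is that of idmap_diff
compare_samples() {
    d=$(mktemp -d) || return 2
    sample_dc1 | idmap_pairs >"$d/dc1"
    sample_dc2 | idmap_pairs >"$d/dc2"
    rc=0
    idmap_diff "$d/dc1" "$d/dc2" || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Stand-alone demo: lists the three disagreeing SIDs
compare_samples || echo "idmap.ldb mappings differ between the DCs" >&2
```

On a live system run dump_idmap on each DC (or copy the second DC's idmap.ldb next to the first and dump both locally) and feed the two outputs to idmap_diff. A non-zero exit is the signal that the copy has drifted. Keep in mind that net cache flush only empties winbind's cache, so a stale entry that idmap_diff reports stays in effect until it is removed from idmap.ldb with ldbedit, as mathias describes, or the file is replaced by the synchronized copy.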
Carlos A. P. Cunha
2016-06-14 16:31:41 UTC
Understood. Do I leave it this way, or could I have problems?
For example, with a file server (separate)?
But I was already using RFC2307, because on both I have the option:
idmap_ldb: use RFC2307 = yes
???

Thank you
Post by Rowland
Each DC can and probably will have different UIDs for users; this is
because the DCs use idmap.ldb, which uses 'xidNumber' attributes
that seem to be allocated on a first-come basis. One way to get the
same UID numbers on all DCs is to copy idmap.ldb from the first DC
to all the others and then keep them in sync; the other is to use RFC2307
attributes.
Rowland
mathias dufresne
2016-06-14 16:40:41 UTC
It's one thing to add the schema to your AD; it's another thing to use
that schema.

Adding the RFC2307 schema to AD grants you the possibility to set uidNumber,
gidNumber, loginShell and other attributes on your AD users. It grants
you that possibility, but you are free to use it or not.

The next step is to define xidNumber for your users.
Post by Carlos A. P. Cunha
Understood. Do I leave it this way, or could I have problems?
For example, with a file server (separate)?
idmap_ldb: use RFC2307 = yes
???
Thank you
Carlos A. P. Cunha
2016-06-14 16:52:35 UTC
Okay, and how to do it?


Thanks
Post by mathias dufresne
It's one thing to add the schema to your AD; it's another thing to
use that schema.
Adding the RFC2307 schema to AD grants you the possibility to set
uidNumber, gidNumber, loginShell and other attributes on your AD
users. It grants you that possibility, but you are free to use it
or not.
The next step is to define xidNumber for your users.
Carlos A. P. Cunha
2016-06-14 16:53:44 UTC
Okay, so how do I proceed?
On my question: is it a problem to have different IDs?
For example, if you use a file server.
Thank you
Post by Rowland
Just because you have 'idmap_ldb: use RFC2307 = yes' in smb.conf
doesn't mean you are using the RFC2307 attributes; it means you can
use RFC2307 attributes. You need to add the RFC2307 attributes
manually to AD yourself.
Rowland
J. Echter
2016-06-14 16:45:30 UTC
Post by Rowland
Just because you have 'idmap_ldb: use RFC2307 = yes' in smb.conf
doesn't mean you are using the RFC2307 attributes; it means you can use
RFC2307 attributes. You need to add the RFC2307 attributes manually to
AD yourself.
Rowland
Hi,

any wiki page for this?

Thanks

J.
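Rowland's point, quoted in the previous post and again just above, is that `idmap_ldb: use RFC2307 = yes` only lets the DC honour uidNumber and gidNumber; the attributes still have to be written into AD by hand. The script below is an added example, not code from the thread or from the Samba project, showing one way to do that: it generates an LDIF that sets both attributes on each user and applies it with ldbmodify. Everything it assumes is outside the thread: sam.ldb under /opt/samba/private (the install prefix from the quoted smb.conf), users located in CN=Users of the TESTELOCAL.INTERNO domain, and a range chosen by the administrator of 10000 for the Domain Users gidNumber and 10001 upward for user uidNumbers. The user names in the demo are constructed.

```shell
#!/bin/sh
# Added example: give AD users fixed RFC2307 uidNumber/gidNumber values so
# every DC resolves them to the same UID instead of a first-come xidNumber
# from its own idmap.ldb. Not from the thread or from Samba.
export LC_ALL=C

SAM_LDB="${SAM_LDB:-/opt/samba/private/sam.ldb}"   # assumed install prefix
BASE_DN="DC=testelocal,DC=interno"                 # from the thread's realm
USERS_GID=10000                                    # assumed gidNumber for Domain Users

# user_dn NAME -> DN of the user object (assumes it lives in CN=Users)
user_dn() {
    printf 'CN=%s,CN=Users,%s\n' "$1" "$BASE_DN"
}

# rfc2307_ldif NAME UID GID -> one LDIF modify entry for NAME.
# "replace" adds the attribute when absent and overwrites it when present,
# so the same LDIF can be replayed without creating duplicates.
rfc2307_ldif() {
    printf 'dn: %s\nchangetype: modify\n' "$(user_dn "$1")"
    printf 'replace: uidNumber\nuidNumber: %s\n-\n' "$2"
    printf 'replace: gidNumber\ngidNumber: %s\n-\n\n' "$3"
}

# batch_ldif FIRST_UID < names -> LDIF for every name on stdin, allocating
# consecutive uidNumbers from FIRST_UID. Refuses a repeated name: two
# accounts sharing a uidNumber would share ownership of each other's files.
batch_ldif() {
    uid=$1
    seen=""
    while read -r name; do
        [ -n "$name" ] || continue
        case " $seen " in
            *" $name "*) echo "duplicate user: $name" >&2; return 1 ;;
        esac
        seen="$seen $name"
        rfc2307_ldif "$name" "$uid" "$USERS_GID"
        uid=$((uid + 1))
    done
}

# apply_ldif FILE -> write the changes into this DC's sam.ldb. Run it on
# one DC only; AD replication carries the attributes to the other DC.
apply_ldif() {
    ldbmodify -H "$SAM_LDB" "$1"
}

# show_mapping NAME -> what AD stores for the user, to verify after applying
show_mapping() {
    ldbsearch -H "$SAM_LDB" "(sAMAccountName=$1)" uidNumber gidNumber
}

# Stand-alone demo on constructed names: prints the LDIF that would be applied
printf '%s\n' tr005 tr006 | batch_ldif 10001
```

Typical use is `printf '%s\n' tr005 tr006 | batch_ldif 10001 > rfc2307.ldif`, a read-through of the file, then `apply_ldif rfc2307.ldif` on one DC followed by `net cache flush` on both; show_mapping on each DC should then report the same numbers, and `id tr005` will no longer show a 3000000-range UID. Choose the range so it cannot collide with local accounts or with the 3000000+ numbers idmap.ldb allocates, and remove the users' old entries from idmap.ldb with ldbedit as mathias describes, otherwise the stale mapping can still win.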