Discussion:
[Samba] since i added second DC i have some trouble
J. Echter
2016-06-14 16:38:29 UTC
Hi,

I provisioned a domain and all went well, until I added the second DC...

for example:

the new DC2 tells me:

getfacl /usr/local/samba/var/locks/sysvol

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134users:r-x
user:ELEMAY\134guest:rwx
user:ELEMAY\134domain\040guests:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134users:r-x
group:ELEMAY\134guest:rwx
group:ELEMAY\134domain\040guests:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134users:r-x
default:user:ELEMAY\134guest:rwx
default:user:ELEMAY\134domain\040guests:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134users:r-x
default:group:ELEMAY\134guest:rwx
default:group:ELEMAY\134domain\040guests:r-x
default:mask::rwx
default:other::---


the old DC1 tells me:

# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

smb.conf is identical:

DC2:

testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
workgroup = ELEMAY
dns forwarder = 192.168.0.1
passdb backend = samba_dsdb
server role = active directory domain controller
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config elemay:range = 10000-99999
idmap config elemay:schema_mode = rfc2307
idmap config elemay:backend = ad
idmap config *:range = 2000-9999
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr


[netlogon]
path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
read only = No


[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


DC1:

testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[Profiles]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

# Global parameters
[global]
realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
workgroup = ELEMAY
dns forwarder = 192.168.0.1
passdb backend = samba_dsdb
server role = active directory domain controller
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config elemay:range = 10000-99999
idmap config elemay:schema_mode = rfc2307
idmap config elemay:backend = ad
idmap config *:range = 2000-9999
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr


[netlogon]
path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
read only = No


[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No


[Profiles]
path = /srv/samba/Profiles/
csc policy = disable
profile acls = Yes
create mask = 0600
directory mask = 0700
read only = No

getent passwd:

works on both and shows me domain users, for example:

dc2:

ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false


dc1:

ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false

But, as you see, it has different numbers.



What went wrong here?


thanks

juergen
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
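Two things in the listings above are worth scanning any sysvol ACL dump for: named entries that stayed numeric (`user:3000002:rwx` on DC1 is an xid that winbind on that host cannot map back to a SID), and the `user:ELEMAY\guest:rwx` entry on DC2, which hands write access on sysvol, and so on every GPO's gpt.ini and scripts, to the guest account. The script below is an added example, not code from the thread or from Samba, that pulls both kinds of entry out of getfacl output. Its input is a constructed sample abridged from the DC1 and DC2 listings above; the sysvol path is the /usr/local/samba one used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: scan getfacl output
# from a Samba AD DC's sysvol for two symptoms seen in the thread's listings.
#   1. Named ACL entries whose qualifier is a bare number: an xid that
#      winbind could not map back to a SID on this DC.
#   2. Entries that grant write access to a guest principal.
# Real input (path assumed from the thread's /usr/local/samba install):
#   getfacl -R -p /usr/local/samba/var/locks/sysvol | unresolved_xids

# Constructed sample: an abridged merge of the DC1 and DC2 listings.
# getfacl escapes a backslash as \134 and a space as \040.
SAMPLE_ACL='# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
user:ELEMAY\134guest:rwx
user:ELEMAY\134domain\040guests:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:3000002:rwx
mask::rwx
other::---
default:user:3000002:rwx
default:group:ELEMAY\134guest:rwx
default:other::---'

# Print "<file> <entry>" for every named user/group entry (access or default)
# whose qualifier is purely numeric, i.e. a uid/gid nothing on this host resolves.
unresolved_xids() {
    awk '
        /^# file: /                          { file = substr($0, 9) }
        /^(default:)?(user|group):[0-9]+:/   { print file " " $0 }
    '
}

# Print "<file> <entry>" for every named entry whose principal name contains
# "guest" (DOMAIN\guest, DOMAIN\domain guests, ...) and whose permissions
# include w. On sysvol such an entry lets whoever maps to the guest account
# rewrite policy files, so it should never appear.
guest_write() {
    awk -F: '
        /^# file: / { file = substr($0, 9) }
        /^(default:)?(user|group):/ {
            name  = ($1 == "default") ? $3 : $2
            perms = ($1 == "default") ? $4 : $3
            if (tolower(name) ~ /guest/ && perms ~ /w/) print file " " $0
        }
    '
}

# Counts over the constructed sample (4 numeric entries, 2 guest-write entries).
count_unresolved()  { printf '%s\n' "$SAMPLE_ACL" | unresolved_xids | wc -l | tr -d ' '; }
count_guest_write() { printf '%s\n' "$SAMPLE_ACL" | guest_write     | wc -l | tr -d ' '; }

echo "unresolved numeric ACL entries: $(count_unresolved)"
printf '%s\n' "$SAMPLE_ACL" | unresolved_xids | sed 's/^/  /'
echo "guest principals with write:    $(count_guest_write)"
printf '%s\n' "$SAMPLE_ACL" | guest_write | sed 's/^/  /'
```

Run the same pipe on each DC and compare: when one path shows a numeric entry on one DC and a named one on the other, the number is being carried across unchanged and the two DCs disagree about which SID it stands for.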
J. Echter
2016-06-14 17:24:23 UTC
Post by J. Echter
[...]
Nothing, you just seem to be running into the same problem that a couple
of others have: idmap.ldb can be, and usually is, different between DCs.
That makes three users this week, and it is only Tuesday :-D
You can copy idmap.ldb from the first DC to any others; you would then
need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
keep the idmap.ldb files in sync.
Rowland
Hi,

I recognized that some other people may have the same situation :) But I
already posted...

So my problem was that I can't add GPO rules to my computers/users;
Windows (gpupdate) told me that gpt.ini couldn't be read on one of the
servers.

I checked everything I know, and that is not much, and came to the
conclusion that the problem must be the wrong ACLs on my sysvol.

I have set up an rsync sysvol replication from DC1 -> DC2.

I read here that sharing files is a 'no go', but I do share files on
DC1: my profiles. I will move them to a NAS later on...

Does the above problem cause the issue i mentioned?

Or do i follow the totally wrong way?

I would appreciate some enlightenment :D

Any information you need i will provide happily :)

Thanks.
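Rowland's point is that idmap.ldb is allocated independently on each DC, so the same xid can stand for a different SID on DC1 and DC2, and an rsync of sysvol that preserves POSIX ACLs (`-A`) moves numbers, not principals. The script below is an added example, not code from the thread or from Samba. It compares two ldbsearch dumps of idmap.ldb in both directions (same number, different SID; same SID, different number) on constructed sample data with made-up SIDs, and lists the resync from Rowland's reply as a function that is defined but not invoked; the hostname `dc1` and the /usr/local/samba paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: compare the xid<->SID
# allocations in two DCs' idmap.ldb files, then the resync Rowland describes.
# Real input on each DC (path assumed from the thread's /usr/local/samba install):
#   ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber

# Constructed samples in ldbsearch style with made-up SIDs. Both DCs handed
# out 3000002 and 3000003, to different principals.
DC1_IDMAP='# record 1
dn: CN=S-1-5-11
objectSid: S-1-5-11
xidNumber: 3000002

# record 2
dn: CN=S-1-5-9
objectSid: S-1-5-9
xidNumber: 3000003

# record 3
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-501
objectSid: S-1-5-21-1111111111-2222222222-3333333333-501
xidNumber: 3000011

# record 4
dn: CN=CONFIG
xidNumber: 3000012

# returned 4 records'

DC2_IDMAP='# record 1
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-501
objectSid: S-1-5-21-1111111111-2222222222-3333333333-501
xidNumber: 3000002

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-514
objectSid: S-1-5-21-1111111111-2222222222-3333333333-514
xidNumber: 3000003

# record 3
dn: CN=S-1-5-11
objectSid: S-1-5-11
xidNumber: 3000010

# record 4
dn: CN=CONFIG
xidNumber: 3000011

# returned 4 records'

# Reduce a dump to "xid sid" lines. Records are blank-line separated; the
# CN=CONFIG record (next free xid) has no objectSid and is skipped.
xid_map() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/           { if (sid != "" && xid != "") print xid, sid; sid = ""; xid = "" }
        END            { if (sid != "" && xid != "") print xid, sid }
    '
}

# Same number, different principal: an ACL entry carried over as this number
# silently changes who it grants access to.
xid_conflicts() {
    awk 'FNR == NR { a[$1] = $2; next }
         ($1 in a) && a[$1] != $2 { print "xid", $1, "is", a[$1], "on DC1 but", $2, "on DC2" }' "$1" "$2"
}

# Same principal, different number: the getent difference seen in the thread.
sid_conflicts() {
    awk 'FNR == NR { a[$2] = $1; next }
         ($2 in a) && a[$2] != $1 { print "sid", $2, "is", a[$2], "on DC1 but", $1, "on DC2" }' "$1" "$2"
}

# Run both comparisons on the constructed dumps; the report goes to stdout.
compare_idmaps() {
    tmp=$(mktemp -d)
    printf '%s\n' "$DC1_IDMAP" | xid_map > "$tmp/dc1.map"
    printf '%s\n' "$DC2_IDMAP" | xid_map > "$tmp/dc2.map"
    xid_conflicts "$tmp/dc1.map" "$tmp/dc2.map"
    sid_conflicts "$tmp/dc1.map" "$tmp/dc2.map"
    rm -rf "$tmp"
}

# The fix from the thread as commands on DC2 (defined, not run here; "dc1" is
# an assumed hostname). Stop the samba process on DC2 before replacing
# idmap.ldb and start it again afterwards; then drop winbind's cache and have
# samba-tool reset the sysvol ACLs so they are written with DC2's new numbers.
resync_dc2_from_dc1() {
    rsync -a dc1:/usr/local/samba/private/idmap.ldb /usr/local/samba/private/idmap.ldb
    net cache flush
    samba-tool ntacl sysvolreset
}

compare_idmaps
```

After the resync, the rsync of sysvol from DC1 still copies DC1's numbers, but they now mean the same SIDs on DC2; that holds only as long as the two idmap.ldb files stay identical, which is why Rowland says to keep them in sync rather than copy once.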
l***@gmail.com
2016-06-14 18:47:21 UTC
Post by J. Echter
[...]
Nothing, you just seem to be running into the same problem that a
couple of others have: idmap.ldb can be, and usually is, different between
DCs.
That makes three users this week, and it is only Tuesday :-D
You can copy idmap.ldb from the first DC to any others; you would then
need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
keep the idmap.ldb files in sync.
Rowland
Rowland,

That shouldn't be necessary if he is using 4.2 or later correct?
Isn't the use of winbindd supposed to solve this issue?
--
-James
J. Echter
2016-06-14 18:50:45 UTC
Post by l***@gmail.com
[...]
Rowland,
That shouldn't be necessary if he is using 4.2 or later correct?
Isn't the use of winbindd supposed to solve this issue?
I'm using 4.4.4 on both DCs ;)
l***@gmail.com
2016-06-14 19:22:54 UTC
Post by J. Echter
[...]
I'm using 4.4.4 on both DCs ;)
Echter,

Have you tried syncing the idmap.ldb file yet? I wonder if your
issue is related to using

idmap config elemay:backend = ad

Doesn't this use winbind and not winbindd? In this case you would need
to sync idmap.ldb?
--
-James
J. Echter
2016-06-14 19:47:07 UTC
Post by l***@gmail.com
[...]
Echter,
Have you tried syncing the idmap.ldb file yet? I wonder if your
issue is related to using
idmap config elemay:backend = ad
Doesn't this use winbind and not winbindd? In this case you would need
to sync idmap.ldb?
No, I didn't yet; also, this
https://wiki.samba.org/index.php/Idmap_config_ad#Using_idmap_ad_on_a_Samba_DC
tells me that winbindd is used in my case.