But will this idmap.ldb change work for upcoming new users or groups, so that uid/gid will not be different? The wiki tells us about built-in groups. Those have the right ids.

On 9 December 2014 23:03:44 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 09/12/14 21:07, Tim wrote:
>> Hello all,
>>
>> I have a fresh install of two CentOS 7 machines. On DC1 I made a domain provision with --use-rfc2307. In DC2 I made a join as DC - both exactly as the wiki advised.
>>
>> Since it was missing, I added the idmap use rfc2307 yes parameter to smb.conf.
>>
>> I will have an extra share on both DCs.
>>
>> Today I realized that wbinfo shows different UID/GID for the same users or groups on the DCs.
>>
>> I created the users/groups via RSAT. I don't have a Unix Attributes tab in RSAT. Is that my problem for different uid/gid?
>>
>> Thanks in advance
>> Tim
>
> Hi, I think your problem is that idmap.ldb does not replicate to the new DC; this means that users get different UIDs on the two DCs.
>
> If you run:
>
> ldbedit -e nano -H /var/lib/samba/private/idmap.ldb
>
> on each DC, you will be able to see the differences.
>
> The cure? Copy idmap.ldb from the first DC to any secondary DCs after the join.
>
> It is documented here: https://wiki.samba.org/index.php/Join_a_domain_as_a_DC , near the bottom of the page.
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On 09/12/14 23:49, Tim wrote:
> But will this idmap.ldb change work for upcoming new users or groups so that uid/gid will not be different?

Hi
No. You have specified rfc2307, so the DC expects the uidNumber and gidNumber attributes to be stored under the DN of your users and groups. You can do this easily when you create the objects with samba-tool. If you have some already, add the attributes using ldbedit. You will also need to adjust where your nss information comes from. We have already tried to help you with this, but you have not replied. It is very difficult for us to help you with the information you have supplied, as we need to make several guesses as to what you have done.
Cheers,
Steve

> The wiki tells us about built-in groups. Those have the right ids.
>
> On 9 December 2014 23:03:44 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 09/12/14 21:07, Tim wrote:
>>> Hello all,
>>> [...]
>> Hi, I think your problem is that idmap.ldb does not replicate to the new DC; this means that users get different UIDs on the two DCs.
>> [...]
>> Rowland
On 09/12/14 22:49, Tim wrote:
> But will this idmap.ldb change work for upcoming new users or groups so that uid/gid will not be different?
>
> The wiki tells us about built-in groups. Those have the right ids.
>
> On 9 December 2014 23:03:44 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>> On 09/12/14 21:07, Tim wrote:
>>> [...]
>> Hi, I think your problem is that idmap.ldb does not replicate to the new DC; this means that users get different UIDs on the two DCs.
>> [...]
>> Rowland

I take it that you didn't read this page on the wiki: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

You are running into one of the problems why it is not recommended to use the DC as a fileserver. You have two choices here: either set up a separate member server to use as a fileserver, or use sssd or nslcd to pull the RFC2307 attributes that you will need to add to the users/groups.

Whatever you do, you will need to copy idmap.ldb to any secondary DCs.

Rowland
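The two points made above, Rowland's "compare idmap.ldb on each DC" and Steve's "with rfc2307 the uidNumber/gidNumber on the object wins, everything else is allocated locally", can be checked from LDIF dumps rather than by eyeballing ldbedit. The script below is an added example, not code from this thread or from the Samba project. It assumes you have dumped each DC's idmap.ldb and the users/groups from sam.ldb to text with ldbsearch (the commands in the docstring use the wiki's default paths); the LDIF embedded in the script is constructed, with made-up domain SID, RIDs and ids.

```python
"""Spot per-DC uid/gid divergence on two Samba AD DCs.

Added example, not code from the thread or from Samba.  It assumes each DC's
idmap.ldb and the directory's users/groups were dumped to LDIF text, e.g.

    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'
    ldbsearch -H /var/lib/samba/private/sam.ldb \\
        '(|(objectClass=user)(objectClass=group))' sAMAccountName uidNumber gidNumber

The LDIF embedded below is constructed; SIDs and ids are made up.
"""


def parse_ldif(text):
    """Split LDIF text into entries, each {attr: [values]}.  Blank lines end an
    entry, '#' lines are comments, a leading space folds a long value, and a
    base64 value ('attr:: xxx') is kept raw with its leading ':'."""
    entries, cur, prev = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev:
            cur[prev][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:
            if cur:
                entries.append(cur)
            cur, prev = {}, None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr, []).append(value.strip())
        prev = attr
    if cur:
        entries.append(cur)
    return entries


def idmap_table(idmap_ldif):
    """SID -> (type, xidNumber) for every sidMap record in one DC's idmap.ldb.
    The cn of such a record is the SID in text form, so it is used even if
    objectSid was dumped as base64."""
    table = {}
    for e in parse_ldif(idmap_ldif):
        if "sidMap" in e.get("objectClass", []):
            table[e["cn"][0]] = (e["type"][0], int(e["xidNumber"][0]))
    return table


def compare_idmaps(dc1_ldif, dc2_ldif):
    """{sid: (xid_on_dc1, xid_on_dc2)} for every SID the two DCs map differently;
    None means that DC has not allocated an id for the SID at all."""
    a, b = idmap_table(dc1_ldif), idmap_table(dc2_ldif)
    diffs = {}
    for sid in sorted(set(a) | set(b)):
        xa = a[sid][1] if sid in a else None
        xb = b[sid][1] if sid in b else None
        if xa != xb:
            diffs[sid] = (xa, xb)
    return diffs


def missing_rfc2307(sam_ldif):
    """Users without uidNumber and groups without gidNumber.  With
    'idmap_ldb:use rfc2307 = yes' those attributes (replicated in sam.ldb)
    take precedence; objects lacking them still get a per-DC id from idmap.ldb,
    so they are the ones that keep diverging as new accounts are created."""
    missing = []
    for e in parse_ldif(sam_ldif):
        classes = e.get("objectClass", [])
        name = e.get("sAMAccountName", ["?"])[0]
        if "group" in classes and "gidNumber" not in e:
            missing.append(name)
        elif "user" in classes and "uidNumber" not in e:
            missing.append(name)
    return missing


# ---- constructed sample exports (made-up domain SID, RIDs and ids) ----------
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"


def sidmap_record(rid, xid, kind="ID_TYPE_BOTH"):
    sid = f"{DOMAIN}-{rid}"
    return (f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\nobjectSid: {sid}\n"
            f"type: {kind}\nxidNumber: {xid}\ndistinguishedName: CN={sid}\n")


# DC1 resolved alice (RID 1104) before bob (1105); DC2, joined later, met them
# in the other order and has also allocated a gid for a group DC1 never saw.
DC1_IDMAP = "\n".join([sidmap_record(1104, 3000012), sidmap_record(1105, 3000013)])
DC2_IDMAP = "\n".join([sidmap_record(1105, 3000012), sidmap_record(1104, 3000013),
                       sidmap_record(1106, 3000014, "ID_TYPE_GID")])

SAM_EXPORT = f"""dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
objectSid: {DOMAIN}-1104
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
objectSid: {DOMAIN}-1105

dn: CN=staff,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: staff
objectSid: {DOMAIN}-1106
"""

if __name__ == "__main__":
    for sid, (x1, x2) in compare_idmaps(DC1_IDMAP, DC2_IDMAP).items():
        print(f"{sid}: DC1 xid={x1}  DC2 xid={x2}")
    print("still need uidNumber/gidNumber:", ", ".join(missing_rfc2307(SAM_EXPORT)))
```

Run against real dumps, the first report is what copying idmap.ldb after the join fixes once; the second list is what keeps the problem coming back, because every object without a uidNumber/gidNumber is allocated an xid independently on each DC the first time that DC resolves it. ACLs on an XFS share are stored by numeric id, so a user in that second list can own files under one uid on DC1 and a different uid on DC2.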
On 10/12/14 12:21, rintimtim at gmx.net wrote:
> Thanks for the advice of copying the idmap.ldb. That works.
> After adding some users the uid and gid begin to differ again. I read that it is not recommended to run a DC as a fileserver, but in my case it's not really an option. It's a network of twelve clients, so four servers are incommensurate to this amount of clients.
> I searched regarding sssd, because my nsswitch.conf also has it. But how do I have to configure it all?
> My actual nsswitch.conf provides the following:
> passwd: files sss
> shadow: files sss
> group: files sss
> services: files sss
> netgroup: files sss
> Another alternative seems to be to handle the idmap.ldb with my unidirectional rsync replication of the sysvol folder.
>
> *Sent:* Wednesday, 10 December 2014 at 11:01
> *From:* "Rowland Penny" <rowlandpenny at googlemail.com>
> *To:* Tim <rintimtim at gmx.net>, samba at lists.samba.org
> *Subject:* Re: [Samba] Samba 4 two DCs no matching UID/GID
> On 09/12/14 22:49, Tim wrote:
>> [...]
> I take it that you didn't read this page on the wiki: https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>
> You are running into one of the problems why it is not recommended to use the DC as a fileserver. You have two choices here: either set up a separate member server to use as a fileserver, or use sssd or nslcd to pull the RFC2307 attributes that you will need to add to the users/groups.
>
> Whatever you do, you will need to copy idmap.ldb to any secondary DCs.
>
> Rowland

Did you search on the samba wiki ???? : https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd

Rowland
I found this. But I didn't find it related to DC idmapping replication.

I have two pieces of hardware. My goal is to realize an Active Directory for the Windows clients and a file server. The AD should have redundancy (this is why I provisioned two DCs). The file server should integrate snapshots like a NetApp system (snapshots are done by rsnapshot). The snapshot functionality works so far by mounting CIFS shares read-only from the backup hardware. But I will try this via NFS due to permissions. Mounting CIFS shares leads to irritating permissions on ~snapshot folders ("Everyone" has full permissions).

So how would sssd help to replicate the ids regarding idmapping to the secondary DC? It seems that this is my only problem.

Another option is to have only one DC with NFS regarding snapshots and a file server that integrates the snapshots as mentioned above. But then I have to back up the idmapping file of the file server, or does it get the ids from the AD DC so that I don't have to back up? The FS stores the ACL by using the IDs. I am using XFS.

Thanks in advance
Tim

On 10 December 2014 13:48:40 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> On 10/12/14 12:21, rintimtim at gmx.net wrote:
>> Thanks for the advice of copying the idmap.ldb. That works.
>> After adding some users the uid and gid begin to differ again.
>> [...]
>
> Did you search on the samba wiki ???? : https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
>
> Rowland