My idea is similar. Today I didn't have the time to go on. But this is my concept and it works with a short script (example for groups):

DC1 (schema master)
for loop on wbinfo -g will
check if rfc2307 info is null for these groups in AD (ldbsearch)
when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3 then exit
else update rfc2307 info by importing created ldif file (ldbmodify)

To get this faster an extra file with set rfc2307 gids will be needed and needs to be updated.

For failover reasons idmap.ldb should be synced to secondary DCs or if possible its max gid number should be updated on secondary DCs.

Regards
Tim

On 12 December 2014 10:19:07 CET, steve <steve at steve-ss.com> wrote:
>On 12/12/14 07:10, Tim wrote:
>>
>> On 11 December 2014 23:25:58 CET, steve <steve at steve-ss.com> wrote:
>>> On 11/12/14 23:15, Tim wrote:
>>>> Thanks Steve,
>>>>
>>>> I will have a look at it. I think it's important to sync the idmap.ldb limits
>>>
>>> It isn't important. The limits are the same on all DCs, even if you have not copied the idmap database anywhere else. All you need to do is write the uidNumber and the gidNumber to the DN of your new users and groups.
>>>
>>> There are many ways of keeping track of what-the-next-uidNumber-should-be, which I think is your real problem.
>>
>> Can you give an example? Sounds interesting and would really help.
>>
>One way.
>Turn on enumeration.
>getent passwd and redirect to a file. Read each line, cut the 3rd field (':' is the delimiter) and append to a second file. Find the biggest number and then add 1.
>There are as many ways as people using rfc2307...
>HTH
>Steve
On 12/12/14 20:31, Tim wrote:
> My idea is similar. Today I didn't have the time to go on.
>
> But this is my concept and it works with a short script (example for groups):
>
> DC1 (schema master)
> for loop on wbinfo -g will
> check if rfc2307 info is null for these groups in AD (ldbsearch)
> when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3 then exit
> else update rfc2307 info by importing created ldif file (ldbmodify)

You only really need to give Domain Users & Domain Admins a gidNumber, also you just need to check if the group has a gidNumber and if it doesn't, update the group by adding the next available gidNumber. The same goes for a user.

I also told you where AD normally stores the next uidNumber & gidNumber.

Rowland

>
> To get this faster an extra file with set rfc2307 gids will be needed and needs to be updated.
>
> For failover reasons idmap.ldb should be synced to secondary DCs or if possible its max gid number should be updated on secondary DCs.
>
> Regards
> Tim
>
>
>
> On 12 December 2014 10:19:07 CET, steve <steve at steve-ss.com> wrote:
>> On 12/12/14 07:10, Tim wrote:
>>>
>>> On 11 December 2014 23:25:58 CET, steve <steve at steve-ss.com> wrote:
>>>> On 11/12/14 23:15, Tim wrote:
>>>>> Thanks Steve,
>>>>>
>>>>> I will have a look at it. I think it's important to sync the idmap.ldb limits
>>>> It isn't important. The limits are the same on all DCs, even if you have not copied the idmap database anywhere else. All you need to do is write the uidNumber and the gidNumber to the DN of your new users and groups.
>>>> There are many ways of keeping track of what-the-next-uidNumber-should-be, which I think is your real problem.
>>>
>>> Can you give an example? Sounds interesting and would really help.
>>>
>> One way.
>> Turn on enumeration.
>> getent passwd and redirect to a file. Read each line, cut the 3rd field (':' is the delimiter) and append to a second file. Find the biggest number and then add 1.
>> There are as many ways as people using rfc2307...
>> HTH
>> Steve
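The two pieces of the procedure discussed above, as an added example that is not code from the thread or from the Samba project: Steve's "take the biggest third field of getent output and add 1", and Rowland's "only write a gidNumber where the object has none". It runs on constructed sample data (a fake `getent group` listing and a fake `ldbsearch` result); the ID floor of 10000, the DNs, the group names and the `/usr/local/samba/private/sam.ldb` path are assumptions made for the example. On a real DC the samples would be replaced by the real `getent group` / `ldbsearch` output shown in the trailing comment.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (not from the thread):
# ids below ID_FLOOR belong to local accounts and are never allocated,
# and sam.ldb lives under /usr/local/samba/private/.

ID_FLOOR=10000

# Constructed sample of 'getent group' output (same layout as the lines
# 'wbinfo --group-info' prints). 'sales' has no gidNumber yet, so its
# third field is '*'.
SAMPLE_GROUPS='root:x:0:
users:x:100:
domain users:x:10000:
domain admins:x:10001:
devops:x:10005:
sales:x:*:'

# Constructed sample of 'ldbsearch' output for a group that is already mapped.
SAMPLE_LDB_WITH_GID='dn: CN=devops,CN=Users,DC=example,DC=com
objectClass: group
gidNumber: 10005
cn: devops'

# next_id: read passwd/group style lines on stdin, print max(field 3) + 1.
# Third fields that are not plain numbers (unmapped objects) are skipped and
# the result never drops below ID_FLOOR, so a low system id such as the uid 0
# that wbinfo may show for Administrator is never handed out.
next_id() {
    awk -F: -v floor="$ID_FLOOR" '
        BEGIN { max = 0 }
        $3 ~ /^[0-9]+$/ && $3 + 0 > max { max = $3 + 0 }
        END {
            next_free = max + 1
            if (next_free < floor + 0) next_free = floor + 0
            print next_free
        }'
}

# has_gid: read ldbsearch (LDIF) output on stdin; succeed if it carries a gidNumber.
has_gid() {
    grep -q '^gidNumber: [0-9][0-9]*$'
}

# gid_ldif DN GID: the LDIF that adds a gidNumber to a group that has none.
gid_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' "$1" "$2"
}

# assign_gid DN LDB_OUTPUT GROUP_LIST: Rowland's check first (skip objects that
# already have a gidNumber, returning 1 so a caller can tell "nothing to do"
# apart from success), then Steve's allocation, printed as LDIF for ldbmodify.
assign_gid() {
    dn=$1
    ldb_out=$2
    group_list=$3
    if printf '%s\n' "$ldb_out" | has_gid; then
        return 1
    fi
    gid_ldif "$dn" "$(printf '%s\n' "$group_list" | next_id)"
}

# Stand-alone demonstration on the constructed samples: 'sales' is unmapped,
# the highest existing gid is 10005, so the LDIF assigns 10006.
assign_gid 'CN=sales,CN=Users,DC=example,DC=com' \
    'dn: CN=sales,CN=Users,DC=example,DC=com' "$SAMPLE_GROUPS"

# On a real DC (not executed here; path is an assumption), enumeration turned
# on as Steve says so getent sees the domain groups:
#   SAM=/usr/local/samba/private/sam.ldb
#   dn='CN=sales,CN=Users,DC=example,DC=com'
#   assign_gid "$dn" "$(ldbsearch -H "$SAM" -b "$dn" -s base gidNumber)" \
#       "$(getent group)" | ldbmodify -H "$SAM"
```

Because `next_id` only looks at ids that are already visible, two DCs running it at the same moment could both compute the same "next" number; that is the reason for Tim's choice to run the script on one DC only, and the reason the thread keeps coming back to where the next free number is recorded. The floor also matters on the read side: objects that winbind maps from idmap.ldb rather than from rfc2307 show up in `getent` with ids from winbind's range, so the allocator should skip anything outside the range you reserved for rfc2307.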
Why only Domain Users and Domain Admins? I can't follow. But it's a good idea you've had. So a script can possibly be run on every DC the same. I will check and verify.

What about built-in objects like system? These are not available in ADUC if my memory doesn't fail me now. Will there be a problem when other built-in objects get an rfc gid/uid? E.g. for now wbinfo resolves uid 0 for administrator.

On 12 December 2014 22:19:45 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 12/12/14 20:31, Tim wrote:
>> My idea is similar. Today I didn't have the time to go on.
>>
>> But this is my concept and it works with a short script (example for groups):
>>
>> DC1 (schema master)
>> for loop on wbinfo -g will
>> check if rfc2307 info is null for these groups in AD (ldbsearch)
>> when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3 then exit
>> else update rfc2307 info by importing created ldif file (ldbmodify)
>
>You only really need to give Domain Users & Domain Admins a gidNumber, also you just need to check if the group has a gidNumber and if it doesn't, update the group by adding the next available gidNumber. The same goes for a user.
>
>I also told you where AD normally stores the next uidNumber & gidNumber.
>
>Rowland
>
>
>>
>> To get this faster an extra file with set rfc2307 gids will be needed and needs to be updated.
>>
>> For failover reasons idmap.ldb should be synced to secondary DCs or if possible its max gid number should be updated on secondary DCs.
>>
>> Regards
>> Tim
>>
>>
>>
>> On 12 December 2014 10:19:07 CET, steve <steve at steve-ss.com> wrote:
>>> On 12/12/14 07:10, Tim wrote:
>>>>
>>>> On 11 December 2014 23:25:58 CET, steve <steve at steve-ss.com> wrote:
>>>>> On 11/12/14 23:15, Tim wrote:
>>>>>> Thanks Steve,
>>>>>>
>>>>>> I will have a look at it. I think it's important to sync the idmap.ldb limits
>>>>> It isn't important. The limits are the same on all DCs, even if you have not copied the idmap database anywhere else. All you need to do is write the uidNumber and the gidNumber to the DN of your new users and groups.
>>>>> There are many ways of keeping track of what-the-next-uidNumber-should-be, which I think is your real problem.
>>>>
>>>> Can you give an example? Sounds interesting and would really help.
>>>>
>>> One way.
>>> Turn on enumeration.
>>> getent passwd and redirect to a file. Read each line, cut the 3rd field (':' is the delimiter) and append to a second file. Find the biggest number and then add 1.
>>> There are as many ways as people using rfc2307...
>>> HTH
>>> Steve
>
>--
>To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba