Viktor Trojanovic
2018-May-13 09:58 UTC
[Samba] Domain member server not getting updated AD attributes
I'm running a pure Samba AD with one Samba AD DC and one member server, both on version 4.8.1. AD is based on idmap_ldb with rfc2307 but since I'm using (only) Win10 clients, I have to assign all group and user numbers manually. This setup is not new and it's been working for years already, and still does.

Yesterday, however, I noticed that I gave two users the same uidNumber by mistake. Those users are actually both test users, that's why I never noticed it before. Anyway, using the RSAT, I manually changed one of the two uidNumbers so that each user now has a unique number. On the DC, I can verify that this worked using wbinfo -i. Both users now have the unique number assigned to them.

$ wbinfo -i testuser1
SAMDOM\testuser1:*:10009:10000::/home/SAMDOM/testuser1:/bin/false
$ wbinfo -i testuser2
SAMDOM\testuser2:*:10010:10000::/home/SAMDOM/testuser2:/bin/false

However, on the member server, which is acting as my file server, this change is not reflected. Both wbinfo and getent still show the same uidNumber for both users. I tried restarting Samba on both servers, rebooting both servers, running a sysvolcheck and subsequent repair on the DC, but nothing changes, the member server keeps showing the wrong uidNumber.

I hope someone can enlighten me as to what I missed, as I'm quite sure the mistake is on my side. For reference, here are excerpts of my two smb.conf files. If you should find other issues with them, I'd appreciate a hint.
DC smb.conf
--------------------

[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    netbios name = DCSERVER
    server role = active directory domain controller
    dns forwarder = 192.168.1.2
    idmap_ldb:use rfc2307 = yes
    interfaces = lo br-lxc
    bind interfaces only = Yes

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = No
    write ok = Yes
    acl_xattr:ignore system acls = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    write ok = Yes
    acl_xattr:ignore system acls = yes

Member Server smb.conf (without shares)
-------------------------------------

[global]
    netbios name = FILESERVER
    workgroup = SAMDOM
    security = ADS
    realm = SAMDOM.EXAMPLE.COM
    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    username map = /etc/samba/samba_usermap

    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 10000-99999

    winbind nss info = rfc2307
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = Yes

    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes

    load printers = no
    printing = bsd
    printcap name = /dev/null
Rowland Penny
2018-May-13 11:38 UTC
[Samba] Domain member server not getting updated AD attributes
On Sun, 13 May 2018 11:58:52 +0200
Viktor Trojanovic via samba <samba at lists.samba.org> wrote:

> I'm running a pure Samba AD with one Samba AD DC and one member
> server, both on version 4.8.1.

Are you sure AD is working correctly?
I ask this because there is a bug that comes into play if you try to upgrade a DC to 4.8.0 or 4.8.1 from an earlier version.

> Member Server smb.conf (without shares)
> -------------------------------------
>
> [global]

> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> winbind nss info = rfc2307

This could be your problem, the idmap_config lines changed at 4.6.0, it should now be:

idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
idmap config SAMDOM : unix_nss_info = yes

You should also remove the 'winbind nss info' line.

Then run 'net cache flush' on the Unix domain member.

Rowland
Viktor Trojanovic
2018-May-13 12:09 UTC
[Samba] Domain member server not getting updated AD attributes
Hi Rowland,

On 13 May 2018 at 13:38, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Sun, 13 May 2018 11:58:52 +0200
> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> > I'm running a pure Samba AD with one Samba AD DC and one member
> > server, both on version 4.8.1.
>
> Are you sure AD is working correctly ?
> I ask this because there is a bug that comes into play if try to
> upgrade a DC to 4.8.0.or 4.8.1 from an earlier version.
>

I have not noticed any other issues. Users can log in, GPOs are being properly applied, the event viewer in Windows is not complaining either. Anything specific to look for? If it matters, I'm on Arch, and I only just updated Samba, most likely directly from a version pre-4.6.0 and not from 4.8.0.

> > Member Server smb.conf (without shares)
> > -------------------------------------
> >
> > [global]
>
> > idmap config SAMDOM:backend = ad
> > idmap config SAMDOM:schema_mode = rfc2307
> > idmap config SAMDOM:range = 10000-99999
> >
> > winbind nss info = rfc2307
>
> This could be your problem,the idmap_config lines changed at 4.6.0, it
> should now be:
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
> idmap config SAMDOM : unix_nss_info = yes
>
> You should also remove the 'winbind nss info' line
>
> Then run 'net cache flush' on the Unix domain member'
>
> Rowland
>

That seems to have done the trick, getent finally shows the correct user number. Thanks for that.

If anyone else should come across the same issue and wants to know more, check out: https://wiki.samba.org/index.php/Idmap_config_ad

Viktor
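Added example, not part of the thread or of Samba itself: a small POSIX shell script that turns the two checks done by hand above into something you can run before and after a change like this. Both functions read the passwd(5)-style lines that `wbinfo -i USER` and `getent passwd` print, so they work on the DC and on a domain member. find_uid_collisions reports any uidNumber shared by more than one account (the original mistake in the first post; on a member server two such AD users are one POSIX identity, so file ownership, quotas and any non-SMB path such as ssh, NFS or backups cannot tell them apart). compare_id_maps reports accounts whose uid differs between the DC view and the member view (the stale mapping that the idmap config change and 'net cache flush' in the replies cleared). The lines in dc_view and member_view are constructed from the numbers in the thread, not captured output; the DOMAIN\ prefix stripping is there because the DC prints SAMDOM\user while the member, with 'winbind use default domain = yes', prints the bare name.

```shell
#!/bin/sh
# Added example, not part of the thread. Both functions read passwd(5)-style
# lines as printed by `wbinfo -i USER` and `getent passwd` (name:pw:uid:gid:...),
# so they can be fed from a DC or from a domain member.

# Print each uid that more than one account maps to, with the account names.
# A domain member cannot tell two such AD users apart at the POSIX level.
find_uid_collisions() {
    awk -F: '
        {
            name = $1
            sub(/.*\\/, "", name)          # drop a DOMAIN\ prefix if present
            names[$3] = (names[$3] == "") ? name : names[$3] "," name
            count[$3]++
        }
        END {
            for (uid in count)
                if (count[uid] > 1) print uid ": " names[uid]
        }
    ' | sort -n
}

# Compare the DC view (file $1) with a member view (file $2) and print each
# account whose uid differs: the stale-mapping symptom from the thread.
compare_id_maps() {
    awk -F: '
        { name = $1; sub(/.*\\/, "", name) }
        NR == FNR { dc[name] = $3; next }
        (name in dc) && dc[name] != $3 {
            print name ": dc=" dc[name] " member=" $3
        }
    ' "$1" "$2" | sort
}

# Constructed sample data built from the numbers in the thread: the DC after
# the RSAT fix (unique uids) and the member server still serving the old
# mapping. Replace with real `wbinfo -i` / `getent passwd` output in practice.
dc_view() {
    printf '%s\n' \
        'SAMDOM\testuser1:*:10009:10000::/home/SAMDOM/testuser1:/bin/false' \
        'SAMDOM\testuser2:*:10010:10000::/home/SAMDOM/testuser2:/bin/false'
}
member_view() {
    printf '%s\n' \
        'testuser1:*:10009:10000::/home/SAMDOM/testuser1:/bin/false' \
        'testuser2:*:10009:10000::/home/SAMDOM/testuser2:/bin/false'
}

demo() {
    echo "== uid collisions in the member server view =="
    member_view | find_uid_collisions
    echo "== accounts whose uid differs between DC and member =="
    dc_tmp=$(mktemp) && mem_tmp=$(mktemp) || return 1
    dc_view > "$dc_tmp"
    member_view > "$mem_tmp"
    compare_id_maps "$dc_tmp" "$mem_tmp"
    rm -f "$dc_tmp" "$mem_tmp"
}

demo
```

With real data, source the file and run `getent passwd | find_uid_collisions` on the member server, or save `wbinfo -i` output from the DC and the member to two files and pass them to compare_id_maps; an empty result from both is what you want to see after 'net cache flush'.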