2018-07-19 23:18 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Thu, 19 Jul 2018 23:06:50 +0800
> d tbsky via samba <samba at lists.samba.org> wrote:
>
>> Hi:
>>
>> I have one samba 4.7/4.8 DC, one samba member file server (rhel 7.5
>> with samba 4.7.1), and one windows 7 member PC.
>>
>> if I create an account (my-account) in samba DC, I can not see it
>> in the member server with "id my-account" or "getent passwd
>> my-account".
>
> How are you creating the user ?
>
>>
>> but if I use windows member PC to access the file server with
>> my-account, then immediately "id my-account" and "getent passwd
>> my-account" will work in member server.
>>
>> is this behavior expected? can I let samba member server get the
>> newly created account immediately?
>
> No, it isn't, it should work fairly immediately, please post the
> smb.conf from the Unix domain member.
>

thanks a lot for the quick help. I remember in old days it happened
sometimes. but after upgrade rhel 7.5 (from samba 4.6.x to 4.7.1) and
samba DC 4.7/4.8 it now happens every time.
below is the smb.conf configuration from member server

[global]
workgroup = SAMDOM
netbios name = backup
realm = AD.SAMDOM.EXAMPLE.COM
security = ads

idmap backend = tdb
idmap config *:backend = tdb
idmap config *:range = 1000000-1999999

idmap config SAMDOM:backend = ad
idmap config SAMDOM:default = yes
idmap config SAMDOM:range = 1000-999999
idmap config SAMDOM:schema_mode = rfc2307

winbind enum users = yes
winbind enum groups = yes
winbind nested groups = no
winbind use default domain = yes
winbind offline logon = no

obey pam restrictions = no

# disable printer
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

Please see inline comments.

On Thu, 19 Jul 2018 23:44:48 +0800
d tbsky <tbskyd at gmail.com> wrote:

> thanks a lot for the quick help. I remember in old days it happened
> sometimes. but after upgrade rhel 7.5 (from samba 4.6.x to 4.7.1) and
> samba DC 4.7/4.8 it now happens every time.
> below is the smb.conf configuration from member server
>
> [global]
> workgroup = SAMDOM
> netbios name = backup
> realm = AD.SAMDOM.EXAMPLE.COM
> security = ads
>
> idmap backend = tdb

Remove the above line

> idmap config *:backend = tdb
> idmap config *:range = 1000000-1999999
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:default = yes

You do not need the above line.

> idmap config SAMDOM:range = 1000-999999
> idmap config SAMDOM:schema_mode = rfc2307
>
> winbind enum users = yes
> winbind enum groups = yes
> winbind nested groups = no
> winbind use default domain = yes
> winbind offline logon = no

You do not need the above line.

I know you said in your other email that you are using samba-tool to
create the users, but how, please provide an example.

Rowland

2018-07-19 23:59 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
>
> Please see inline comments.
>
> On Thu, 19 Jul 2018 23:44:48 +0800
> d tbsky <tbskyd at gmail.com> wrote:
>
>> thanks a lot for the quick help. I remember in old days it happened
>> sometimes. but after upgrade rhel 7.5 (from samba 4.6.x to 4.7.1) and
>> samba DC 4.7/4.8 it now happens every time.
>> below is the smb.conf configuration from member server
>>
>> [global]
>> workgroup = SAMDOM
>> netbios name = backup
>> realm = AD.SAMDOM.EXAMPLE.COM
>> security = ads
>>
>> idmap backend = tdb
>
> Remove the above line
>
>> idmap config *:backend = tdb
>> idmap config *:range = 1000000-1999999
>>
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:default = yes
>
> You do not need the above line.
>
>> idmap config SAMDOM:range = 1000-999999
>> idmap config SAMDOM:schema_mode = rfc2307
>>
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind nested groups = no
>> winbind use default domain = yes
>> winbind offline logon = no
>
> You do not need the above line.
>
> I know you said in your other email that you are using samba-tool to
> create the users, but how, please provide an example.
>

Hi:

sorry for the late reply. I was busy downgrade/upgrade samba
versions of dc and member servers. try to tune the configuration and
watch the log.

today I gave up RHEL samba 4.6.x and 4.7.1 rpms and recompile samba
of member servers myself. both 4.7.1 and 4.7.8 are working fine. so
there are some problems with recent RHEL samba packages, although they
work fine years ago. maybe mit kerberos or some other issue I don't
know (is samba file server without ad-dc also infected by kerberos
type?). I will try to report to RedHat bugzilla.

thanks a lot for your help!