Mark Rutherford
2008-Feb-05 18:50 UTC
[Samba] Adding a second server, SIDs in security tab?
Hi everyone. I added a new server a few days ago to an existing Domain Controller cluster that has been working fine for over a year (Debian Linux, DRBD, Linux-HA, etc.). This server is just being used for more space, basically. Users log in normally and map a drive to this new server and all seems to be well. This server is mapped in a kixtart script to G: and the 'main' server is mapped to F:.

When you look at the security tab on any client machine, you see for groups Unix Group\1017, for example. For the user, you see Unknown User and their SID. All clients are Windows XP Pro. If you do the same on a file or directory in F: you do not see this; you see the user and groups normally... but that is the working PDC.

I am sure that LDAP is working properly on both servers. The new one is using the LDAP server on the main server, and 'getent group' and passwd show me the users in LDAP and passwd, etc. I can run ls -l on any directory in the share and see the user and group names as I expect, not numerical values. net groupmap list shows me the same on both servers, etc.

I have never added a second server to just basically be a 'share' server before, so I configured it in a manner that seemed logical to me, but it is probably wrong. <g> I did not place it in debug to see what is going on in depth because it is being used at the moment. Anyone have an idea on what I may have set wrong or just plain omitted? Here is the config of the second server... it's basically pretty plain.
[global]
    workgroup = LCB
    netbios name = Images
    passdb backend = ldapsam:ldap://10.1.1.5
    idmap backend = ldap:ldap://10.1.1.5
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 10000
    logon path =
    domain logons = no
    os level = 10
    domain master = no
    ldap admin dn = cn=admin,dc=domain,dc=com
    ldap group suffix = ou=groups
    ldap machine suffix = ou=machines
    ldap passwd sync = Yes
    ldap suffix = dc=domain,dc=com
    ldap user suffix = ou=users
    panic action = /usr/share/samba/panic-action %d
    oplocks = No
    level2 oplocks = No

[files]
    comment = Images
    path = /srv/files
    read only = No
    vfs objects = recycle
    recycle:noversions = *.doc
    recycle:exclude_dir = /tmp
    recycle:exclude = *.tmp
    recycle:maxsize = 0
    recycle:versions = Yes
    recycle:touch = Yes
    recycle:keeptree = Yes
    recycle:repository = /srv/deleted/%U
On Tue, 2008-02-05 at 13:24 -0500, Mark Rutherford wrote:
> I have never added a second server to just basically be a 'share' server
> before, so I configured it in a manner that seemed logical to me, but it
> is probably wrong. <g>

Indeed you did. 2 solutions:

1. Configure it with security = domain and join it to the PDC; remove all ldap stuff from smb.conf, it will never directly authenticate or touch anything in there, the PDC will do the job.
2. Configure it as a BDC, making sure you set the same SID as set on the PDC.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>
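What Simo's first option looks like for the posted config, written here as an added example rather than taken from either message: the ldapsam and idmap lines are dropped, the server authenticates as a domain member, and the share section is kept from Mark's config. The `password server = *` choice, the `root` join account and the `wbinfo` checks (which need winbindd running) are assumptions, not something the thread states.

```ini
# Added example: the "Images" server as a domain member (security = domain).
# A member server asks the PDC for authentication and SID lookups; it has no
# passdb of its own, so it never needs the LDAP directives or an idmap backend.
[global]
    workgroup = LCB
    netbios name = Images
    # Authenticate users and resolve SIDs through the domain controllers.
    security = domain
    # "*" lets smbd locate the PDC by name resolution; name the PDC host
    # explicitly instead if broadcast/WINS lookup is unreliable (assumption).
    password server = *
    domain logons = no
    domain master = no
    os level = 10
    # Dropped from the original config (a member server must not carry them):
    #   passdb backend = ldapsam:ldap://10.1.1.5
    #   idmap backend = ldap:ldap://10.1.1.5
    #   ldap admin dn / ldap suffix / ldap user,group,machine suffix / ldap passwd sync
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 10000
    panic action = /usr/share/samba/panic-action %d
    oplocks = No
    level2 oplocks = No

[files]
    comment = Images
    path = /srv/files
    read only = No
    vfs objects = recycle
    recycle:repository = /srv/deleted/%U
    recycle:keeptree = Yes
    recycle:versions = Yes
    recycle:noversions = *.doc
    recycle:touch = Yes
    recycle:maxsize = 0
    recycle:exclude = *.tmp
    recycle:exclude_dir = /tmp

# Checks after editing, run as root on the new server (assumed steps):
#   testparm -s                     # parse check; the summary should report SECURITY = DOMAIN
#   net rpc join -U root            # creates the machine trust account on the PDC;
#                                   # "root" is assumed to be the domain admin in ldapsam
#   wbinfo -t                       # verifies the machine trust secret against the PDC
#   wbinfo -s S-1-5-21-X-Y-Z-RID    # placeholder SID: resolve one shown as "Unknown User"
```

If a SID from the security tab now resolves to LCB\username, the share will show names instead of raw SIDs, since the client's lookups are answered by the PDC through the joined member.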