dahopkins at comcast.net
2013-Aug-24 23:02 UTC
[Samba] issue with multiple Samba DC and uid/gid assignment.
I have 2 Ubuntu 12.04/samba 4 servers acting as DCs for my Domain. I provisioned the Domain by using the classicupgrade (prior authentication was LDAP+Samba). I have added some new test users. I also have two file servers. One is running RHEL 5.9/Samba 3, the other Ubuntu 12.04/Samba 4. Users that have their home directories and profiles stored on the RHEL 5.9/Samba 3 fileserver work correctly. Those that are mapped to the Ubuntu 12.04/Samba 4 fileserver get "permission denied" and temp profiles.

It appears the issue is that for some reason, the users have different uid/gid on the 2 Samba 4 DCs .. and I don't know why. I used wbinfo to collect the following. All the accounts were created on Server 1 using the s4user script (slightly modified to provide more output to the screen for debugging) from http://linuxcostablanca.blogspot.com . However, the uid reported by the servers is different? Shouldn't server 1 have replicated this data to server 2? When I check the home directories, they have the uid associated with server 1.

Example: If I create a new user, the output from the script is:

> ./s4user Test24 User MyPassword staff server1
Creating s4 posix user Test24
Pls enter pwd for Test24 User: Test24 User
User 'Test24.User' created successfully
dn: CN=Test24.User,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
changetype: modify
add: objectclass
objectclass: posixaccount
-
add: uidnumber
uidnumber: 3000054
-
add: gidnumber
gidnumber: 513
-
add: unixhomedirectory
unixhomedirectory: /home/staff/Test24.User
-
add: loginshell
loginshell: /bin/bash

Modified 1 records successfully
dn: CN=Test24.User,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
changetype: modify
replace: primarygroupid
primarygroupid: 513

sleeping for 5 seconds
Modified 1 records successfully
Creating the home directory and setting ownership
dn: CN=Test24.User,CN=Users,DC=ncs,DC=k12,DC=de,dc=us
changetype: modify
add: profilePath
profilePath: \\server1\profiles\Test24.User
-
add: homeDrive
homeDrive: P:
-
add: homeDirectory
homeDirectory: \\server1\home\staff\Test24.User

sleeping for 5 seconds
Modified 1 records successfully
New user: Test24 POSIX-ified as follows:
uid 3000054
gid 513
primaryGroupID 513
sid S-1-5-21-276688905-1455118844-2751846679-513

Then use wbinfo on each server:

Server1> wbinfo -i Test24.User
Domain\Test24.User:*:3000054:513::/home/Domain/Test24.User:/bin/false

Server2> wbinfo -i Test24.User
Domain\Test24.User:*:3000134:100::/home/Domain/Test24.User:/bin/false

Notice that the group id and uid are both different. Why?

The basics of the script are:

samba-tool user add Username Password
ldbmodify --url=/usr/local/samba/private/sam.ldb -b dc=ncs,dc=k12,dc=de,dc=us /tmp/Username

Where the file Username has the entries needed to define the Unix information, and the information for the Account and Profile tabs in ADUC.

Do I need to manually run the ldbmodify command on server2 and modify the /usr/local/samba/private/sam.ldb to ensure that it is synced with server1?

Sincerely,
Dave Hopkins
dahopkins at comcast.net
2013-Aug-24 23:27 UTC
[Samba] issue with multiple Samba DC and uid/gid assignment.
A quick follow-on ... if I examine the local sam.ldb on server2 via ldbedit, it appears the information is correct, but wbinfo still reports different numbers:

wbinfo -i Test24.User
Domain\Test24.User:*:3000134:100::/home/Domain/Test24.User:/bin/false

But the information in the /usr/local/samba/private/sam.ldb is:

# record 979
dn: CN=Test24.User,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test24.User
instanceType: 4
whenCreated: 20130824224742.0Z
whenChanged: 20130824224803.0Z
uSNCreated: 10910
uSNChanged: 10910
name: Test24.User
objectGUID: f0cafbd5-aa3e-4c45-a3d1-1009efc9709e
userAccountControl: 512
codePage: 0
countryCode: 0
homeDirectory: \\server1\home\staff\Test24.User
homeDrive: P:
pwdLastSet: 130218580630000000
primaryGroupID: 513
profilePath: \\server1\profiles\Test24.User
objectSid: S-1-5-21-276688905-1455118844-2751846679-67110336
accountExpires: 9223372036854775807
sAMAccountName: Test24.User
sAMAccountType: 805306368
userPrincipalName: Test24.User at ncs.k12.de.us
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us
uidNumber: 3000054
gidNumber: 513
unixHomeDirectory: /home/staff/Test24.User
loginShell: /bin/bash
distinguishedName: CN=Test24.User,CN=Users,DC=ncs,DC=k12,DC=de,DC=us

> wbinfo -i Test24.User
> Domain\Test24.User:*:3000134:100::/home/Domain/Test24.User:/bin/false

----- Original Message -----
From: dahopkins at comcast.net
To: "samba" <samba at lists.samba.org>
Sent: Saturday, August 24, 2013 7:02:18 PM
Subject: [Samba] issue with multiple Samba DC and uid/gid assignment.
On Sat, 2013-08-24 at 23:02 +0000, dahopkins at comcast.net wrote:
> Notice that the group id and uid are both different. Why?

How did you provision the second DC? Are they replicating OK? When they are, both DCs need:

idmap_ldb:use rfc2307 = yes

in the [global] of their smb.conf.

On either DC, winbind will only pull uid and gid from AD. If you want to see all of rfc2307, you must use sssd or nslcd. Then getent passwd will show not only the correct uidNumber and gidNumber, but also the loginShell and unixHomeDirectory too.

Advice: don't use Test24.User as a username for debugging. Lose the capitalisation and the dot.

HTH
Steve
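The mismatch Dave shows (server1 answering 3000054:513, server2 answering 3000134:100 for the same account) and the smb.conf switch Steve points at can both be checked mechanically before touching any DC. The script below is an added example, not code from the thread, from the s4user script or from Samba: it parses the passwd-style lines that `wbinfo -i` prints on each DC, compares the uid/gid fields against the uidNumber/gidNumber in the user's sam.ldb record, and checks whether a DC's [global] section carries `idmap_ldb:use rfc2307 = yes` (the parameter as spelled in smb.conf(5)). The wbinfo lines, the LDIF excerpt and the two smb.conf fragments are constructed from the values quoted in the thread, not captured output; in practice you would feed it what you collect from each DC.

```python
"""Check that every DC's winbind answer for a user agrees with the rfc2307
attributes (uidNumber/gidNumber) stored in AD, and that each DC's smb.conf
enables idmap_ldb rfc2307 lookups.

Added example for the samba list thread; all sample data below is constructed
from the values quoted in the thread and is not live output.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed `wbinfo -i Test24.User` output per DC (values from the thread).
WBINFO_OUTPUT = {
    "server1": r"Domain\Test24.User:*:3000054:513::/home/Domain/Test24.User:/bin/false",
    "server2": r"Domain\Test24.User:*:3000134:100::/home/Domain/Test24.User:/bin/false",
}

# Constructed excerpt of the sam.ldb record for the same user.
LDIF_RECORD = """\
dn: CN=Test24.User,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
objectClass: posixAccount
sAMAccountName: Test24.User
uidNumber: 3000054
gidNumber: 513
unixHomeDirectory: /home/staff/Test24.User
loginShell: /bin/bash
"""

# Constructed smb.conf [global] fragments: one with the rfc2307 switch, one without.
SMBCONF_WITH = """\
[global]
    workgroup = DOMAIN
    realm = NCS.K12.DE.US
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
"""
SMBCONF_WITHOUT = """\
[global]
    workgroup = DOMAIN
    realm = NCS.K12.DE.US
    server role = active directory domain controller
"""


def parse_wbinfo_line(line: str) -> Tuple[str, int, int]:
    """Split a passwd(5)-style `wbinfo -i` line into (name, uid, gid)."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"unexpected wbinfo line: {line!r}")
    return fields[0], int(fields[2]), int(fields[3])


def parse_ldif_posix(ldif: str) -> Tuple[Optional[int], Optional[int]]:
    """Pull uidNumber/gidNumber out of one LDIF record (attribute names are case-insensitive)."""
    uid = gid = None
    for raw in ldif.splitlines():
        if ":" not in raw:
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "uidnumber":
            uid = int(value)
        elif attr == "gidnumber":
            gid = int(value)
    return uid, gid


def check_dc_consistency(wbinfo_by_host: Dict[str, str], ldif: str) -> Dict[str, str]:
    """Return {host: verdict}: 'ok' when winbind matches AD, otherwise what differs."""
    ad_uid, ad_gid = parse_ldif_posix(ldif)
    verdicts = {}
    for host, line in wbinfo_by_host.items():
        _, uid, gid = parse_wbinfo_line(line)
        problems = []
        if uid != ad_uid:
            problems.append(f"uid {uid} != AD uidNumber {ad_uid}")
        if gid != ad_gid:
            problems.append(f"gid {gid} != AD gidNumber {ad_gid}")
        verdicts[host] = "ok" if not problems else "; ".join(problems)
    return verdicts


# Accepts the usual smb.conf boolean spellings for the rfc2307 switch.
_RFC2307_RE = re.compile(r"^\s*idmap_ldb\s*:\s*use\s+rfc2307\s*=\s*(yes|true|1)\s*$", re.I | re.M)


def smbconf_has_rfc2307(smbconf: str) -> bool:
    """True if the [global] section enables idmap_ldb rfc2307 lookups."""
    # Limit the search to [global]: from its header up to the next section header or EOF.
    section = re.search(r"\[global\](.*?)(?=^\[|\Z)", smbconf, re.I | re.S | re.M)
    return bool(section and _RFC2307_RE.search(section.group(1)))


if __name__ == "__main__":
    for host, verdict in check_dc_consistency(WBINFO_OUTPUT, LDIF_RECORD).items():
        print(f"{host}: {verdict}")
    print("rfc2307 enabled (with/without):",
          smbconf_has_rfc2307(SMBCONF_WITH), smbconf_has_rfc2307(SMBCONF_WITHOUT))
```

Run against the constructed data, server1 comes back "ok" and server2 reports both the uid and the gid disagreeing with the directory, which is exactly the symptom in the thread: a DC whose winbind is not reading the rfc2307 attributes answers from its own local id allocation, so two DCs can hand out different numbers for one account even though the sam.ldb records replicated correctly. Checking `smbconf_has_rfc2307` on each DC's smb.conf tells you which side is missing the setting Steve describes.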