William Antonin
2014-May-23 08:56 UTC
[Samba] winbind on server have different UIDs on each Member Server
Hello

I have a big problem.

I'm in a lab situation with 2 domain controllers DC1, DC2 samba 4 (Ubuntu 14.04) in different networks and each of them has a client (Ubuntu 12.04).

When I want to get uid/gid, I use "wbinfo -i user" and I get the same results on each client if they have the same configuration. It's ok for the client.

But when I install winbind on the servers (Ubuntu 14.04), just to be able to use the wbinfo command, I can use "wbinfo -i name" but on my 2 DCs I get an unexpected result for the uid/gid. It seems that the idmap mapping is not interpreted.

Here is my smb.conf excerpt and the results on a client and a server:

Excerpt smb.conf of server

Global parameters
[global]
    workgroup = PREVERT
    realm = PREVERT.LAN
    netbios name = DCFR
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
    winbind nss info = rfc2307

[netlogon]
    path = /var/lib/samba/sysvol/prevert.lan/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Excerpt smb.conf of client

[global]
    ; Basic server settings
    workgroup = PREVERT
    realm = PREVERT.LAN
    smb ports = 139

    log file = /var/log/samba/%m.log
    max log size = 1024

    ; security options
    ;hosts allow = 10.1.1. 127.0.0.1
    security = ADS
    null passwords = no
    password server = dcfr.prevert.lan
    encrypt passwords = yes
    guest ok = no
    invalid users = root bin daemon named sys tty disk mem kmem users sshd

    idmap config PREVERT:backend = rid
    idmap config PREVERT:schema_mode = rfc2307
    idmap config PREVERT:range = 10000-19999
    idmap config PREVERT:read only = yes

    winbind nss info = rfc2307

    winbind uid = 60000-70000
    winbind use default domain = Yes
    winbind enum users = Yes
    winbind enum groups = Yes

    wins server = dcfr.prevert.lan

    inherit acls = Yes

    template homedir = /home/%U
    template shell = /bin/false

wbinfo -i bob on client
    bob:*:11106:10513:bob:/machine1/home/bob:/bin/sh
wbinfo -i guy on server
    PREVERT\bob:*:10000:10000::/home/PREVERT/bob:/bin/false

Can someone help me, please?
Rowland Penny
2014-May-23 09:03 UTC
[Samba] winbind on server have different UIDs on each Member Server
On 23/05/14 09:56, William Antonin wrote:
> Hello
>
> I have a big problem.
>
> I'm in a lab situation with 2 domain controllers DC1, DC2 samba 4 (Ubuntu
> 14.04) in different networks and each of them has a client (Ubuntu 12.04).
>
> When I want to get uid/gid, I use "wbinfo -i user" and I get the same
> results on each client if they have the same configuration. It's ok for
> the client.
>
> But when I install winbind on the servers (Ubuntu 14.04), just to be able to
> use the wbinfo command, I can use "wbinfo -i name" but on my 2 DCs I get an
> unexpected result for the uid/gid. It seems that the idmap mapping is not
> interpreted.
>
> Here is my smb.conf excerpt and the results on a client and a server:
>
> Excerpt smb.conf of server
>
> Global parameters
> [global]
>     workgroup = PREVERT
>     realm = PREVERT.LAN
>     netbios name = DCFR
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
>     idmap_ldb:use rfc2307 = yes
>     winbind nss info = rfc2307
>
> [netlogon]
>     path = /var/lib/samba/sysvol/prevert.lan/scripts
>     read only = No
>
> [sysvol]
>     path = /var/lib/samba/sysvol
>     read only = No
>
> Excerpt smb.conf of client
>
> [global]
>     ; Basic server settings
>     workgroup = PREVERT
>     realm = PREVERT.LAN
>     smb ports = 139
>
>     log file = /var/log/samba/%m.log
>     max log size = 1024
>
>     ; security options
>     ;hosts allow = 10.1.1. 127.0.0.1
>     security = ADS
>     null passwords = no
>     password server = dcfr.prevert.lan
>     encrypt passwords = yes
>     guest ok = no
>     invalid users = root bin daemon named sys tty disk mem kmem users sshd
>
>     idmap config PREVERT:backend = rid
>     idmap config PREVERT:schema_mode = rfc2307
>     idmap config PREVERT:range = 10000-19999
>     idmap config PREVERT:read only = yes
>
>     winbind nss info = rfc2307
>
>     winbind uid = 60000-70000
>     winbind use default domain = Yes
>     winbind enum users = Yes
>     winbind enum groups = Yes
>
>     wins server = dcfr.prevert.lan
>
>     inherit acls = Yes
>
>     template homedir = /home/%U
>     template shell = /bin/false
>
> wbinfo -i bob on client
>     bob:*:11106:10513:bob:/machine1/home/bob:/bin/sh
> wbinfo -i guy on server
>     PREVERT\bob:*:10000:10000::/home/PREVERT/bob:/bin/false
>
> Can someone help me, please?

The problem here is that the winbind on the server is not the same as the winbind on the clients; you are also using the rid backend on the clients. The only way to get consistent uid/gid's everywhere is to use the ad backend on the clients and give your users/groups uidNumber's &/or gidNumber's.

Rowland
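
The change suggested in the reply, sketched as the idmap part of the client's smb.conf. This is an added example, not configuration posted by either participant; the range for the default domain (`*`) is an assumed value, and the PREVERT range is the one from the original client excerpt.

```ini
# Added example: idmap settings for a domain member ("client") using the ad backend.
[global]
    workgroup = PREVERT
    realm = PREVERT.LAN
    security = ADS

    # Default domain (BUILTIN and anything not covered below).
    # Assumed range; it must not overlap the PREVERT range.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    # Before: idmap config PREVERT:backend = rid
    # The rid backend computes IDs locally as RID + range start, which is
    # where the client's 11106 (RID 1106) and 10513 (RID 513) came from.
    # After: read uidNumber/gidNumber stored on the AD objects instead, so
    # every host that uses these attributes sees the same IDs.
    idmap config PREVERT : backend = ad
    idmap config PREVERT : schema_mode = rfc2307
    # Every uidNumber/gidNumber assigned in AD must fall inside this range.
    idmap config PREVERT : range = 10000-19999

    # Shell and home directory also come from the RFC2307 attributes.
    winbind nss info = rfc2307
    winbind use default domain = Yes
```

With the ad backend, a user or group that has no uidNumber or gidNumber set in AD is not mapped on the member, so the attributes have to be populated before switching. Files already owned by the old rid-derived IDs keep those numeric owners and need to be re-owned after the change.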