Thanks Steve,

I will have a look at it. I think it's important to sync the idmap.ldb limits because in case of a crash of the schema master DC another DC must be seized and may not reassign already used ids in rfc2307 for new users or groups.

On 11 December 2014 23:07:06 CET, steve <steve at steve-ss.com> wrote:
> On 11/12/14 22:50, Tim wrote:
>> It will transfer the ids of idmap.ldb of the schema master DC into
>> the rfc2307. All secondary DCs will replicate this by DRS.
>> All I'm missing is to get the max uid/gid out of idmap.ldb
>
> The limits are held at:
> dn: CN=CONFIG
> But you told us that you had gone with rfc2307. In which case nothing
> new will be written there, so that is no use to you.
>
> Please post your non ADUC method anyway.
> Cheers,
> Steve
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: lists.samba.org/mailman/options/samba
On 11/12/14 23:15, Tim wrote:
> Thanks Steve,
>
> I will have a look at it. I think it's important to sync the idmap.ldb
> limits

It isn't important. The limits are the same on all DCs, even if you have not copied the idmap database anywhere else. All you need to do is write the uidNumber and the gidNumber to the DN of your new users and groups.

There are many ways of keeping track of what-the-next-uidNumber-should-be, which I think is your real problem. Using the idmap database in a rfc2307 provisioned domain is not one of them.

Have a rethink.
Cheers,
Steve
On 11/12/14 22:15, Tim wrote:
> Thanks Steve,
>
> I will have a look at it. I think it's important to sync the idmap.ldb limits because in case of a crash of the schema master DC another DC must be seized and may not reassign already used ids in rfc2307 for new users or groups.
>
> On 11 December 2014 23:07:06 CET, steve <steve at steve-ss.com> wrote:
>> On 11/12/14 22:50, Tim wrote:
>>> It will transfer the ids of idmap.ldb of the schema master DC into
>>> the rfc2307. All secondary DCs will replicate this by DRS.
>>> All I'm missing is to get the max uid/gid out of idmap.ldb
>> The limits are held at:
>> dn: CN=CONFIG
>> But you told us that you had gone with rfc2307. In which case nothing
>> new will be written there, so that is no use to you.
>>
>> Please post your non ADUC method anyway.
>> Cheers,
>> Steve

I have to see this non ADUC method for setting rfc2307 attributes, I think the OP is altering idmap.ldb, something that has **NO** rfc2307 attributes in it.

Rowland
On 11/12/14 23:35, Rowland Penny wrote:
> On 11/12/14 22:15, Tim wrote:
>> Thanks Steve,
>>
>> I will have a look at it. I think it's important to sync the idmap.ldb
>> limits because in case of a crash of the schema master DC another DC
>> must be seized and may not reassign already used ids in rfc2307 for
>> new users or groups.
>>
>> On 11 December 2014 23:07:06 CET, steve <steve at steve-ss.com> wrote:
>>> On 11/12/14 22:50, Tim wrote:
>>>> It will transfer the ids of idmap.ldb of the schema master DC into
>>>> the rfc2307. All secondary DCs will replicate this by DRS.
>>>> All I'm missing is to get the max uid/gid out of idmap.ldb
>>> The limits are held at:
>>> dn: CN=CONFIG
>>> But you told us that you had gone with rfc2307. In which case nothing
>>> new will be written there, so that is no use to you.
>>>
>>> Please post your non ADUC method anyway.
>>> Cheers,
>>> Steve
>
> I have to see this non ADUC method for setting rfc2307 attributes, I
> think the OP is altering idmap.ldb, something that has **NO** rfc2307
> attributes in it.
>
> Rowland

We think the biggest setback to date is the misconception that new users are written to the idmap db. You could store the users there, even if you have rfc2307 specified as the OP has, but you still need to transfer them to the ad db to be replicated.

BTW, the OP's nss is with sssd. Do we have sssd.conf? I think we're close to nailing this one now.
On 11 December 2014 23:25:58 CET, steve <steve at steve-ss.com> wrote:
> On 11/12/14 23:15, Tim wrote:
>> Thanks Steve,
>>
>> I will have a look at it. I think it's important to sync the
>> idmap.ldb
>> limits
>
> It isn't important. The limits are the same on all DCs, even if you
> have
> not copied the idmap database anywhere else. All you need to do is
> write
> the uidNumber and the gidNumber to the DN of your new users and groups.
>
> There are many ways of keeping track of
> what-the-next-uidNumber-should-be, which I think is your real problem.

Can you give an example? Sounds interesting and would really help.

> Using the idmap database in a rfc2307 provisioned domain is not one of
> them.
> Have a rethink.
> Cheers,
> Steve
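The scheme Steve describes above (keep the rfc2307 IDs in the AD database, where DRS replicates them to every DC, and derive the next uidNumber from what is already assigned rather than from idmap.ldb) as an added example. This is editor-added illustration code, not a reply from anyone on the list and not Samba's own tooling. It assumes the existing uidNumber/gidNumber values have been dumped in LDIF with `ldbsearch` (the sample LDIF below is constructed, not real directory data), that one range (10000-19999, chosen here) is reserved for hand-allocated rfc2307 IDs, and that the resulting change record is applied with `ldbmodify`.

```python
"""Allocate the next rfc2307 uidNumber/gidNumber from the AD directory itself.

Added example (not from the list thread or from Samba). Assumes the IDs of
existing users and groups were dumped with something like
  ldbsearch -H /usr/local/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' uidNumber gidNumber
and that ID_RANGE (an assumption, 10000-19999) is reserved for rfc2307 IDs.
Because the attributes live in the AD database, every DC sees the same values
after DRS replication, so this can be run on any DC, not only the schema master.
"""
from typing import Set, Tuple

# Constructed sample LDIF in the shape ldbsearch prints (not real directory data).
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10001
gidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10005
gidNumber: 10000

# record 3
dn: CN=staff,CN=Users,DC=example,DC=com
gidNumber: 10002

# returned 3 records
"""

ID_RANGE = (10000, 19999)  # assumed range reserved for hand-allocated rfc2307 IDs


def parse_ldif_ids(ldif: str) -> Tuple[Set[int], Set[int]]:
    """Return the sets of uidNumber and gidNumber values found in LDIF text."""
    uids: Set[int] = set()
    gids: Set[int] = set()
    for line in ldif.splitlines():
        if line.startswith("#") or ":" not in line:
            continue  # ldbsearch comments, blank record separators
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "uidNumber":
            uids.add(int(value))
        elif attr == "gidNumber":
            gids.add(int(value))
    return uids, gids


def next_free_id(used: Set[int], id_range: Tuple[int, int] = ID_RANGE) -> int:
    """Highest used ID inside the range plus one; an ID is never handed out twice.

    max+1 rather than 'first gap' means an ID that once belonged to a deleted
    account is not reassigned, so old file ownership on member servers does
    not silently start pointing at a new account (the concern raised in the
    thread about reusing already used ids).
    """
    lo, hi = id_range
    in_range = [i for i in used if lo <= i <= hi]
    candidate = (max(in_range) + 1) if in_range else lo
    if candidate > hi:
        raise RuntimeError(f"ID range {lo}-{hi} exhausted")
    return candidate


def ldif_modify(dn: str, uid: int, gid: int) -> str:
    """LDIF change record adding both rfc2307 attributes to a user's DN.

    Apply with: ldbmodify -H sam.ldb changes.ldif (on any DC; DRS replicates it).
    """
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: uidNumber\n"
        f"uidNumber: {uid}\n"
        "-\n"
        "add: gidNumber\n"
        f"gidNumber: {gid}\n"
        "-\n"
    )


def allocate_for_new_user(ldif: str, dn: str, primary_gid: int) -> Tuple[int, str]:
    """Pick the next uidNumber from the dump and build the modify record."""
    uids, gids = parse_ldif_ids(ldif)
    if primary_gid not in gids:
        raise ValueError(f"gidNumber {primary_gid} is not assigned to any group")
    uid = next_free_id(uids)
    return uid, ldif_modify(dn, uid, primary_gid)


if __name__ == "__main__":
    new_uid, record = allocate_for_new_user(
        SAMPLE_LDIF, "CN=carol,CN=Users,DC=example,DC=com", 10000
    )
    print(record)
```

One caveat worth keeping in mind with any "read the max, add one" allocator: AD offers no atomic counter for this, so two admins allocating on two DCs at the same moment can pick the same number. Allocating from a single place (or re-running the search immediately before `ldbmodify` and aborting on a collision) closes that window; the idmap.ldb limits play no part in it, as the thread says.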