samba - Mar 2015 - Samba 4.1 gentent, ls, no display domain user name on Primary ACDC but wbinfo -u yes

On 23/03/15 14:19, Jhon P wrote:
> It's a shame not to be able to obtain users on this DC with getent.
You Should be able to, here is an example line from running 'getent 
passwd' on my first DC:

EXAMPLE\testuser3:*:3000069:10000:Test 
User3:/home/EXAMPLE/testuser3:/bin/bash
>
> I would make the server is correctly configured and manageable, has 
> many resources to be used.
There are other problems with using a samba4 DC as a fileserver, there 
have been reports of excessive use of filespace that goes away after a 
reboot, for instance.
>
> Having UIDS eg 3000001 without knowing who owns it is a shame.
>
You can find out, if you must, but there are really no reasons to do so 
on a DC.
> Maybe upgrading to 4.2 this DC these things can work.
> Maybe try updating this DC from the sources.
>
If you update, but still use the ldb files you have now i.e. you do not 
provision and start fresh, you will probably have the same problem. You 
seem to have done everything you can to get RFC2307 working, I think the 
problem must lie in you not provisioning with rfc2307 at the
start.
> If there is something to do to solve this problem really is very helpful.
>
> If there is anything else I can do just let me know.
>
I think that the only way to ensure everything will work correctly, is 
to start again, install a new DC using either Wheezy or Jessie (Jessie 
is frozen, so should be safe to use), use either the packages from 
backports (if using wheezy) or the standard jessie packages or the 
Sernet packages (if they have issued 4.2 packages, no need to bother if 
they haven't). Once you have a new clean OS up with samba4 installed, 
provision it using this command:

samba-tool domain provision --use-rfc2307 --use-xattrs=yes --realm=<YOUR 
SAMBA REALM> --domain=<YOUR DOMAIN NAME} \
     --dns-backend=SAMBA_INTERNAL --server-role=dc 
--function-level=2008_R2 --adminpass=<YOUR ADMINISTRATOR PASSWORD>

You will however have to join your windows machines to this new domain.

Rowland
>
> Rowland I really appreciate your help and time you spent.
>
> Thank You. :-)
>

Yes im see the same as you on the member, but not in the ADDC.

A question, do you have idmap configs on the smb.conf of the ADDC?

-

Start again would be wonderful.

 But if I did that, then I can import the entire hierarchy of the domain?

 I have many OU, Group Policy and around 300 users with homes and permissions on
the directories.

This can be a big problem for fix a litle problem, i cant do it.

Thanks.
> Date: Mon, 23 Mar 2015 14:44:10 +0000
> From: rowlandpenny at googlemail.com
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.1 gentent, ls, no display domain user name on
Primary ACDC but wbinfo -u yes
> 
> On 23/03/15 14:19, Jhon P wrote:
> > It's a shame not to be able to obtain users on this DC with
getent.
> 
> You Should be able to, here is an example line from running 'getent 
> passwd' on my first DC:
> 
> EXAMPLE\testuser3:*:3000069:10000:Test 
> User3:/home/EXAMPLE/testuser3:/bin/bash
> 
> >
> > I would make the server is correctly configured and manageable, has 
> > many resources to be used.
> 
> There are other problems with using a samba4 DC as a fileserver, there 
> have been reports of excessive use of filespace that goes away after a 
> reboot, for instance.
> 
> >
> > Having UIDS eg 3000001 without knowing who owns it is a shame.
> >
> 
> You can find out, if you must, but there are really no reasons to do so 
> on a DC.
> 
> > Maybe upgrading to 4.2 this DC these things can work.
> > Maybe try updating this DC from the sources.
> >
> 
> If you update, but still use the ldb files you have now i.e. you do not 
> provision and start fresh, you will probably have the same problem. You 
> seem to have done everything you can to get RFC2307 working, I think the 
> problem must lie in you not provisioning with rfc2307 at the start.
> > If there is something to do to solve this problem really is very
helpful.
> >
> > If there is anything else I can do just let me know.
> >
> 
> I think that the only way to ensure everything will work correctly, is 
> to start again, install a new DC using either Wheezy or Jessie (Jessie 
> is frozen, so should be safe to use), use either the packages from 
> backports (if using wheezy) or the standard jessie packages or the 
> Sernet packages (if they have issued 4.2 packages, no need to bother if 
> they haven't). Once you have a new clean OS up with samba4 installed, 
> provision it using this command:
> 
> samba-tool domain provision --use-rfc2307 --use-xattrs=yes --realm=<YOUR
> SAMBA REALM> --domain=<YOUR DOMAIN NAME} \
>      --dns-backend=SAMBA_INTERNAL --server-role=dc 
> --function-level=2008_R2 --adminpass=<YOUR ADMINISTRATOR PASSWORD>
> 
> You will however have to join your windows machines to this new domain.
> 
> Rowland
> 
> >
> > Rowland I really appreciate your help and time you spent.
> >
> > Thank You. :-)
> >
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On 23/03/15 15:18, Jhon P wrote:
> Yes im see the same as you on the member, but not in the ADDC.
>
> A question, do you have idmap configs on the smb.conf of the ADDC?
>
>
No, I basically have what the provision provided, just the addition of 
the template lines, the idmap config lines are only of use on a member 
server, as far as I can see, that do nothing on a DC.
>
> Start again would be wonderful.
>
> But if I did that, then I can import the entire hierarchy of the domain?
>
No, sadly whilst you could dump the contents of AD to an ldif, this 
wouldn't help you much, no passwords, the SID would be incorrect etc etc.
> I have many OU, Group Policy and around 300 users with homes and 
> permissions on the directories.
>
> This can be a big problem for fix a litle problem, i cant do it.
>
Totally agree, a sledgehammer to crack a nut :-)
Just forget the DC for storing anything but authentication.

Rowland
> Thanks.
>