miguelmedalha at sapo.pt
2015-Apr-23 15:06 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>> drepl, winbindd, ntp_signd, kcc, dnsupdate

Since "winbindd" is included in this line, shouldn't also "-winbind" be there? I think that when you use the normal winbind you must disable the internal one.

Could the simultaneous use of both winbinds be the cause of the confusion?
Rowland Penny
2015-Apr-23 15:25 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
On 23/04/15 16:06, miguelmedalha at sapo.pt wrote:
>
>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>
> Since "winbindd" is included in this line, shouldn't also "-winbind"
> be there? I think that when you use the normal winbind you must
> disable the internal one.
>
> Could the simultaneous use of both winbinds be the cause of the
> confusion?

If you read what I wrote, you will see I said to replace 'winbindd' with 'winbind'. We are referring to samba 4.2.1, as standard this uses the separate 'winbindd' daemon instead of the 'winbind' built into the samba daemon.

If using the old 'winbind' cures the OP problem, then there is a problem in the way that a 4.2.1 DC uses the 'winbindd' daemon.

Rowland
Miguel Medalha
2015-Apr-23 15:45 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
> If you read what I wrote, you will see I said to replace 'winbindd' with
> 'winbind'. We are referring to samba 4.2.1, as standard this uses the
> separate 'winbindd' daemon instead of the 'winbind' built into the samba
> daemon.

I read what I wrote but what I am saying is something different. The problem may lie not in the use of winbindd per se, it may lie in the use of winbindd *without disabling the internal winbind*.

Maybe I'm wrong but trying it is not so big of an effort....
Andrey Repin
2015-Apr-23 21:24 UTC
[Samba] RFC2307 attributes not being read by DC2 in 4.2.1
Greetings, Rowland Penny!

>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>
>> Since "winbindd" is included in this line, shouldn't also "-winbind"
>> be there? I think that when you use the normal winbind you must
>> disable the internal one.
>>
>> Could the simultaneous use of both winbinds be the cause of the
>> confusion?

> If you read what I wrote, you will see I said to replace 'winbindd' with
> 'winbind'. We are referring to samba 4.2.1, as standard this uses the
> separate 'winbindd' daemon instead of the 'winbind' built into the samba
> daemon.

> If using the old 'winbind' cures the OP problem, then there is a problem
> in the way that a 4.2.1 DC uses the 'winbindd' daemon.

Internal AD winbind implementation doesn't care about SAM posixAccount mappings in sam.ldb - it reads the RFC2307 mappings from idmap.ldb, whereas member servers read the maps from SAM.

This creates a nice clash of UIDs between DC and members, even worse - it creates a clash between idmap and sam on the DC.

I'm right now trying to conceive a plan to solve this crap.

--
With best regards,
Andrey Repin
Friday, April 24, 2015 00:22:11

Sorry for my terrible English...