samba - Apr 2015 - samba 4.2.1 copy idmap...and problems with bi-directional sysvolsync.

Hai, 
?
Im try to get my id for administrator groups on both server the same. 
?
with?4.1.17 the solution was simple.. 
we stop samba on both servers. 
scp /var/lib/samba/private/idmap.ldb root at 192.168.0.2:/var/lib/samba/private/
?
started samba, and the id's where the same. 
?
Im using winbindd now with samba 4.2.1 
but... 
?
DC1:? id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy
creator owners),3000006(enterprise admins),
3000008(domain admins),3000007(schema admins),3000005(denied rodc password
replication group),3000009(BUILTIN\users),
3000000(BUILTIN\administrators)

id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000011(group policy
creator owners),3000010(enterprise admins),
3000007(domain admins),3000009(schema admins),3000008(denied rodc password
replication group),3000001(BUILTIN\users),
3000000(BUILTIN\administrators)

see the differences here.. 
?
What am i missing.. 
Because of this the bi-directional sysvol sync does not works ok !! 
?
config used : 
# Global parameters
[global]
??????? workgroup = BAZRTD
??????? realm = ROTTERDAM.BAZUIN.NL
??????? netbios name = RTD-DC2
??????? server role = active directory domain controller
??????? server services = -dns
?
??????? idmap_ldb:use rfc2307 = yes
??????? idmap config * :backend = tdb
??????? idmap config * :range = 2000-9999
??????? idmap config BAZRTD : backend = ad
??????? idmap config BAZRTD : range = 10000-3999999
?
??????? winbind nss info = rfc2307
??????? winbind trusted domains only = no
??????? winbind use default domain = yes

?
Greetz, 
?
Louis

On 28/04/15 15:58, L.P.H. van Belle wrote:
> Hai,
>   
> Im try to get my id for administrator groups on both server the same.
>   
> with 4.1.17 the solution was simple..
> we stop samba on both servers.
> scp /var/lib/samba/private/idmap.ldb root at
192.168.0.2:/var/lib/samba/private/
>   
> started samba, and the id's where the same.
>   
> Im using winbindd now with samba 4.2.1
> but...
>   
> DC1:  id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy
creator owners),3000006(enterprise admins),
> 3000008(domain admins),3000007(schema admins),3000005(denied rodc password
replication group),3000009(BUILTIN\users),
> 3000000(BUILTIN\administrators)
>
> id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000011(group policy
creator owners),3000010(enterprise admins),
> 3000007(domain admins),3000009(schema admins),3000008(denied rodc password
replication group),3000001(BUILTIN\users),
> 3000000(BUILTIN\administrators)
>
> see the differences here..
>   
> What am i missing..
> Because of this the bi-directional sysvol sync does not works ok !!
>   
> config used :
> # Global parameters
> [global]
>          workgroup = BAZRTD
>          realm = ROTTERDAM.BAZUIN.NL
>          netbios name = RTD-DC2
>          server role = active directory domain controller
>          server services = -dns
>   
>          idmap_ldb:use rfc2307 = yes
>          idmap config * :backend = tdb
>          idmap config * :range = 2000-9999
>          idmap config BAZRTD : backend = ad
>          idmap config BAZRTD : range = 10000-3999999
>   
>          winbind nss info = rfc2307
>          winbind trusted domains only = no
>          winbind use default domain = yes
>
>   
> Greetz,
>   
> Louis
Hi Louis, Well, this line is missing: idmap config BAZRTD:schema_mode = 
rfc2307
but, does adding those lines to an AD DC actually work ? it didn't seem 
to make any difference when I tried it on an rc candidate for 4.2.

You seem to be hitting the same problem that an OP on the technical 
mailing list had, he appeared to cure it by using winbind instead of 
winbindd.

Rowland

Greetings, L.P.H. van Belle!
> Im try to get my id for administrator groups on both server the same.
> ?
> with?4.1.17 the solution was simple.. 
> we stop samba on both servers. 
> scp /var/lib/samba/private/idmap.ldb root at
192.168.0.2:/var/lib/samba/private/
> ?
> started samba, and the id's where the same. 
> ?
> Im using winbindd now with samba 4.2.1 
> but... 
> ?
> DC1:? id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy
> creator owners),3000006(enterprise admins),
> 3000008(domain admins),3000007(schema admins),3000005(denied rodc password
> replication group),3000009(BUILTIN\users),
> 3000000(BUILTIN\administrators)
> id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000011(group policy
> creator owners),3000010(enterprise admins),
> 3000007(domain admins),3000009(schema admins),3000008(denied rodc password
> replication group),3000001(BUILTIN\users),
> 3000000(BUILTIN\administrators)
Louis... welcome to my everyday nightmare for the past month.
> see the differences here.. 
> ?
> What am i missing.. 
> Because of this the bi-directional sysvol sync does not works ok !! 
How exactly you are syncing it?
 ?
> config used : 
> # Global parameters
> [global]
> ??????? workgroup = BAZRTD
> ??????? realm = ROTTERDAM.BAZUIN.NL
> ??????? netbios name = RTD-DC2
> ??????? server role = active directory domain controller
> ??????? server services = -dns
> ?
> ??????? idmap_ldb:use rfc2307 = yes
> ??????? idmap config * :backend = tdb
> ??????? idmap config * :range = 2000-9999
> ??????? idmap config BAZRTD : backend = ad
> ??????? idmap config BAZRTD : range = 10000-3999999
> ?
> ??????? winbind nss info = rfc2307
> ??????? winbind trusted domains only = no
> ??????? winbind use default domain = yes
Aside from "idmap config <DOMAIN> : schema_mode = rfc2307"
pointed by Rowland,
make sure you don't have overlapped UID's in idmap and SAM.


-- 
With best regards,
Andrey Repin
Tuesday, April 28, 2015 23:13:15

Sorry for my terrible english...

Hai Rowland / Andrey, 


that.. was a stupid one to miss.. 
that was because it was checking against defaults of samba, forgot to put that
one back..
and yes, tested it also with, and im noticing the same. (different id's ) 
so.. back to winbind... and now id's are same again.. 

thanks. . 

and andrey, im using my sysvol scripts to set it up. 
have a look here, https://secure.bazuin.nl/scripts/ 

new version 1.0.5 for  : 3-setup-sysvol-bidirectional.sh 

last changes.: 
# 2015-02-24: 1.0.4: corrected the mixed up of PATH and BASE in line 97 ( now
really no more double sysvol )
# 2015-04-29: 1.0.5: added extra copy of idmap.ldb, to make sure the uids/gids
on both servers are correct.
#                    samba 4.2.1 did complain about wrong uid/gids in the sync.
#                    copy of sysvol did not always work, fixed it,
#                    removed the copy of sysvol on dc2, due to above fixed not
needed anymore.
#                    added notification, when using samba 4.2 and winbindd,
which is not supported, due to different ids
#                    even when idmap.ldb is copied.
#

Greetz, 

Louis


>-----Oorspronkelijk bericht-----
>Van: Andrey Repin [mailto:anrdaemon at yandex.ru] 
>Verzonden: dinsdag 28 april 2015 22:16
>Aan: L.P.H. van Belle; samba at lists.samba.org
>Onderwerp: Re: [Samba] samba 4.2.1 copy idmap...and problems 
>with bi-directional sysvolsync.
>
>Greetings, L.P.H. van Belle!
>
>> Im try to get my id for administrator groups on both server the same.
>> ?
>> with?4.1.17 the solution was simple.. 
>> we stop samba on both servers. 
>> scp /var/lib/samba/private/idmap.ldb 
>root at 192.168.0.2:/var/lib/samba/private/
>> ?
>> started samba, and the id's where the same. 
>> ?
>> Im using winbindd now with samba 4.2.1 
>> but... 
>> ?
>> DC1:? id administrator
>> uid=0(root) gid=100(users) 
>groups=0(root),100(users),3000004(group policy
>> creator owners),3000006(enterprise admins),
>> 3000008(domain admins),3000007(schema admins),3000005(denied 
>rodc password
>> replication group),3000009(BUILTIN\users),
>> 3000000(BUILTIN\administrators)
>
>> id administrator
>> uid=0(root) gid=100(users) 
>groups=0(root),100(users),3000011(group policy
>> creator owners),3000010(enterprise admins),
>> 3000007(domain admins),3000009(schema admins),3000008(denied 
>rodc password
>> replication group),3000001(BUILTIN\users),
>> 3000000(BUILTIN\administrators)
>
>Louis... welcome to my everyday nightmare for the past month.
>
>> see the differences here.. 
>> ?
>> What am i missing.. 
>> Because of this the bi-directional sysvol sync does not works ok !! 
>
>How exactly you are syncing it?
> ?
>> config used : 
>> # Global parameters
>> [global]
>> ??????? workgroup = BAZRTD
>> ??????? realm = ROTTERDAM.BAZUIN.NL
>> ??????? netbios name = RTD-DC2
>> ??????? server role = active directory domain controller
>> ??????? server services = -dns
>> ?
>> ??????? idmap_ldb:use rfc2307 = yes
>> ??????? idmap config * :backend = tdb
>> ??????? idmap config * :range = 2000-9999
>> ??????? idmap config BAZRTD : backend = ad
>> ??????? idmap config BAZRTD : range = 10000-3999999
>> ?
>> ??????? winbind nss info = rfc2307
>> ??????? winbind trusted domains only = no
>> ??????? winbind use default domain = yes
>
>Aside from "idmap config <DOMAIN> : schema_mode = rfc2307" 
>pointed by Rowland,
>make sure you don't have overlapped UID's in idmap and SAM.
>
>
>-- 
>With best regards,
>Andrey Repin
>Tuesday, April 28, 2015 23:13:15
>
>Sorry for my terrible english...
>

On 29/04/15 08:30, L.P.H. van Belle wrote:
> Hai Rowland / Andrey,
>
>
> that.. was a stupid one to miss..
> that was because it was checking against defaults of samba, forgot to put
that one back..
> and yes, tested it also with, and im noticing the same. (different id's
)
> so.. back to winbind... and now id's are same again..
>
> thanks. .
>
> and andrey, im using my sysvol scripts to set it up.
> have a look here, https://secure.bazuin.nl/scripts/
>
> new version 1.0.5 for  : 3-setup-sysvol-bidirectional.sh
>
> last changes.:
> # 2015-02-24: 1.0.4: corrected the mixed up of PATH and BASE in line 97 (
now really no more double sysvol )
> # 2015-04-29: 1.0.5: added extra copy of idmap.ldb, to make sure the
uids/gids on both servers are correct.
> #                    samba 4.2.1 did complain about wrong uid/gids in the
sync.
> #                    copy of sysvol did not always work, fixed it,
> #                    removed the copy of sysvol on dc2, due to above fixed
not needed anymore.
> #                    added notification, when using samba 4.2 and winbindd,
which is not supported, due to different ids
> #                    even when idmap.ldb is copied.
> #
>
> Greetz,
>
> Louis
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: Andrey Repin [mailto:anrdaemon at yandex.ru]
>> Verzonden: dinsdag 28 april 2015 22:16
>> Aan: L.P.H. van Belle; samba at lists.samba.org
>> Onderwerp: Re: [Samba] samba 4.2.1 copy idmap...and problems
>> with bi-directional sysvolsync.
>>
>> Greetings, L.P.H. van Belle!
>>
>>> Im try to get my id for administrator groups on both server the
same.
>>>   
>>> with 4.1.17 the solution was simple..
>>> we stop samba on both servers.
>>> scp /var/lib/samba/private/idmap.ldb
>> root at 192.168.0.2:/var/lib/samba/private/
>>>   
>>> started samba, and the id's where the same.
>>>   
>>> Im using winbindd now with samba 4.2.1
>>> but...
>>>   
>>> DC1:  id administrator
>>> uid=0(root) gid=100(users)
>> groups=0(root),100(users),3000004(group policy
>>> creator owners),3000006(enterprise admins),
>>> 3000008(domain admins),3000007(schema admins),3000005(denied
>> rodc password
>>> replication group),3000009(BUILTIN\users),
>>> 3000000(BUILTIN\administrators)
>>> id administrator
>>> uid=0(root) gid=100(users)
>> groups=0(root),100(users),3000011(group policy
>>> creator owners),3000010(enterprise admins),
>>> 3000007(domain admins),3000009(schema admins),3000008(denied
>> rodc password
>>> replication group),3000001(BUILTIN\users),
>>> 3000000(BUILTIN\administrators)
>> Louis... welcome to my everyday nightmare for the past month.
>>
>>> see the differences here..
>>>   
>>> What am i missing..
>>> Because of this the bi-directional sysvol sync does not works ok !!
>> How exactly you are syncing it?
>>   
>>> config used :
>>> # Global parameters
>>> [global]
>>>          workgroup = BAZRTD
>>>          realm = ROTTERDAM.BAZUIN.NL
>>>          netbios name = RTD-DC2
>>>          server role = active directory domain controller
>>>          server services = -dns
>>>   
>>>          idmap_ldb:use rfc2307 = yes
>>>          idmap config * :backend = tdb
>>>          idmap config * :range = 2000-9999
>>>          idmap config BAZRTD : backend = ad
>>>          idmap config BAZRTD : range = 10000-3999999
>>>   
>>>          winbind nss info = rfc2307
>>>          winbind trusted domains only = no
>>>          winbind use default domain = yes
>> Aside from "idmap config <DOMAIN> : schema_mode =
rfc2307"
>> pointed by Rowland,
>> make sure you don't have overlapped UID's in idmap and SAM.
>>
>>
>> -- 
>> With best regards,
>> Andrey Repin
>> Tuesday, April 28, 2015 23:13:15
>>
>> Sorry for my terrible english...
>>
OK Louis, you can confirm that you get different IDs between DCs when 
using 'winbindd', so you should have logs that show this, so will you 
please log a bug report.

Rowland