L.P.H. van Belle
2015-Apr-28 14:58 UTC
[Samba] samba 4.2.1 copy idmap...and problems with bi-directional sysvolsync.
Hai,

I'm trying to get my id for administrator groups on both servers the same.

With 4.1.17 the solution was simple: we stop samba on both servers, then

    scp /var/lib/samba/private/idmap.ldb root@192.168.0.2:/var/lib/samba/private/

started samba, and the id's were the same.

I'm using winbindd now with samba 4.2.1, but...

DC1: id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy creator owners),3000006(enterprise admins),3000008(domain admins),3000007(schema admins),3000005(denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

id administrator
uid=0(root) gid=100(users) groups=0(root),100(users),3000011(group policy creator owners),3000010(enterprise admins),3000007(domain admins),3000009(schema admins),3000008(denied rodc password replication group),3000001(BUILTIN\users),3000000(BUILTIN\administrators)

See the differences here..

What am I missing.. Because of this the bi-directional sysvol sync does not work ok!!

Config used:

    # Global parameters
    [global]
        workgroup = BAZRTD
        realm = ROTTERDAM.BAZUIN.NL
        netbios name = RTD-DC2
        server role = active directory domain controller
        server services = -dns

        idmap_ldb:use rfc2307 = yes
        idmap config * :backend = tdb
        idmap config * :range = 2000-9999
        idmap config BAZRTD : backend = ad
        idmap config BAZRTD : range = 10000-3999999

        winbind nss info = rfc2307
        winbind trusted domains only = no
        winbind use default domain = yes

Greetz,

Louis
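An added example, not code from the thread or from Samba: a small parser for id(1) output that diffs the numeric ids two DCs hand out for the same account, run over the two listings Louis posted. The listings are reproduced from the post (re-joined onto one line each); the second one is unlabelled there and is assumed to be DC2 here, and the function names are mine. It shows why the sync breaks: every entry in the result is a group whose numeric gid differs between the DCs, and file ownership and ACLs on a synced sysvol carry numbers, not names.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Constructed sample input: the two `id administrator` outputs quoted in the
# thread, re-joined onto one line each (the mailing list wrapped them).
# The second listing is unlabelled in the post; it is assumed to be DC2.
DC1_ID = (
    "uid=0(root) gid=100(users) groups=0(root),100(users),"
    "3000004(group policy creator owners),3000006(enterprise admins),"
    "3000008(domain admins),3000007(schema admins),"
    "3000005(denied rodc password replication group),"
    "3000009(BUILTIN\\users),3000000(BUILTIN\\administrators)"
)
DC2_ID = (
    "uid=0(root) gid=100(users) groups=0(root),100(users),"
    "3000011(group policy creator owners),3000010(enterprise admins),"
    "3000007(domain admins),3000009(schema admins),"
    "3000008(denied rodc password replication group),"
    "3000001(BUILTIN\\users),3000000(BUILTIN\\administrators)"
)

# id(1) prints "uid=N(name) gid=N(name) groups=N(name),N(name),...".
# Group names may contain spaces ("domain admins"), so split on the
# "N(name)" pattern rather than on whitespace.
_HEAD = re.compile(r"^uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\(([^)]*)\)\s+groups=(.*)$")
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


class IdInfo(NamedTuple):
    uid: int
    user: str
    gid: int
    primary_group: str
    groups: Dict[str, int]  # group name -> numeric gid


def parse_id(line: str) -> IdInfo:
    """Parse one line of id(1) output into its numeric/name pairs."""
    m = _HEAD.match(line.strip())
    if not m:
        raise ValueError(f"not an id(1) line: {line!r}")
    groups = {name: int(num) for num, name in _ENTRY.findall(m.group(5))}
    return IdInfo(int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), groups)


def compare_ids(dc_a: str, dc_b: str) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """Return {name: (id on A, id on B)} for every mapping that is not identical.

    "<uid>" and "<gid>" cover the account's own ids, group names cover the
    supplementary groups; a side that lacks the group is reported as None.
    Only the numbers matter: ownership and ACLs on a synced sysvol are stored
    as numeric ids, so each entry here becomes a wrong owner/group on the peer.
    """
    a, b = parse_id(dc_a), parse_id(dc_b)
    diffs: Dict[str, Tuple[Optional[int], Optional[int]]] = {}
    if a.uid != b.uid:
        diffs["<uid>"] = (a.uid, b.uid)
    if a.gid != b.gid:
        diffs["<gid>"] = (a.gid, b.gid)
    for name in sorted(set(a.groups) | set(b.groups)):
        ga, gb = a.groups.get(name), b.groups.get(name)
        if ga != gb:
            diffs[name] = (ga, gb)
    return diffs


if __name__ == "__main__":
    # Prints the six groups whose gid differs between the two posted listings.
    for name, (ga, gb) in compare_ids(DC1_ID, DC2_ID).items():
        print(f"{name:45s} DC1={ga} DC2={gb}")
```

On a live pair of DCs the two strings would come from `id administrator` run on each host; an empty result is the condition a bi-directional sysvol sync needs before it can preserve ownership across the copy.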
Rowland Penny
2015-Apr-28 15:08 UTC
On 28/04/15 15:58, L.P.H. van Belle wrote:
> [...]
> config used:
> # Global parameters
> [global]
>     workgroup = BAZRTD
>     realm = ROTTERDAM.BAZUIN.NL
>     netbios name = RTD-DC2
>     server role = active directory domain controller
>     server services = -dns
>
>     idmap_ldb:use rfc2307 = yes
>     idmap config * :backend = tdb
>     idmap config * :range = 2000-9999
>     idmap config BAZRTD : backend = ad
>     idmap config BAZRTD : range = 10000-3999999
>
>     winbind nss info = rfc2307
>     winbind trusted domains only = no
>     winbind use default domain = yes
> [...]

Hi Louis,

Well, this line is missing:

    idmap config BAZRTD:schema_mode = rfc2307

but, does adding those lines to an AD DC actually work? It didn't seem to make any difference when I tried it on an rc candidate for 4.2. You seem to be hitting the same problem that an OP on the technical mailing list had, he appeared to cure it by using winbind instead of winbindd.

Rowland
Andrey Repin
2015-Apr-28 20:16 UTC
Greetings, L.P.H. van Belle!

> I'm trying to get my id for administrator groups on both servers the same.
>
> With 4.1.17 the solution was simple: we stop samba on both servers.
> scp /var/lib/samba/private/idmap.ldb root@192.168.0.2:/var/lib/samba/private/
>
> Started samba, and the id's were the same.
>
> I'm using winbindd now with samba 4.2.1, but...
>
> DC1: id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000004(group policy creator owners),3000006(enterprise admins),3000008(domain admins),3000007(schema admins),3000005(denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
>
> id administrator
> uid=0(root) gid=100(users) groups=0(root),100(users),3000011(group policy creator owners),3000010(enterprise admins),3000007(domain admins),3000009(schema admins),3000008(denied rodc password replication group),3000001(BUILTIN\users),3000000(BUILTIN\administrators)

Louis... welcome to my everyday nightmare for the past month.

> See the differences here..
>
> What am I missing..
> Because of this the bi-directional sysvol sync does not work ok!!

How exactly are you syncing it?

> config used:
> [...]
>     idmap config * :backend = tdb
>     idmap config * :range = 2000-9999
>     idmap config BAZRTD : backend = ad
>     idmap config BAZRTD : range = 10000-3999999
> [...]

Aside from "idmap config <DOMAIN> : schema_mode = rfc2307" pointed out by Rowland, make sure you don't have overlapping UIDs in idmap and SAM.

--
With best regards,
Andrey Repin
Tuesday, April 28, 2015 23:13:15

Sorry for my terrible english...
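As an added example (not part of the thread and not Samba's own tooling), a small lint that applies the two configuration checks raised in the two replies above: Rowland's missing `idmap config BAZRTD : schema_mode = rfc2307` line, and Andrey's warning against id ranges that overlap. The sample config is Louis's as posted (indentation normalised); the function names and the "fixed" and "overlap" variants are mine. Note the caveat from the thread itself: Louis later reports that adding the schema_mode line did not change the ids on his 4.2.1 DC with winbindd, so this catches the gap in the config, not that behaviour.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the [global] idmap lines from Louis's smb.conf as posted
# in the thread (indentation normalised), plus two variants derived below.
THREAD_CONF = """\
# Global parameters
[global]
    workgroup = BAZRTD
    realm = ROTTERDAM.BAZUIN.NL
    netbios name = RTD-DC2
    server role = active directory domain controller
    server services = -dns

    idmap_ldb:use rfc2307 = yes
    idmap config * :backend = tdb
    idmap config * :range = 2000-9999
    idmap config BAZRTD : backend = ad
    idmap config BAZRTD : range = 10000-3999999

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
"""

# The same config with the line Rowland points out added (my variant).
FIXED_CONF = THREAD_CONF.replace(
    "idmap config BAZRTD : range = 10000-3999999",
    "idmap config BAZRTD : range = 10000-3999999\n"
    "    idmap config BAZRTD : schema_mode = rfc2307",
)

# A variant (mine) whose default '*' range runs into the domain range.
OVERLAP_CONF = FIXED_CONF.replace("range = 2000-9999", "range = 2000-19999")

# "idmap config <DOMAIN> : <option> = <value>"; smb.conf tolerates loose
# spacing around the colon, as Louis's config shows.
_IDMAP = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$", re.I)


def parse_idmap(conf: str) -> Dict[str, Dict[str, str]]:
    """Collect the idmap config options per domain tag ('*' is the default)."""
    domains: Dict[str, Dict[str, str]] = {}
    for raw in conf.splitlines():
        if raw.lstrip().startswith(("#", ";")):   # smb.conf comment lines
            continue
        m = _IDMAP.match(raw)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
    return domains


def _parse_range(spec: str) -> Tuple[int, int]:
    lo, hi = (int(x) for x in spec.replace(" ", "").split("-", 1))
    if lo > hi:
        raise ValueError(f"bad idmap range {spec!r}")
    return lo, hi


def lint_idmap(conf: str) -> List[str]:
    """Return findings for the two problems raised in the thread.

    1. 'backend = ad' without 'schema_mode = rfc2307' (Rowland's point).
    2. Ranges of two idmap domains that overlap (Andrey's point): an id handed
       out by one backend could then collide with one from the other.
    """
    findings: List[str] = []
    ranges: Dict[str, Tuple[int, int]] = {}
    for dom, opts in parse_idmap(conf).items():
        if "range" not in opts:
            findings.append(f"{dom}: no 'range' configured")
        else:
            ranges[dom] = _parse_range(opts["range"])
        if (opts.get("backend", "").lower() == "ad"
                and opts.get("schema_mode", "").lower() != "rfc2307"):
            findings.append(
                f"{dom}: backend = ad but no 'idmap config {dom} : schema_mode = rfc2307'")
    tags = sorted(ranges)
    for i, a in enumerate(tags):
        for b in tags[i + 1:]:
            (alo, ahi), (blo, bhi) = ranges[a], ranges[b]
            if alo <= bhi and blo <= ahi:     # closed intervals intersect
                findings.append(f"{a} range {alo}-{ahi} overlaps {b} range {blo}-{bhi}")
    return findings


if __name__ == "__main__":
    for label, conf in (("thread", THREAD_CONF), ("fixed", FIXED_CONF), ("overlap", OVERLAP_CONF)):
        print(label, lint_idmap(conf) or ["ok"])
```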
L.P.H. van Belle
2015-Apr-29 07:30 UTC
Hai Rowland / Andrey,

That.. was a stupid one to miss.. That was because it was checking against defaults of samba, forgot to put that one back.. And yes, tested it also with, and I'm noticing the same (different id's). So.. back to winbind... and now id's are the same again.. Thanks.

And Andrey, I'm using my sysvol scripts to set it up. Have a look here: https://secure.bazuin.nl/scripts/

New version 1.0.5 for: 3-setup-sysvol-bidirectional.sh

Last changes:

    # 2015-02-24: 1.0.4: corrected the mix-up of PATH and BASE in line 97 (now really no more double sysvol)
    # 2015-04-29: 1.0.5: added extra copy of idmap.ldb, to make sure the uids/gids on both servers are correct.
    #   samba 4.2.1 did complain about wrong uid/gids in the sync.
    #   copy of sysvol did not always work, fixed it,
    #   removed the copy of sysvol on dc2, due to above fix not needed anymore.
    #   added notification, when using samba 4.2 and winbindd, which is not supported, due to different ids
    #   even when idmap.ldb is copied.
    #

Greetz,

Louis

> -----Original message-----
> From: Andrey Repin [mailto:anrdaemon at yandex.ru]
> Sent: Tuesday 28 April 2015 22:16
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] samba 4.2.1 copy idmap...and problems with bi-directional sysvolsync.
>
> [...]
Rowland Penny
2015-Apr-29 07:41 UTC
On 29/04/15 08:30, L.P.H. van Belle wrote:
> Hai Rowland / Andrey,
>
> That.. was a stupid one to miss..
> That was because it was checking against defaults of samba, forgot to put that one back..
> And yes, tested it also with, and I'm noticing the same (different id's).
> So.. back to winbind... and now id's are the same again..
>
> Thanks.
>
> And Andrey, I'm using my sysvol scripts to set it up.
> Have a look here: https://secure.bazuin.nl/scripts/
>
> New version 1.0.5 for: 3-setup-sysvol-bidirectional.sh
> [...]

OK Louis, you can confirm that you get different IDs between DCs when using 'winbindd', so you should have logs that show this, so will you please log a bug report.

Rowland