On 13/06/15 16:33, Jonathan Hunter wrote:
> Hi buhorojo,
>
> I *think* I have a stable system for the moment... so thank you :-)
>
> On 13 June 2015 at 12:50, buhorojo <buhorojo.lcb at gmail.com> wrote:
>>> I now set in smb.conf:
>>>
>>> server services = -dns +winbind -winbindd
>>>
>>> I stopped samba, then removed databases:
>>>
>>> # rm /usr/local/samba/var/cache/gencache.tdb \
>>> /usr/local/samba/var/lock/gencache_notrans.tdb \
>> Restore this:
>>> /usr/local/samba/private/idmap.ldb
> I have the following in smb.conf:
> server services = -dns +winbind -winbindd
> idmap_ldb:use rfc2307 = yes
> and no 'winbind' lines anywhere.
>
> I removed /usr/local/samba/var/cache/gencache.tdb and
> /usr/local/samba/var/cache/gencache_notrans.tdb, and kept
> /usr/local/samba/private/idmap.ldb (copied from other DC)
>
> Now, when starting samba, I see stable connections using the correct
> UID, even after some time:
>
> # smbstatus
> [....]
> Locked files:
> Pid Uid DenyMode Access R/W Oplock
> SharePath Name Time
> --------------------------------------------------------------------------------------------------
> 14717 41000 DENY_NONE 0x100081 RDONLY NONE
> /data/sharename . Sat Jun 13 12:58:52 2015
> 14717 41000 DENY_NONE 0x100081 RDONLY NONE
> /home/auser Documents Sat Jun 13 15:44:42 2015
> 7330 41012 DENY_NONE 0x100081 RDONLY NONE
> /data/anothershare . Sat Jun 13 16:25:40 2015
> 22048 41001 DENY_ALL 0x100080 RDONLY NONE
> /home . Sat Jun 13 13:01:03 2015
>
> There is nothing shown at all in 'net cache list'; I guess this is
> fine (certainly, things seem to work at the moment)
>
> Looks like a working minimal configuration for file serving from a DC
> is the following, then:
> - use rfc2307 UIDs (sadly, this is a must - I *wish* I could use some
> kind of algorithmic mapping, ideally sssd's logic, but any really!)
> - use sssd with 'ldap_id_mapping = False', and specify 'sss' for
> passwd and group in /etc/nsswitch.conf
> - Specify 'idmap_ldb:use rfc2307 = yes' in smb.conf
> - Add '+winbind -winbindd' to 'server services =' in smb.conf
>
>

OK, I have a couple VMs running Debian Wheezy with Sernet Samba 4.2.1

These are running as a test domain with two DCs, both are using the
built-in dns server and winbindd.

If I check smb.conf on both DCs:

root@testdc1:~# cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = SAMBADOM
        realm = SAMBADOM.EXAMPLE.COM
        netbios name = TESTDC1
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[netlogon]
        path = /var/lib/samba/sysvol/sambadom.example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

root@testdc2:~# cat /etc/samba/smb.conf
# Global parameters
[global]
        workgroup = SAMBADOM
        realm = SAMBADOM.EXAMPLE.COM
        netbios name = TESTDC2
        server role = active directory domain controller
        dns forwarder = 8.8.8.8
        idmap_ldb:use rfc2307 = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

[netlogon]
        path = /var/lib/samba/sysvol/sambadom.example.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

They are both identical apart from the 'netbios name'.

Checking 'server services' gives this:

root@testdc1:~# samba-tool testparm -v | grep 'server services'
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate, dns

/etc/nsswitch.conf on both machines has these two lines:

passwd: compat winbind
group: compat winbind

If I check what is running:

root@testdc1:~# ps ax | grep '/usr/sbin' | grep "\-D"
 2446 ?        Ss     0:00 /usr/sbin/samba -D
 2637 ?        S      0:00 /usr/sbin/samba -D
 2638 ?        S      0:02 /usr/sbin/samba -D
 2639 ?        Ss     0:00 /usr/sbin/smbd -D --option=server role check:inhibit=yes --foreground
 2640 ?        S      0:00 /usr/sbin/samba -D
 2641 ?        S      0:00 /usr/sbin/samba -D
 2642 ?        S      0:00 /usr/sbin/samba -D
 2643 ?        S      0:00 /usr/sbin/samba -D
 2644 ?        S      0:00 /usr/sbin/samba -D
 2645 ?        S      0:02 /usr/sbin/samba -D
 2646 ?        S      0:00 /usr/sbin/samba -D
 2647 ?        S      0:00 /usr/sbin/samba -D
 2648 ?        S      0:00 /usr/sbin/samba -D
 2649 ?        S      0:00 /usr/sbin/samba -D
 2650 ?        S      0:00 /usr/sbin/samba -D
 2651 ?        Ss     0:00 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 2654 ?        S      0:00 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
 2755 ?        S      0:00 /usr/sbin/winbindd -D --option=server role check:inhibit=yes --foreground

If I check a couple of users, one with a uidNumber & gidNumber, the
other without:

root@testdc1:~# getent passwd user1
user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
root@testdc1:~# getent passwd user2
user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false

Do the same on the other DC:

root@testdc2:~# getent passwd user1
user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false
root@testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
root@testdc2:~# cat /etc/samba/smb.conf

As you can see, the one with the RFC2307 attributes gives the same
result on both machines, the other gives different uidNumbers.

If I now give the second user the required RFC2307 attributes:

root@testdc1:~# samba-tool user nisadd user2 --nis-domain=sambadom --login-shell=/bin/bash --unix-home=/home/user2
User 'user2' updated successfully

Try again:

root@testdc1:~# getent passwd user2
user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
root@testdc1:~# net cache flush
root@testdc1:~# getent passwd user2
user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false

And on the other DC:

root@testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
root@testdc2:~# net cache flush
root@testdc2:~# getent passwd user2
user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false

This way of mapping hasn't changed with the replacement of the
'winbind' built into the samba daemon with the separate 'winbindd'
daemon.

Rowland
On 13/06/15 20:13, Rowland Penny wrote:
> If I check a couple of users

Out of a total of how many?
Thank you Rowland - really clear example and explanation.

From your example, this is what I would see, once the RFC2307
attributes had been added:

root@testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
root@testdc2:~# net cache flush
root@testdc2:~# getent passwd user2
user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
[ ... wait some period of time ... ]
root@testdc2:~# getent passwd user2
user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false

I have now worked around this by not using winbindd at all ('server
services = -winbindd +winbind'), and by using sssd for the local
machine via NSS... but I have a feeling that this may actually be a
bug :-(

On 13 June 2015 at 19:13, Rowland Penny <rowlandpenny at googlemail.com> wrote:

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
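As an added example (not code from this thread or from the Samba project), the following Python check parses 'getent passwd' output captured on each DC, flags users whose uid differs between DCs or comes from the per-DC dynamic range (no RFC2307 uidNumber, the situation Rowland demonstrates with user2), and reports a uid that changes between two snapshots, which is the reverting behaviour described in the message above. The sample captures are constructed to mirror the thread's output, and treating 3000000-3999999 as the idmap.ldb allocation range is an assumption based on the xidNumbers seen in the thread.

```python
# Assumption: Samba's idmap.ldb allocates per-DC xidNumbers from this range when
# an object has no uidNumber/gidNumber; the thread shows 3000015 and 3000016.
DYNAMIC_RANGE = range(3000000, 4000000)


def parse_getent(text):
    """Parse pasted 'getent passwd' output into {user: (uid, gid)}.
    Prompts and other non-passwd lines are skipped, so a raw terminal
    capture can be fed in unchanged."""
    users = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) == 7 and f[2].isdigit() and f[3].isdigit():
            users[f[0]] = (int(f[2]), int(f[3]))
    return users


def audit(snapshot):
    """snapshot maps DC name -> getent output captured on that DC.
    For each user, report the uid per DC, whether every DC agrees, and on
    which DCs the uid is a dynamic one (no RFC2307 uidNumber, so the id is
    local to that DC and will differ elsewhere)."""
    per_dc = {dc: parse_getent(text) for dc, text in snapshot.items()}
    report = {}
    for name in sorted({u for view in per_dc.values() for u in view}):
        uids = {dc: view[name][0] for dc, view in per_dc.items() if name in view}
        report[name] = {
            "uids": uids,
            "consistent": len(uids) == len(per_dc) and len(set(uids.values())) == 1,
            "dynamic_on": sorted(dc for dc, uid in uids.items() if uid in DYNAMIC_RANGE),
        }
    return report


def drift(before, after):
    """Compare two snapshots of the same DCs taken at different times and
    return (user, dc, old_uid, new_uid) for every uid that changed. This is
    the symptom in the thread: correct right after 'net cache flush', then
    back to the old dynamic id some time later."""
    changes = []
    for dc in sorted(set(before) & set(after)):
        old, new = parse_getent(before[dc]), parse_getent(after[dc])
        for name in sorted(set(old) & set(new)):
            if old[name][0] != new[name][0]:
                changes.append((name, dc, old[name][0], new[name][0]))
    return changes


# Constructed samples that mirror the output quoted in the thread (not real captures).
# T0: user1 has uidNumber 10003 in AD; user2 has no RFC2307 attributes yet.
T0 = {
    "testdc1": "root@testdc1:~# getent passwd user1\n"
               "user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false\n"
               "root@testdc1:~# getent passwd user2\n"
               "user2:*:3000016:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false\n",
    "testdc2": "user1:*:10003:10000::/home/SAMBADOM/user1:/bin/false\n"
               "user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false\n",
}
# T1: after 'samba-tool user nisadd user2 ...' and 'net cache flush' on both DCs.
T1 = {dc: t.replace(":3000016:", ":10004:").replace(":3000015:", ":10004:")
      for dc, t in T0.items()}
# T2: some time later testdc2 answers with the old dynamic id again.
T2 = dict(T1, testdc2=T0["testdc2"])

if __name__ == "__main__":
    for name, info in audit(T0).items():
        print(name, info)
    print("drift T1->T2:", drift(T1, T2))
```

On a real pair of DCs, paste each DC's 'getent passwd <user>' output into the snapshot dict and run audit() once, then again after some time, and feed both to drift().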
On 14/06/15 03:20, Jonathan Hunter wrote:
> Thank you Rowland - really clear example and explanation.
>
> From your example, this is what I would see, once the RFC2307
> attributes had been added:
>
> root@testdc2:~# getent passwd user2
> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> root@testdc2:~# net cache flush
> root@testdc2:~# getent passwd user2
> user2:*:10004:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
> [ ... wait some period of time ... ]
> root@testdc2:~# getent passwd user2
> user2:*:3000015:10000:Jane Doe:/home/SAMBADOM/user2:/bin/false
>
> I have now worked around this by not using winbindd at all ('server
> services = -winbindd +winbind'), and by using sssd for the local
> machine via NSS... but I have a feeling that this may actually be a
> bug :-(
>

I was trying to show that you do not need sssd to get consistent IDs,
you just need to use the RFC2307 attributes. In fact you can use one or
the other, you just shouldn't use both. sssd, as you have found, uses a
long number to identify a domain object when in 'rid' mode, unlike
samba that uses 'DOMAIN\IDNUMBER'; it shouldn't matter which you use as
long as you stick to just one.

Samba tries to discourage the use of a DC as a fileserver, one of the
reasons being the problems you are having; you would not have these
problems if you added a member server and used this for serving files.
I also understand that this is easier said than done, in which case you
will have to work around any problems as and when they occur.

It would seem that something is re-writing your winbind cache and this
could be hard to track down. The first thing I would do is to turn off
selinux, just in case this is the problem, though this usually
manifests itself in not being allowed to do something, rather than
doing something. I would then investigate if replication is working
correctly, i.e. is AD the same on both DCs (you can use ldapcmp to do
this).

You should be aware that unless your users log into a DC, it doesn't
really matter what ID number they have on that DC.

Rowland