Hello!
I have 2 Samba 4 servers (4.3.3) as VC and another Samba 4 (4.3) as fileserver. Until now all is OK, but I have one doubt: how do I validate that on both servers the domain IDs of the users are identical? Is there a simple way to do this validation?
I wanted to make sure that if a DC dies, the fileserver has to go 100%.
Thank you
You can try to do it with the Unix tab in RSAT on the master DC (as I did). Both DCs have the same IDs.
On your member servers this will be mapped by winbind(d).
Example:

[root@s4master ~]# id tester
uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)

[root@s4slave ~]# id tester
uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)

winbind(d) mapping the same ids on 2 member servers:

[root@centclust1 ~]# id tester
uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),1643(terminalserver user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)

[root@centclust2 ~]# id tester
uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640(schreiben),1643(terminalserver user),1620(direktionv),100001(BUILTIN\users)

EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Email: mueller at tropenklinik.de
Internet: www.tropenklinik.de

-----Original Message-----
From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
Sent: Friday, 29 January 2016 00:43
To: samba at lists.samba.org
Subject: [Samba] Validate Ids Multiple DC

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
If you add the "not" supported winbind options from the member also to the DCs, then you will have the same resulting uid on all servers.

Officially not supported, but works now for more than a year here.
( sernet samba 4.2.7 on debian wheezy )

This is my addition to the smb.conf on the DC.

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config NTDOMAIN : backend = ad
idmap config NTDOMAIN : schema_mode = rfc2307
idmap config NTDOMAIN : range = 10000-3999999

# Use home directory and shell information from AD
winbind nss info = rfc2307

winbind trusted domains only = no
winbind use default domain = yes
winbind expand groups = 4

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller
> Sent: Friday, 29 January 2016 9:21
> To: 'Carlos A. P. Cunha'; samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
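Added example (not part of the original thread): a Python check for the rule stated in the config comments above, that the idmap ranges may not overlap. It parses the `idmap config ... : range` lines as posted; the `OVERLAPPING` variant and all function names are constructed for illustration.

```python
import re
from itertools import combinations

# idmap lines as posted in the thread (NTDOMAIN is the poster's placeholder).
POSTED = """\
idmap config * : backend = tdb
idmap config * : range = 2000-9999
idmap config NTDOMAIN : backend = ad
idmap config NTDOMAIN : schema_mode = rfc2307
idmap config NTDOMAIN : range = 10000-3999999
"""
# Constructed counter-example: the default range runs into the domain range.
OVERLAPPING = POSTED.replace("2000-9999", "2000-19999")

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)
        if not m:
            continue  # other parameters, comments, blank lines
        low, high = int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
        ranges[m.group(1)] = (low, high)
    return ranges

def overlapping(ranges):
    """Return every pair of domains whose ID ranges share at least one ID."""
    return [(a, b) for (a, ra), (b, rb) in combinations(ranges.items(), 2)
            if ra[0] <= rb[1] and rb[0] <= ra[1]]

def owner_of(ranges, unix_id):
    """Name the idmap domain(s) whose range contains unix_id ([] = unmapped)."""
    return [d for d, (low, high) in ranges.items() if low <= unix_id <= high]

if __name__ == "__main__":
    good = idmap_ranges(POSTED)
    print(good, overlapping(good))
    print(overlapping(idmap_ranges(OVERLAPPING)))
    print(owner_of(good, 10002), owner_of(good, 1606))
```

An ID that `owner_of` reports in two domains, or in none, is one whose file ownership can resolve differently from server to server.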
On 29/01/16 08:59, L.P.H. van Belle wrote:
> If you add the "not" supported winbind options from the member also to the DCs, then you will have the same resulting uid on all servers.

Hi Louis, you keep saying adding the domain member lines to a DC works for you, so I thought it was time I tried them again.

This is before adding the lines:

root@testdc1:~# getent passwd rowland
HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false

Now add the lines to smb.conf:

## map id's outside to domain to tdb files.
idmap config * : backend = tdb
idmap config * : range = 2000-9999
## map ids from the domain and (*) the range may not overlap !
idmap config HOME : backend = ad
idmap config HOME : schema_mode = rfc2307
idmap config HOME : range = 10000-3999999

# Use home directory and shell information from AD
winbind nss info = rfc2307

winbind trusted domains only = no
winbind use default domain = yes
winbind expand groups = 4

Ran 'net cache flush' and then 'service samba-ad-dc restart'

Checked again:

root@testdc1:~# getent passwd rowland
HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false

Absolutely no difference, this is with Samba 4.3.3

Rowland
Hi Rowland.

What you tried is OK, or I'm misunderstanding you.

For me:
All members give me.

getent passwd myuser
myuser:*:10002:10000::/home/users/myuser:/bin/bash

id myuser
uid=10002(myuser) gid=10000(domain users)

The member servers are either sernet samba 4.2.7 or debian samba 4.1.17

and on the DCs. ( only sernet samba 4.2.7 )

getent passwd myuser
myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash

id myuser
uid=10002(myuser) gid=10000(domain users)

Forgot to mention 1 restriction.
In the DCs I also have

template shell = /bin/bash
template homedir = /home/users/%U

The restriction is that you must use the above shell and homedirs for all your users, and they must be the same in the AD Unix tab.
The GECOS is different, but who uses that..

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday, 29 January 2016 12:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
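The check asked for at the top of the thread, as an added example (not part of the original messages): a Python comparison of captured `getent passwd` lines from several hosts that reports users whose uid or gid differ, ignoring GECOS and any DOMAIN\ prefix. The host names dc1, dc2 and member1 are hypothetical, and the sample lines are constructed from values quoted in the thread.

```python
from collections import defaultdict

# Constructed sample: host -> `getent passwd` lines, modelled on thread output.
SAMPLE = {
    "dc1": ["HOME\\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false",
            "HOME\\tester:*:90000:100::/home/HOME/tester:/bin/false"],
    "dc2": ["HOME\\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false",
            "HOME\\tester:*:90000:100::/home/HOME/tester:/bin/false"],
    "member1": ["rowland:*:10000:10000::/home/HOME/rowland:/bin/false",
                "tester:*:1606:1013::/home/tester:/bin/bash"],
}

def parse_passwd(line):
    """Split one passwd line; drop a leading DOMAIN prefix so names compare equal."""
    name, _pw, uid, gid, _gecos, home, shell = line.strip().split(":")
    user = name.split("\\")[-1].lower()
    return user, {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}

def find_mismatches(outputs, fields=("uid", "gid")):
    """Return {user: problems} for users missing on a host or differing in fields."""
    seen = defaultdict(dict)  # user -> host -> parsed record
    for host, lines in outputs.items():
        for line in lines:
            if line.strip():
                user, record = parse_passwd(line)
                seen[user][host] = record
    report = {}
    for user, per_host in seen.items():
        problems = {}
        missing = sorted(set(outputs) - set(per_host))
        if missing:
            problems["missing_on"] = missing
        for field in fields:
            values = {host: rec[field] for host, rec in per_host.items()}
            if len(set(values.values())) > 1:
                problems[field] = values  # same user, different value per host
        if problems:
            report[user] = problems
    return report

if __name__ == "__main__":
    for user, problems in find_mismatches(SAMPLE).items():
        print(user, problems)
```

Passing `fields=("uid", "gid", "home", "shell")` extends the comparison to the home directory and shell values discussed in the last message.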