Hai Rowland.

What you tried is OK, or I'm misunderstanding you.

For me:
All members give me:

    getent passwd myuser
    myuser:*:10002:10000::/home/users/myuser:/bin/bash

    id myuser
    uid=10002(myuser) gid=10000(domain users)

The member servers are either Sernet Samba 4.2.7 or Debian Samba 4.1.17,

and on the DCs (only Sernet Samba 4.2.7):

    getent passwd myuser
    myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash

    id myuser
    uid=10002(myuser) gid=10000(domain users)

Forgot to mention 1 restriction.

In the DCs I also have:

    template shell = /bin/bash
    template homedir = /home/users/%U

The restriction is that you must use the above shell and homedirs for all your users, and they must be the same in the AD Unix tab.

The GECOS is different, but who uses that..

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 29 January 2016 12:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> On 29/01/16 08:59, L.P.H. van Belle wrote:
> > If you add the "not" supported winbind options from the member also to the DCs, then you will have the same resulting uid on all servers.
> >
> > Officially not supported, but works now for more than a year here.
> > ( sernet samba 4.2.7 on debian wheezy )
> >
> > This is my addition to the smb.conf on the DC.
> > ## map id's outside to domain to tdb files.
> > idmap config * : backend = tdb
> > idmap config * : range = 2000-9999
> > ## map ids from the domain and (*) the range may not overlap !
> > idmap config NTDOMAIN : backend = ad
> > idmap config NTDOMAIN : schema_mode = rfc2307
> > idmap config NTDOMAIN : range = 10000-3999999
> >
> > # Use home directory and shell information from AD
> > winbind nss info = rfc2307
> >
> > winbind trusted domains only = no
> > winbind use default domain = yes
> > winbind expand groups = 4
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller
> >> Sent: Friday 29 January 2016 9:21
> >> To: 'Carlos A. P. Cunha'; samba at lists.samba.org
> >> Subject: Re: [Samba] Validate Ids Multiple DC
> >>
> >> You can try to do it with the unix tab in rsat on the master dc (as I did). Both DCs have the same ids.
> >> On your memberservers this will be mapped by winbind(d)
> >> EX:
> >>
> >> [root@s4master ~]# id tester
> >> uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>
> >> [root@s4slave ~]# id tester
> >> uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>
> >> winbind(d) mapping the same ids on 2 memberservers:
> >> [root@centclust1 ~]# id tester
> >> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),1643(terminalserver user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)
> >>
> >> [root@centclust2 ~]# id tester
> >> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640(schreiben),1643(terminalserver user),1620(direktionv),100001(BUILTIN\users)
> >>
> >> EDV Daniel Müller
> >>
> >> Head of IT
> >> Tropenklinik Paul-Lechler-Krankenhaus
> >> Paul-Lechler-Str. 24
> >> 72076 Tübingen
> >> Tel.: 07071/206-463, Fax: 07071/206-499
> >> eMail: mueller at tropenklinik.de
> >> Internet: www.tropenklinik.de
> >>
> >> -----Original message-----
> >> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> >> Sent: Friday, 29 January 2016 00:43
> >> To: samba at lists.samba.org
> >> Subject: [Samba] Validate Ids Multiple DC
> >>
> >> Hello!
> >> I have 2 Samba 4 servers (4.3.3) as VC and another Samba 4 (4.3) as file server. Until now all is OK, but I have one doubt: how do I validate that the domain IDs of the users are identical on both servers? Is there a simple way to do this validation?
> >> I want to make sure that if a DC dies the file server still goes 100%.
> >> Thank you
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
>
> Hi Louis, you keep saying adding the domain member lines to a DC works for you, so I thought it was time I tried them again.
>
> This is before adding the lines:
>
> root@testdc1:~# getent passwd rowland
> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
>
> Now add the lines to smb.conf:
>
> ## map id's outside to domain to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> ## map ids from the domain and (*) the range may not overlap !
> idmap config HOME : backend = ad
> idmap config HOME : schema_mode = rfc2307
> idmap config HOME : range = 10000-3999999
>
> # Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind expand groups = 4
>
> Ran 'net cache flush' and then 'service samba-ad-dc restart'
>
> Checked again:
>
> root@testdc1:~# getent passwd rowland
> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
>
> Absolutely no difference, this is with Samba 4.3.3
>
> Rowland

On 29/01/16 12:07, L.P.H. van Belle wrote:
> Hai Rowland.
>
> What you tried is OK, or I'm misunderstanding you.
>
> For me:
> All members give me:
> getent passwd myuser
> myuser:*:10002:10000::/home/users/myuser:/bin/bash
>
> id myuser
> uid=10002(myuser) gid=10000(domain users)
>
> The member servers are either Sernet Samba 4.2.7 or Debian Samba 4.1.17,
>
> and on the DCs (only Sernet Samba 4.2.7):
>
> getent passwd myuser
> myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash
>
> id myuser
> uid=10002(myuser) gid=10000(domain users)
>
> Forgot to mention 1 restriction.
>
> In the DCs I also have:
> template shell = /bin/bash
> template homedir = /home/users/%U
>
> The restriction is that you must use the above shell and homedirs for all your users, and they must be the same in the AD Unix tab.
>
> The GECOS is different, but who uses that..
>
> Greetz,
>
> Louis

OK, I get virtually the same replies as you, except for 'getent passwd rowland' I get:

    HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false

I do not have the template lines in smb.conf.

As you can see I get 'DOMAIN\username' instead of just username; the only rfc2307 attributes I get from AD are the user's uidNumber and the user's primary group gidNumber.

Are you sure that winbind on a DC uses the default domain?

Rowland

Hello Carlos.

First, please post to the list; this way everybody can help.

The ids like 3000036 are, I think, from a Samba DC with RID setup.
If you want to log in also on the DC with, for example, SSH,

add also the template lines.

Fix the idmap:

    net getdomainsid
    net idmap delete ranges YOURDOMAIN_SID

Restart the DC.

And check again.

Greetz,

Louis

> -----Original message-----
> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> Sent: Friday 29 January 2016 15:14
> To: L.P.H. van Belle
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> Hello!
> Thank you for the answers.
>
> My smb.conf is now OK on both DCs, but they are still giving different IDs:
>
> smb.conf
>
> # Global parameters
> [global]
> workgroup = SERVERAD
> realm = mydomain
> netbios name = DC-LINUX1(e DC-LINUX2)
> server role = active directory domain controller
> passdb backend = samba_dsdb
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
> idmap_ldb:use rfc2307 = yes
> kerberos method = system keytab
> client ldap sasl wrapping = sign
> allow dns updates = nonsecure and secure
> nsupdate command = /usr/bin/nsupdate -g
>
> ## map id's outside to domain to tdb files.
> idmap config * : backend = tdb
> idmap config * : range = 2000-9999
> ### map ids from the domain and (*) the range may not overlap !
> idmap config SERVERAD : backend = ad
> idmap config SERVERAD : schema_mode = rfc2307
> idmap config SERVERAD : range = 10000-3999999
>
> ## Use home directory and shell information from AD
> winbind nss info = rfc2307
>
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind expand groups = 4
>
> # Disable Cups
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> DC-LINUX1
>
> id userproxy01
> uid=3000370(SERVERAD\userproxy01) gid=100(users) grupos=100(users),3000370(SERVERAD\userproxy01),3000001(BUILTIN\users)
>
> getent passwd userproxy01
> SERVERAD\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
>
> DC-LINUX2
>
> id userproxy01
> uid=3000036(SERVERAD\userproxy01) gid=100(users) grupos=100(users),3000036(SERVERAD\userproxy01),3000001(BUILTIN\users)
>
> getent passwd userproxy01
> SERVERAD\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
>
> Thanks.
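
The cross-server check asked for in this thread, as an added example (not code from any poster or from the Samba project): it takes `getent passwd` output collected from each host, normalises `DOMAIN\user` names, and separates uid/gid mismatches, which change file ownership, from GECOS/home/shell differences. The host name `fileserver` and the sample input are constructed, reusing values quoted in the messages above.

```python
"""Compare passwd entries collected from several Samba hosts (added example)."""
from typing import NamedTuple


class Entry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Fields whose divergence changes file ownership and access decisions.
CRITICAL = ("uid", "gid")
# Fields that only affect the login environment or display.
COSMETIC = ("gecos", "home", "shell")

# Constructed sample: `getent passwd <user>` output captured per host.
# userproxy01 mirrors the two DC outputs quoted above; myuser mirrors the
# DC and member outputs quoted earlier in the thread.
SAMPLE = {
    "DC-LINUX1": r"""
SERVERAD\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash
""",
    "DC-LINUX2": r"""
SERVERAD\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash
""",
    "fileserver": r"""
myuser:*:10002:10000::/home/users/myuser:/bin/bash
""",
}


def normalize(name):
    """Drop a leading DOMAIN\\ prefix so 'HOME\\rowland' and 'rowland' match."""
    return name.rsplit("\\", 1)[-1].lower()


def parse_passwd(text):
    """Parse passwd-format lines into {normalized_name: Entry}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            raise ValueError(f"not a passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = parts
        entries[normalize(name)] = Entry(name, int(uid), int(gid), gecos, home, shell)
    return entries


def compare_hosts(outputs):
    """Return findings for every user whose entry is not identical on all hosts.

    Result: {user: {"critical": {field: {host: value}},
                    "cosmetic": {field: {host: value}},
                    "missing": [hosts without the user]}}
    """
    parsed = {host: parse_passwd(text) for host, text in outputs.items()}
    users = set().union(*(p.keys() for p in parsed.values()))
    report = {}
    for user in sorted(users):
        present = {h: p[user] for h, p in parsed.items() if user in p}
        finding = {
            "critical": {},
            "cosmetic": {},
            "missing": sorted(h for h in parsed if h not in present),
        }
        for severity, fields in (("critical", CRITICAL), ("cosmetic", COSMETIC)):
            for field in fields:
                values = {h: getattr(e, field) for h, e in present.items()}
                if len(set(values.values())) > 1:
                    finding[severity][field] = values
        if finding["critical"] or finding["cosmetic"] or finding["missing"]:
            report[user] = finding
    return report


def critical_mismatches(report):
    """Users whose uid or gid differs between hosts."""
    return sorted(user for user, f in report.items() if f["critical"])


if __name__ == "__main__":
    result = compare_hosts(SAMPLE)
    for user, finding in result.items():
        print(user, finding)
    print("uid/gid mismatch:", critical_mismatches(result))
```

To use it on real data, run `getent passwd <user>` on each server and store the output under that server's name in the dictionary passed to `compare_hosts`.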

Yes, I'm sure..

Check:

    dc1:~# samba-tool testparm -v | grep winbind

    winbind separator = \
    winbind cache time = 300
    winbind reconnect delay = 30
    winbind request timeout = 60
    winbind max clients = 200
    winbind enum users = No
    winbind enum groups = No
    winbind use default domain = Yes <====
    winbind trusted domains only = No
    winbind nested groups = Yes
    winbind expand groups = 4
    winbind nss info = rfc2307
    winbind refresh tickets = No
    winbind offline logon = No
    winbind normalize names = No
    winbind rpc only = No
    winbind max domain connections = 1
    winbindd socket directory = /var/run/samba/winbindd
    winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
    winbind sealed pipes = Yes
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate

If you want a copy of my complete config, let me know.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 29 January 2016 16:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> OK, I get virtually the same replies as you, except for 'getent passwd rowland' I get:
>
> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
>
> I do not have the template lines in smb.conf.
>
> As you can see I get 'DOMAIN\username' instead of just username; the only rfc2307 attributes I get from AD are the user's uidNumber and the user's primary group gidNumber.
>
> Are you sure that winbind on a DC uses the default domain?
>
> Rowland

On 29/01/16 15:15, L.P.H. van Belle wrote:
> Yes, I'm sure..
>
> Check:
>
> dc1:~# samba-tool testparm -v | grep winbind
>
> winbind separator = \
> winbind cache time = 300
> winbind reconnect delay = 30
> winbind request timeout = 60
> winbind max clients = 200
> winbind enum users = No
> winbind enum groups = No
> winbind use default domain = Yes <====
> winbind trusted domains only = No
> winbind nested groups = Yes
> winbind expand groups = 4
> winbind nss info = rfc2307
> winbind refresh tickets = No
> winbind offline logon = No
> winbind normalize names = No
> winbind rpc only = No
> winbind max domain connections = 1
> winbindd socket directory = /var/run/samba/winbindd
> winbindd privileged socket directory = /var/lib/samba/winbindd_privileged
> winbind sealed pipes = Yes
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>
> If you want a copy of my complete config, let me know.

OK, I believe you, I wonder why it has never worked for me?

Rowland

At first no, but I find it strange there are different ids...
Please, if you can, having your smb.conf would help.

On 29-01-2016 13:10, L.P.H. van Belle wrote:
> Hello Carlos.
>
> First, please post to the list; this way everybody can help.
>
> The ids like 3000036 are, I think, from a Samba DC with RID setup.
> If you want to log in also on the DC with, for example, SSH,
>
> add also the template lines.
>
> Fix the idmap:
>
> net getdomainsid
> net idmap delete ranges YOURDOMAIN_SID
>
> Restart the DC.
>
> And check again.
>
> Greetz,
>
> Louis

Lol... I don't know.. and I did learn most from you :-P

And you have reset the idmap?

Greetz, .. hihi...

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Friday 29 January 2016 16:22
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> OK, I believe you, I wonder why it has never worked for me?
>
> Rowland
Here you go. My setup.

DC's Debian Wheezy, Sernet Samba 4.2.7.

Members: all Debian Jessie:
Print server : sernet samba 4.2.7
Proxy server : Debian Samba 4.1.17
File servers : Debian samba 4.1.17

DC Sample.

cat /etc/samba/smb.conf

# Global parameters
[global]
    workgroup = NTDOMAIN
    realm = INTERNAL.DOMAIN.TLD
    netbios name = DC1
    server role = active directory domain controller
    server services = -dns
    idmap_ldb:use rfc2307 = yes
    ## Don't forget to set the idmap_ldb on ALL DC's if you use it

    interfaces = 127.0.0.1 192.168.0.1
    bind interfaces only = yes
    time server = yes
    wins support = yes

    ## KEEP THIS OFF !! Only used for modify-ing the AD Schema
    ## ONLY DONE ONCE ON THE DC WITH THE FSMO Roles
    ## NEEDED FOR ZARAFA SCHEMA UPDATES
    dsdb:schema update allowed = no

    ## map id's outside to domain to tdb files.
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    ## map ids from the domain and (*) the range may not overlap !
    idmap config NTDOMAIN : backend = ad
    idmap config NTDOMAIN : schema_mode = rfc2307
    idmap config NTDOMAIN : range = 10000-3999999

    # Use home directory and shell information from AD
    winbind nss info = rfc2307

    winbind trusted domains only = no
    winbind use default domain = yes
    winbind expand groups = 4

    template shell = /bin/bash
    template homedir = /home/users/%U

    # disable printing completely, no cups errors anymore in your logs.
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

## acl_xattr:ignore system acls = yes,
## is used for all "windows ONLY" shares. OR any kerberos authenticated .
[sysvol]
    path = /home/samba/sysvol
    read only = No
    acl_xattr:ignore system acls = yes

[netlogon]
    path = /home/samba/sysvol/rotterdam.bazuin.nl/scripts
    read only = No
    acl_xattr:ignore system acls = yes

My MOST important member server smb.conf

FILE SERVER Sample.

[global]
    workgroup = NTDOMAIN
    security = ADS
    realm = INTERNAL.DOMAIN.TLD
    netbios name = MEMBER1

    # set master browser for the network.
    # preferred + domain master = guarantee master browser ( man smb.conf )
    preferred master = yes
    domain master = yes
    host msdfs = no

    dedicated keytab file = /etc/krb5.keytab
    kerberos method = secrets and keytab
    client signing = if_required

    ## map id's outside to domain to tdb files.
    idmap config *:backend = tdb
    idmap config *:range = 2000-9999
    ## map ids from the domain the range may not overlap !
    idmap config NTDOMAIN: backend = ad
    idmap config NTDOMAIN: schema_mode = rfc2307
    idmap config NTDOMAIN: range = 10000-3999999

    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind expand groups = 4

    wins server = 192.168.0.1, 192.168.0.2

    # disable printing completely
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes

    # disable usershares creating, again defined because i don't use it and
    # this way you don't have log messages about usershares.
    usershare path =

    ##### only here so we remember how to setup this MUST be the same in the
    ##### AD and must also exist in the DC's IF you want the login ability
    ##### with AD users.
    # template shell = /bin/bash
    # template homedir = /home/users/%ACCOUNTNAME%

    # user Administrator workaround, without it you are unable to set
    # privileges, and you get connect errors to shares as administrator.
    username map = /etc/samba/samba_usermapping

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

    # Share Setting Globally
    veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
    hide unreadable = yes

[profiles]
    browseable = yes
    path = /home/samba/profiles
    read only = no
    acl_xattr:ignore system acls = yes

[users]
    browseable = yes
    path = /home/samba/users
    read only = no
    acl_xattr:ignore system acls = yes

[public]
    # use for package distribution GPO things etc.
    browseable = yes
    path = /home/samba/public
    read only = no

---------------------

Proxy server sample, well see the FILE server sample, without shares.

Print server sample see File server sample, remove these shares and add :

    ## Enabling spoolssd
    rpc_server:spoolss = external
    rpc_daemon:spoolssd = fork
    # Minimum number of child processes
    spoolssd:prefork_min_children = 5
    # Maximum number of child processes
    spoolssd:prefork_max_children = 25
    # Start (fork) x new childs if one connection comes in (up to prefork_max_children)
    spoolssd:prefork_spawn_rate = 5
    # Number of clients, a child process should be responsible for
    spoolssd:prefork_max_allowed_clients = 100
    # Minimum lifetime of a child process (60 seconds
    # is the minimum, even a lower value has been configured)
    spoolssd:prefork_child_min_life = 60

## Cups auth problems : adduser USERNAME lpadmin
[printers]
    comment = All Printers
    path = /home/samba/printing/spool
    browseable = no
    printable = yes
    printing = CUPS
    acl_xattr:ignore system acls = yes

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
    comment = Printer Drivers
    # path = /var/lib/samba/printers
    path = /home/samba/printing/drivers
    browseable = yes
    read only = yes
    guest ok = no
    # Uncomment to allow remote administration of Windows print drivers.
    # You may need to replace 'lpadmin' with the name of the group your
    # admin users are members of.
    # Please note that you also need to set appropriate Unix permissions
    # to the drivers directory for these users to have write rights in it
    write list = root, @"Domain Admins"
    acl_xattr:ignore system acls = yes

I'm out of the office in 10 min, so question, ask in the list.
Monday I'm back here.

Greetz and have a nice weekend everybody..

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Carlos A.
> P. Cunha
> Sent: Friday 29 January 2016 16:27
> To: samba at lists.samba.org
> Subject: Re: [Samba] Validate Ids Multiple DC
>
> At first no, but I find it strange there different ids...
>
> Please if you can have your smb.conf would help.
>
> On 29-01-2016 13:10, L.P.H. van Belle wrote:
> > Hello Carlos.
> >
> > First please post to the list, this way everybody can help.
> >
> > The ids like : 3000036 are i think from a samba DC with RID setup.
> > If you want to login also on the DC with for example SSH.
> >
> > Add also the template lines.
> >
> > Fix the idmap.
> >
> > net getdomainsid
> > net idmap delete ranges YOURDOMAIN_SID
> >
> > restart the DC.
> >
> > And check again.
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> >> Sent: Friday 29 January 2016 15:14
> >> To: L.P.H. van Belle
> >> Subject: Re: [Samba] Validate Ids Multiple DC
> >>
> >> Hello!
> >> Thanks for the answers.
> >>
> >> My smb.conf now this well in both DC, but is still giving different IDs:
> >>
> >> smb.conf
> >>
> >> # Global parameters
> >> [global]
> >>     workgroup = SERVERAD
> >>     realm = mydomain
> >>     netbios name = DC-LINUX1(e DC-LINUX2)
> >>     server role = active directory domain controller
> >>     passdb backend = samba_dsdb
> >>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>
> >>     map archive = No
> >>     map readonly = no
> >>     store dos attributes = Yes
> >>     vfs objects = dfs_samba4 acl_xattr
> >>     idmap_ldb:use rfc2307 = yes
> >>     kerberos method = system keytab
> >>     client ldap sasl wrapping = sign
> >>     allow dns updates = nonsecure and secure
> >>     nsupdate command = /usr/bin/nsupdate -g
> >>
> >>     ## map id's outside to domain to tdb files.
> >>     idmap config * : backend = tdb
> >>     idmap config * : range = 2000-9999
> >>     ### map ids from the domain and (*) the range may not overlap !
> >>     idmap config SERVERAD : backend = ad
> >>     idmap config SERVERAD : schema_mode = rfc2307
> >>     idmap config SERVERAD : range = 10000-3999999
> >>
> >>     ## Use home directory and shell information from AD
> >>     winbind nss info = rfc2307
> >>
> >>     winbind trusted domains only = no
> >>     winbind use default domain = yes
> >>     winbind expand groups = 4
> >>
> >>     # Disable Cups
> >>     load printers = no
> >>     printing = bsd
> >>     printcap name = /dev/null
> >>     disable spoolss = yes
> >>
> >> DC-LINUX1
> >>
> >> id userproxy01
> >> uid=3000370(SERVERAD\userproxy01) gid=100(users) grupos=100(users),3000370(SERVERAD\userproxy01),3000001(BUILTIN\users)
> >>
> >> getent passwd userproxy01
> >> SERVERAD\userproxy01:*:3000370:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
> >>
> >> DC-LINUX2
> >>
> >> id userproxy01
> >> uid=3000036(SERVERAD\userproxy01) gid=100(users) grupos=100(users),3000036(SERVERAD\userproxy01),3000001(BUILTIN\users)
> >>
> >> getent passwd userproxy01
> >> SERVERAD\userproxy01:*:3000036:100:userproxy01:/home/SERVERAD/userproxy01:/bin/false
> >>
> >> Thanks.
> >>
> >> On 29-01-2016 10:07, L.P.H. van Belle wrote:
> >>> Hai Rowland.
> >>>
> >>> What you tried is ok, or im misunderstanding you.
> >>>
> >>> For me :
> >>> All members give me.
> >>> getent passwd myuser
> >>> myuser:*:10002:10000::/home/users/myuser:/bin/bash
> >>>
> >>> id myuser
> >>> uid=10002(myuser) gid=10000(domain users)
> >>>
> >>> the memberservers are or sernet samba 4.2.7 or debian samba 4.1.17
> >>>
> >>> and on the DCs. ( only sernet samba 4.2.7 )
> >>>
> >>> getent passwd myuser
> >>> myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash
> >>>
> >>> id myuser
> >>> uid=10002(myuser) gid=10000(domain users)
> >>>
> >>> forgot to mention 1 restriction.
> >>>
> >>> In the DC's i also have
> >>> template shell = /bin/bash
> >>> template homedir = /home/users/%U
> >>>
> >>> The restriction is that you must use above shell and homedirs for all you users and must be the same in the AD unix tab.
> >>> The GECOS is different, but who uses that..
> >>>
> >>> Greetz,
> >>>
> >>> Louis
> >>>
> >>>> -----Original message-----
> >>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> >>>> Sent: Friday 29 January 2016 12:42
> >>>> To: samba at lists.samba.org
> >>>> Subject: Re: [Samba] Validate Ids Multiple DC
> >>>>
> >>>> On 29/01/16 08:59, L.P.H. van Belle wrote:
> >>>>> If you add the "not" supported winbind options from the member also to the DCs, then you will have the same resulting uid on all servers.
> >>>>> Official not supported, but works now for more then a year here.
> >>>>> ( sernet samba 4.2.7 on debian wheezy )
> >>>>>
> >>>>> This is my addition to the smb.conf on the DC.
> >>>>>     ## map id's outside to domain to tdb files.
> >>>>>     idmap config * : backend = tdb
> >>>>>     idmap config * : range = 2000-9999
> >>>>>     ## map ids from the domain and (*) the range may not overlap !
> >>>>>     idmap config NTDOMAIN : backend = ad
> >>>>>     idmap config NTDOMAIN : schema_mode = rfc2307
> >>>>>     idmap config NTDOMAIN : range = 10000-3999999
> >>>>>
> >>>>>     # Use home directory and shell information from AD
> >>>>>     winbind nss info = rfc2307
> >>>>>
> >>>>>     winbind trusted domains only = no
> >>>>>     winbind use default domain = yes
> >>>>>     winbind expand groups = 4
> >>>>>
> >>>>> Greetz,
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>> -----Original message-----
> >>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mueller
> >>>>>> Sent: Friday 29 January 2016 9:21
> >>>>>> To: 'Carlos A. P. Cunha'; samba at lists.samba.org
> >>>>>> Subject: Re: [Samba] Validate Ids Multiple DC
> >>>>>>
> >>>>>> You can try to do it with the unix tab in rsat on the master dc (as I did) . Both DCs have the same ids.
> >>>>>> On your memberservers this will be mapped by winbind(d)
> >>>>>> EX:
> >>>>>>
> >>>>>> [root@s4master ~]# id tester
> >>>>>> uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>>>>>
> >>>>>> [root@s4slave ~]# id tester
> >>>>>> uid=90000(TPLK\tester) gid=100(users) Gruppen=100(users),3000051(TPLK\TerminalServer User),3000027(TPLK\Dienstplan),3000028(TPLK\Direktionv),3000048(TPLK\Schreiben),3000045(TPLK\pflege),3000038(TPLK\orbis),3000023(TPLK\agfa),3000033(TPLK\HS3)
> >>>>>>
> >>>>>> winbind(d) mapping the same ids on 2 memberservers:
> >>>>>> [root@centclust1 ~]# id tester
> >>>>>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1619(dienstplan),1625(hs3),1640(schreiben),1615(agfa),1637(pflege),1643(terminalserver user),1630(orbis),1620(direktionv),4000001(BUILTIN\users)
> >>>>>>
> >>>>>> [root@centclust2 ~]# id tester
> >>>>>> uid=1606(tester) gid=1013(domain users) Gruppen=1013(domain users),1615(agfa),1619(dienstplan),1625(hs3),1630(orbis),1637(pflege),1640(schreiben),1643(terminalserver user),1620(direktionv),100001(BUILTIN\users)
> >>>>>>
> >>>>>> EDV Daniel Müller
> >>>>>>
> >>>>>> Leitung EDV
> >>>>>> Tropenklinik Paul-Lechler-Krankenhaus
> >>>>>> Paul-Lechler-Str. 24
> >>>>>> 72076 Tübingen
> >>>>>> Tel.: 07071/206-463, Fax: 07071/206-499
> >>>>>> eMail: mueller at tropenklinik.de
> >>>>>> Internet: www.tropenklinik.de
> >>>>>>
> >>>>>> -----Original message-----
> >>>>>> From: Carlos A. P. Cunha [mailto:carlos.hollow at gmail.com]
> >>>>>> Sent: Friday, 29 January 2016 00:43
> >>>>>> To: samba at lists.samba.org
> >>>>>> Subject: [Samba] Validate Ids Multiple DC
> >>>>>>
> >>>>>> Hello!
> >>>>>> I have 2 Samba 4 server (4.3.3) as VC and other Samba 4 (4.3) as Fileserver, until now all ok, but I'm one doubts, how to validate that in both servers the domain IDs of the users of this identical, a simple way to do this validation?
> >>>>>> I wanted to make sure it is a DC die fileserver has to go 100%.
> >>>>>> thank you
> >>>>>>
> >>>> Hi Louis, you keep saying adding the domain member lines to a DC works
> >>>> for you, so I thought it was time I tried them again.
> >>>>
> >>>> This is before adding the lines:
> >>>>
> >>>> root@testdc1:~# getent passwd rowland
> >>>> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
> >>>>
> >>>> Now add the lines to smb.conf:
> >>>>
> >>>>     ## map id's outside to domain to tdb files.
> >>>>     idmap config * : backend = tdb
> >>>>     idmap config * : range = 2000-9999
> >>>>     ## map ids from the domain and (*) the range may not overlap !
> >>>>     idmap config HOME : backend = ad
> >>>>     idmap config HOME : schema_mode = rfc2307
> >>>>     idmap config HOME : range = 10000-3999999
> >>>>
> >>>>     # Use home directory and shell information from AD
> >>>>     winbind nss info = rfc2307
> >>>>
> >>>>     winbind trusted domains only = no
> >>>>     winbind use default domain = yes
> >>>>     winbind expand groups = 4
> >>>>
> >>>> Ran 'net cache flush' and then 'service samba-ad-dc restart'
> >>>>
> >>>> Checked again:
> >>>>
> >>>> root@testdc1:~# getent passwd rowland
> >>>> HOME\rowland:*:10000:10000:Rowland Penny:/home/HOME/rowland:/bin/false
> >>>>
> >>>> Absolutely no difference, this is with Samba 4.3.3
> >>>>
> >>>> Rowland
> >>>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
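
Added example, not part of any post in this thread: one way to do the validation the original question asks for is to collect 'getent passwd' output on every DC and member and compare it per user. The function names, the host labels DC1/MEMBER1 and the sample lines (constructed from the getent output quoted in the thread) are assumptions of this example.

```python
from collections import defaultdict

# Fields that must match on every host. GECOS is left out on purpose:
# the thread notes it differs between DCs and members.
CHECKED = ("uid", "gid", "home", "shell")

# Constructed sample input, built from the getent lines quoted in the thread.
RANGE = (10000, 3999999)  # "idmap config <DOMAIN> : range" in the posted smb.conf
CARLOS = {  # same user on two DCs, different uid
    "DC-LINUX1": [r"SERVERAD\userproxy01:*:3000370:100:userproxy01:"
                  r"/home/SERVERAD/userproxy01:/bin/false"],
    "DC-LINUX2": [r"SERVERAD\userproxy01:*:3000036:100:userproxy01:"
                  r"/home/SERVERAD/userproxy01:/bin/false"],
}
LOUIS = {  # DC and member agree; only GECOS differs
    "DC1": ["myuser:*:10002:10000:L.P.H. van Belle:/home/users/myuser:/bin/bash"],
    "MEMBER1": ["myuser:*:10002:10000::/home/users/myuser:/bin/bash"],
}


def parse_getent(line):
    """Split one `getent passwd` line; drop a leading DOMAIN\\ prefix."""
    name, _pw, uid, gid, gecos, home, shell = line.strip().split(":", 6)
    return {"name": name.split("\\")[-1].lower(), "uid": int(uid),
            "gid": int(gid), "gecos": gecos, "home": home, "shell": shell}


def compare_hosts(captures, id_range):
    """captures maps host -> list of getent lines. Returns finding strings."""
    low, high = id_range
    seen = defaultdict(dict)  # user -> host -> parsed entry
    findings = []
    for host, lines in captures.items():
        for line in lines:
            entry = parse_getent(line)
            seen[entry["name"]][host] = entry
            # An ID outside the domain range did not come from the ad backend.
            for field in ("uid", "gid"):
                if not low <= entry[field] <= high:
                    findings.append(f"{host}: {entry['name']} {field}="
                                    f"{entry[field]} outside {low}-{high}")
    for user, per_host in sorted(seen.items()):
        for field in CHECKED:
            values = {host: e[field] for host, e in per_host.items()}
            if len(set(values.values())) > 1:
                findings.append(f"{user}: {field} differs: {values}")
    return findings


if __name__ == "__main__":
    for label, sample in (("Carlos", CARLOS), ("Louis", LOUIS)):
        print(label, compare_hosts(sample, RANGE) or "consistent")
```

A uid or gid that differs between hosts means files written through one server carry an owner the other servers resolve to a different account, or to none, so any finding is worth clearing before a file server depends on those DCs.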