mathias dufresne
2016-Jun-14 10:23 UTC
[Samba] Samba 4 Member server shows different UID than AD Server
Without UID and/or GID configured into the AD database (into the LDAP tree), Samba gives UIDs/GIDs to users and groups when needed, and as nothing is written, Samba has to guess. This guessing process is called id mapping.

Samba does not synchronize the generated file containing this ID map. No synchronization plus random xIDs leads to xID inconsistency.

This is not necessarily an issue: with only one DC (a config I can't approve) no issue: Sysvol is hosted by only one DC, no inconsistency when you are alone (it's when you meet people that craziness appears :). File servers do not normally host the same files: AD DCs host Sysvol and NetLogon, and those two shares are not hosted on file servers, which host other files. Different files, so no issue with rights... as long as you don't have to copy or move files from server to server; in that case it could be a mess.

Solution seems to be:
- give UID/GID to everything in AD. Your users and those in CN=BUILTIN and CN=Users too.
- synchronize private/idmap.ldb across your DCs at least (they all host Sysvol, Sysvol is rsynced, here you can have issues with UID/GID). Member servers seem not to have that file.
- use "net cache flush" to clear the idmap cache on every server (members included). Once the cache is cleared, Winbind will need to find out what UID/GID to use; it should now rely on the UID:GID declared in the AD database and the issue should disappear.

2016-06-14 9:14 GMT+02:00 Mueller <mueller at tropenklinik.de>:
> So you need to configure winbindd the right way to solve this.
> Indeed if you have another UID it can result in "access refused".
> This is an issue I tried to discuss since samba4 started and I think this
> should be an integrated thing in samba ads to member server
> without having admins to bother about.
>
> Greetings
> Daniel
>
> EDV Daniel Müller
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
>
> -----Original Message-----
> From: Juan Ignacio [mailto:juan.ignacio.pazos at gmail.com]
> Sent: Monday, 13 June 2016 17:32
> To: samba at lists.samba.org
> Subject: [Samba] Samba 4 Member server shows different UID than AD Server
>
> Hello friends, I come to ask for a hand.
>
> I have an AD server with Samba 4.1 and added a Member Server 4.4 without problems.
>
> The only problem I'm having is that the UIDs of users on the Member Server are different from the AD server.
>
> AD Server
>
> KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>
> Member Server
>
> florenciaelmone:*:100002:100008:Florencia Elmone Domingues:/home/KENNEDY/florenciaelmone:/bin/false
>
> Some way to resolve this?
>
> Thanks.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Juan Ignacio
2016-Jun-14 14:52 UTC
[Samba] Samba 4 Member server shows different UID than AD Server
I like the idea.

> - synchronize private/idmap.ldb across your DCs at least (they all host Sysvol, Sysvol is rsynced, here you can have issues with UID/GID). Member servers seem not to have that file.

But in my Domain Controller I do not find this file.

I found the file in the AD DC.

Is there any way to avoid adding UIDs to users, or is it impossible without doing this? There are about 300 users.

IT Analyst
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

2016-06-14 7:23 GMT-03:00 mathias dufresne <infractory at gmail.com>:
> [...]
mathias dufresne
2016-Jun-14 15:09 UTC
[Samba] Samba 4 Member server shows different UID than AD Server
2016-06-14 16:52 GMT+02:00 Juan Ignacio <juan.ignacio.pazos at gmail.com>:
> I like the idea.
>
> - synchronize private/idmap.ldb across your DCs at least (they all host Sysvol, Sysvol is rsynced, here you can have issues with UID/GID). Member servers seem not to have that file.
>
> But in my Domain Controller I do not find this file.

I expect you meant "domain member" rather than "domain controller". Domain members don't have that file.

> I found the file in the AD DC.

Yep, it exists on AD DCs.

> Is there any way to avoid adding UIDs to users, or is it impossible without doing this? There are about 300 users.

As I explained below (previous mail), the fact that UID/GID are not the same between DC and file servers is not necessarily an issue: these UID/GID are used by Samba to translate Windows identity to UNIX identity (Windows users from Windows clients access Windows shares hosted by Samba, on a Linux system and so hosted by a Linux file system; rights on the Linux FS are done using UID/GID).

Now if you are a bit lost with all this rights management, or if you want to limit risk in the future (more DCs, using DFS or whatever), the simpler is to set up UID and GID for every user and every group.

You will have to set up GID on groups first, then UID (and GID) on users, if you do that manually using ADUC (at least I believe that was the case when I tested).

To avoid doing that manually: script it! Chain ldbsearch to list groups, then to list users, and awk to read the result of ldbsearch and to write the resultant LDIF file. Then you run one command:

ldbmodify -H $sam /path/to/your/newly/created/file/ldif

This command should modify all users and groups as defined in the LDIF file, adding uidNumber and/or gidNumber to groups and users if the script is correct enough.

Have fun ;)

> IT Analyst
> Juan Ignacio Pazos
> <http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>
>
> 2016-06-14 7:23 GMT-03:00 mathias dufresne <infractory at gmail.com>:
>> [...]
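The ldbsearch / awk / ldbmodify chain sketched above, written out as an added example; it is not code from this thread or from the Samba project. It assumes `$SAM` points at the DC's sam.ldb (for instance /usr/local/samba/private/sam.ldb), the ID ranges 10000+ for groups and 20000+ for users are constructed choices, and the ldbsearch output it parses is a constructed sample modelled on the original post. The awk filter skips entries that already carry the attribute, so running it twice does not overwrite anything, and it handles the folded LDIF lines ldb emits for long DNs.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): build the "changetype: modify"
# LDIF that adds uidNumber/gidNumber to AD entries that lack them, from ldbsearch output.
# Assumptions: $SAM is the DC's sam.ldb path; the ID ranges below are constructed.

# gen_idmap_ldif KIND FIRST_ID PRIMARY_GID
#   KIND         "group" (add gidNumber) or "user" (add uidNumber, plus gidNumber if missing)
#   FIRST_ID     first number to allocate; entries already carrying the attribute are skipped
#   PRIMARY_GID  gidNumber written for users that have none (ignored for groups)
# Reads ldbsearch LDIF on stdin, writes modify-LDIF on stdout.
gen_idmap_ldif() {
  awk -v kind="$1" -v next_id="$2" -v primary_gid="$3" '
    function emit() {
      if (dn == "") return
      if (kind == "group" && !has_gid) {
        printf "dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %d\n\n", dn, next_id++
      } else if (kind == "user" && !has_uid) {
        printf "dn: %s\nchangetype: modify\nadd: uidNumber\nuidNumber: %d\n", dn, next_id++
        if (!has_gid) printf "-\nadd: gidNumber\ngidNumber: %d\n", primary_gid
        printf "\n"
      }
      dn = ""
    }
    /^#/    { next }                                          # "# record N", "# returned N records"
    /^ /    { if (cont == "dn") dn = dn substr($0, 2); next } # LDIF continuation of a folded dn
    /^dn: / { emit(); dn = substr($0, 5); cont = "dn"; has_uid = 0; has_gid = 0; next }
            { cont = "" }
    /^uidNumber: / { has_uid = 1 }
    /^gidNumber: / { has_gid = 1 }
    END     { emit() }
  '
}

# Constructed sample of what `ldbsearch -H "$SAM" '(objectClass=group)' gidNumber` returns.
SAMPLE_GROUPS='# record 1
dn: CN=Domain Users,CN=Users,DC=kennedy,DC=example
gidNumber: 100

# record 2
dn: CN=Accounting,CN=Users,DC=kennedy,DC=example

# returned 2 records'

# Constructed sample for users; the first dn is folded the way ldb wraps long LDIF lines.
SAMPLE_USERS='# record 1
dn: CN=Florencia Elmone Domingues,CN=Users,DC=kennedy,
 DC=example
sAMAccountName: florenciaelmone

# record 2
dn: CN=Administrator,CN=Users,DC=kennedy,DC=example
uidNumber: 3000000
gidNumber: 100

# returned 2 records'

# Dry run on the samples: groups first (GIDs), then users (UIDs, primary GID 100 = Domain Users above).
demo() {
  printf '%s\n' "$SAMPLE_GROUPS" | gen_idmap_ldif group 10000 0
  printf '%s\n' "$SAMPLE_USERS"  | gen_idmap_ldif user  20000 100
}

# Live use against a DC (not executed here); groups before users, as the thread advises:
#   ldbsearch -H "$SAM" '(objectClass=group)' gidNumber \
#     | gen_idmap_ldif group 10000 0 > groups.ldif && ldbmodify -H "$SAM" groups.ldif
#   ldbsearch -H "$SAM" '(&(objectClass=user)(!(objectClass=computer)))' uidNumber gidNumber \
#     | gen_idmap_ldif user 20000 <gidNumber of Domain Users> > users.ldif && ldbmodify -H "$SAM" users.ldif

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Before running it live, back up sam.ldb, and pick FIRST_ID above any uidNumber/gidNumber already present, since the filter only skips entries that have the attribute and does not check for collisions with existing values. The range you choose must also fall inside the `idmap config DOMAIN : range` configured on the member servers, or winbind there will refuse to use the AD-provided numbers; afterwards `net cache flush` on every host, as the first message says.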
Rowland penny
2016-Jun-14 15:21 UTC
[Samba] Samba 4 Member server shows different UID than AD Server
On 14/06/16 15:52, Juan Ignacio wrote:
> I like the idea.
>
> - synchronize private/idmap.ldb across your DCs at least (they all host Sysvol, Sysvol is rsynced, here you can have issues with UID/GID). Member servers seem not to have that file.

idmap.ldb is only used on a Samba 4 AD DC, but the contents can be, and very often are, different on each DC.

> But in my Domain Controller I do not find this file.
>
> I found the file in the AD DC.

I don't quite understand this: you have a domain controller that doesn't have an idmap.ldb file, is this a Windows domain controller? The idmap.ldb file you found, was this on a secondary AD DC?

> Is there any way to avoid adding UIDs to users, or is it impossible without doing this? There are about 300 users.

On a domain member, yes. On a Samba AD DC, yes. There is a problem however: your users on the DC would get a different UID compared to the domain member. The same goes for groups.

Rowland