On 14/06/16 17:00, Carlos A. P. Cunha wrote:
> Correcting previous email
>
> Hello!
> I own two Samba 4.4 DCs; all is OK, but the IDs are different:
>
> Example DC1:
> id tr005
> uid=3000039(TESTELOCAL\tr005) gid=100(users) groups=100(users),3000039(TESTELOCAL\tr005),3000009(BUILTIN\users)
>
> Example DC2:
> id tr005
> uid=3000023(TESTELOCAL\tr005) gid=100(users) groups=100(users),3000023(TESTELOCAL\tr005),3000001(BUILTIN\users)
>
> My smb.conf is the same on both:
> # Global parameters
> [global]
>         workgroup = TESTELOCAL
>         realm = TESTELOCAL.INTERNO
>         netbios name = SAMBADC-01
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         idmap_ldb: use RFC2307 = yes
>
> [netlogon]
>         path = /opt/samba/var/locks/sysvol/testelocal.interno/scripts
>         read only = No
>
> [sysvol]
>         path = /opt/samba/var/locks/sysvol
>         read only = No
>
> My doubt: is this a problem?
> If yes, how do I fix it?
>
> Thank you
>
> On 14-06-2016 12:59, Carlos A. P. Cunha wrote:
>> Hello!
>> I own two Samba 4.4 DCs; all is OK, but the IDs are different:
>> [...]

Each DC can and probably will have different UIDs for users. This is
because the DCs use idmap.ldb, and this uses 'xidNumber' attributes which
seem to be allocated on a first-come basis. One way to get the same UID
numbers on all DCs is to copy idmap.ldb from the first DC to all others
and then keep them in sync; the other is to use RFC2307 attributes.

Rowland
2016-06-14 18:13 GMT+02:00 Rowland penny <rpenny at samba.org>:
> On 14/06/16 17:00, Carlos A. P. Cunha wrote:
>> Correcting previous email
>>
>> Hello!
>> I own two Samba 4.4 DCs; all is OK, but the IDs are different:
>> [...]
>> My doubt: is this a problem?
>> If yes, how do I fix it?
>>
>> Thank you
>
> Each DC can and probably will have different UIDs for users. This is
> because the DCs use idmap.ldb, and this uses 'xidNumber' attributes which
> seem to be allocated on a first-come basis. One way to get the same UID
> numbers on all DCs is to copy idmap.ldb from the first DC to all others
> and then keep them in sync; the other is to use RFC2307 attributes.

And the best way is to do both: synchronize idmap.ldb and set up uidNumber
and gidNumber for each and every user in AD, even for the MS users contained
in the BUILTIN and Users containers. If you synchronize idmap.ldb, keep it
synced.

Using RFC2307 for the MS built-in users is to avoid future issues: once they
all get an xID from AD, they have no reason to get some irrelevant xID from
id mapping. You can also edit idmap.ldb using "ldbedit -H idmap.ldb" to
remove from that file every user and group which already has an xidNumber
set in the AD LDAP tree.

Finally, one thing which is also important here: perform "net cache flush"
on the DCs so they forget the old mapped UID/GID. NOTE: net cache flush does
flush idmap.ldb; if some account is still in there with a bad UID/GID, that
account will get the bad UID/GID until you remove it from idmap.ldb.

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
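Two checks that follow from the thread so far, written as an added example for this page (it is not code from the thread or from Samba): first, Rowland's point that each DC allocates xidNumber first-come, so the same SID ends up with different UIDs on different DCs; second, the cleanup step above, removing from idmap.ldb the entries whose SID already carries an RFC2307 uidNumber/gidNumber in AD, and spotting the ones whose cached xidNumber disagrees with AD (the "bad UID/GID until you remove it" case). It assumes LDIF text of the shape `ldbsearch -H idmap.ldb` and `ldbsearch -H sam.ldb '(objectClass=user)' objectSid uidNumber` print; the SIDs, DNs and numbers embedded below are constructed to mirror the `id tr005` output in the thread, not real domain data.

```python
"""Consistency checks for Samba AD DC idmap.ldb, written as an example for this
thread (not Samba code).  Inputs are LDIF text such as `ldbsearch -H idmap.ldb`
and `ldbsearch -H sam.ldb '(objectClass=user)' objectSid uidNumber` print;
the records below are constructed to mirror the thread, not real output."""


def parse_ldif(text):
    """Split LDIF into records (attribute -> value).  Continuation lines
    (leading space) are joined; '#' comments are skipped.  Assumes the
    attributes we read are single-valued and printed as text, not base64."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:          # sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


def idmap_by_sid(idmap_ldif):
    """objectSid -> (xidNumber, type, dn) for the sidMap records of idmap.ldb."""
    out = {}
    for rec in parse_ldif(idmap_ldif):
        if rec.get("objectClass") == "sidMap" and "objectSid" in rec:
            out[rec["objectSid"]] = (int(rec["xidNumber"]), rec.get("type", ""), rec["dn"])
    return out


def compare_dcs(dc1_ldif, dc2_ldif):
    """SIDs that the two DCs map to different xidNumbers: {sid: (dc1, dc2)}.
    With first-come allocation this is the expected state, and it is exactly
    what bites the moment UID-based file ownership is shared between DCs."""
    a, b = idmap_by_sid(dc1_ldif), idmap_by_sid(dc2_ldif)
    return {sid: (a[sid][0], b[sid][0])
            for sid in a.keys() & b.keys() if a[sid][0] != b[sid][0]}


def rfc2307_by_sid(sam_ldif):
    """objectSid -> uidNumber (users) or gidNumber (groups) from an AD dump."""
    out = {}
    for rec in parse_ldif(sam_ldif):
        num = rec.get("uidNumber") or rec.get("gidNumber")
        if "objectSid" in rec and num:
            out[rec["objectSid"]] = int(num)
    return out


def plan_idmap_cleanup(idmap_ldif, sam_ldif):
    """(to_delete, conflicts): idmap.ldb DNs whose SID now carries an RFC2307
    number in AD and can be dropped, and the subset where the cached xidNumber
    differs from AD, i.e. accounts that keep a wrong UID/GID until removed."""
    idmap, ad = idmap_by_sid(idmap_ldif), rfc2307_by_sid(sam_ldif)
    to_delete, conflicts = [], {}
    for sid, (xid, _type, dn) in idmap.items():
        if sid in ad:
            to_delete.append(dn)
            if ad[sid] != xid:
                conflicts[sid] = (xid, ad[sid])
    return to_delete, conflicts


def delete_ldif(dns):
    """LDIF to feed `ldbmodify -H idmap.ldb` for removing the listed entries."""
    return "".join(f"dn: {dn}\nchangetype: delete\n\n" for dn in dns)


# Constructed sample data: SIDs and numbers mirror the thread, not a real domain.
SID_TR005 = "S-1-5-21-1111111111-2222222222-3333333333-1107"   # hypothetical SID for tr005
SID_BUILTIN_USERS = "S-1-5-32-545"                               # well-known BUILTIN\Users


def _idmap_record(sid, xid):
    """One sidMap record in the layout idmap.ldb dumps use (constructed)."""
    return (f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\nobjectSid: {sid}\n"
            f"type: ID_TYPE_BOTH\nxidNumber: {xid}\n\n")


DC1_IDMAP = "# record 1\n" + _idmap_record(SID_TR005, 3000039) + _idmap_record(SID_BUILTIN_USERS, 3000009)
DC2_IDMAP = "# record 1\n" + _idmap_record(SID_TR005, 3000023) + _idmap_record(SID_BUILTIN_USERS, 3000001)

# AD after RFC2307 attributes were set: tr005 got uidNumber 10001, BUILTIN\Users gidNumber 3000009.
AD_RFC2307 = (f"dn: CN=tr005,CN=Users,DC=testelocal,DC=interno\nobjectSid: {SID_TR005}\nuidNumber: 10001\n\n"
              f"dn: CN=Users,CN=Builtin,DC=testelocal,DC=interno\nobjectSid: {SID_BUILTIN_USERS}\ngidNumber: 3000009\n\n")

if __name__ == "__main__":
    print("xidNumber differs between DCs:", compare_dcs(DC1_IDMAP, DC2_IDMAP))
    dele, conf = plan_idmap_cleanup(DC2_IDMAP, AD_RFC2307)
    print("DC2 entries superseded by AD:", dele)
    print("DC2 entries with a stale xidNumber:", conf)
    print(delete_ldif(dele))
```

On a real DC the inputs would come from `ldbsearch` against the DC's own idmap.ldb and sam.ldb (back the ldb file up first); the generated LDIF is reviewed and then applied with `ldbmodify`, after which the `net cache flush` step from the reply above applies.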
Understood. If I leave it this way, could I have problems, for example
with a file server (separately)?
But I was already using RFC2307, because on both I have the option:
idmap_ldb: use RFC2307 = yes
???

Thank you

On 14-06-2016 13:13, Rowland penny wrote:
> On 14/06/16 17:00, Carlos A. P. Cunha wrote:
>> Correcting previous email
>>
>> Hello!
>> I own two Samba 4.4 DCs; all is OK, but the IDs are different:
>> [...]
>> My doubt: is this a problem?
>> If yes, how do I fix it?
>>
>> Thank you
>
> Each DC can and probably will have different UIDs for users. This is
> because the DCs use idmap.ldb, and this uses 'xidNumber' attributes
> which seem to be allocated on a first-come basis. One way to get the
> same UID numbers on all DCs is to copy idmap.ldb from the first DC
> to all others and then keep them in sync; the other is to use RFC2307
> attributes.
>
> Rowland
It's one thing to add the schema to your AD; it's another thing to use that
schema. Adding the RFC2307 schema to AD grants you the possibility to set
uidNumber, gidNumber, loginShell and other attributes on your AD users. That
grants you the possibility, but you are free to use that possibility. The
next step is to define the xidNumber for your users.

2016-06-14 18:31 GMT+02:00 Carlos A. P. Cunha <carlos.hollow at gmail.com>:
> Understood. If I leave it this way, could I have problems, for example
> with a file server (separately)?
> But I was already using RFC2307, because on both I have the option:
> idmap_ldb: use RFC2307 = yes
> ???
>
> Thank you
>
> On 14-06-2016 13:13, Rowland penny wrote:
>> On 14/06/16 17:00, Carlos A. P. Cunha wrote:
>>> [...]
>>
>> Each DC can and probably will have different UIDs for users. This is
>> because the DCs use idmap.ldb, and this uses 'xidNumber' attributes which
>> seem to be allocated on a first-come basis. One way to get the same UID
>> numbers on all DCs is to copy idmap.ldb from the first DC to all others
>> and then keep them in sync; the other is to use RFC2307 attributes.
>>
>> Rowland
On 14/06/16 17:31, Carlos A. P. Cunha wrote:
> Understood. If I leave it this way, could I have problems, for example
> with a file server (separately)?
> But I was already using RFC2307, because on both I have the option:
> idmap_ldb: use RFC2307 = yes
> ???
>
> Thank you

Just because you have 'idmap_ldb: use RFC2307 = yes' in smb.conf doesn't
mean you are using the RFC2307 attributes; it means you can use RFC2307
attributes. You need to add the RFC2307 attributes to AD manually yourself.

Rowland