Hi,
I provisioned a domain and all went well, until I added the second DC...
For example, the new DC2 tells me:
getfacl /usr/local/samba/var/locks/sysvol
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134users:r-x
user:ELEMAY\134guest:rwx
user:ELEMAY\134domain\040guests:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134users:r-x
group:ELEMAY\134guest:rwx
group:ELEMAY\134domain\040guests:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134users:r-x
default:user:ELEMAY\134guest:rwx
default:user:ELEMAY\134domain\040guests:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134users:r-x
default:group:ELEMAY\134guest:rwx
default:group:ELEMAY\134domain\040guests:r-x
default:mask::rwx
default:other::---
The old DC1 tells me:
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
smb.conf is identical:
DC2:
testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
workgroup = ELEMAY
dns forwarder = 192.168.0.1
passdb backend = samba_dsdb
server role = active directory domain controller
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config elemay:range = 10000-99999
idmap config elemay:schema_mode = rfc2307
idmap config elemay:backend = ad
idmap config *:range = 2000-9999
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path
/usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
DC1:
testparm
Load smb config files from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[Profiles]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
workgroup = ELEMAY
dns forwarder = 192.168.0.1
passdb backend = samba_dsdb
server role = active directory domain controller
winbind enum groups = Yes
winbind enum users = Yes
winbind nss info = rfc2307
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config elemay:range = 10000-99999
idmap config elemay:schema_mode = rfc2307
idmap config elemay:backend = ad
idmap config *:range = 2000-9999
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr
[netlogon]
path
/usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[Profiles]
path = /srv/samba/Profiles/
csc policy = disable
profile acls = Yes
create mask = 0600
directory mask = 0700
read only = No
getent passwd works on both and shows me domain users, for example:
dc2:
ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
dc1:
ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
But, as you see, it has different numbers.
What went wrong here?
Thanks,
Juergen
On 14/06/16 17:38, J. Echter wrote:
> [...]

Nothing, you just seem to be running into the same problem that a couple of others have: idmap.ldb can and usually is different between DCs.

That makes three users this week and it is only Tuesday :-D

You can copy idmap.ldb from the first DC to any others; you would then need to run 'samba-tool ntacl sysvolreset' on the other DCs and then keep the idmap.ldb files in sync.

Rowland
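The symptom from the original post (bare numeric xids such as user:3000002 in the sysvol ACL) and the copy-then-sysvolreset procedure from Rowland's reply, as an added shell example that is not code from the thread or from the Samba project. The sample getfacl dumps are constructed; the /usr/local/samba/private and /usr/local/samba/bin paths, the host names dc1/dc2 and root ssh access between DCs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba. Part 1 audits a
# getfacl dump of sysvol for ACL entries whose qualifier is a bare numeric
# xid, i.e. an ID this DC's idmap.ldb cannot resolve to a SID (the DC1
# symptom in the thread). Part 2 emits the command sequence from Rowland's
# reply for pushing the first DC's idmap.ldb to the other DCs.

# Constructed sample, abridged from the DC1 getfacl output in the thread.
SAMPLE_ACL='# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group:3000002:rwx
default:user:3000002:rwx
default:group:3000003:r-x
mask::rwx
other::---'

# Constructed sample of a healthy dump: every qualifier resolves to a name.
CLEAN_ACL='# file: usr/local/samba/var/locks/sysvol
user::rwx
user:BUILTIN\134administrators:rwx
user:ELEMAY\134domain\040guests:r-x
group:ELEMAY\134guest:rwx
default:user:root:rwx
mask::rwx'

# Print the distinct numeric qualifiers of user:/group: entries (default:
# entries included), sorted and space separated; prints nothing if none.
unresolved_xids() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }
        {
            t = $1; q = $2
            if (t == "default") { t = $2; q = $3 }   # default:user:Q:perms
            if ((t == "user" || t == "group") && q ~ /^[0-9]+$/) seen[q] = 1
        }
        END { for (x in seen) print x }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Returns 0 (true) when the dump has at least one unresolved xid, meaning
# this DC's POSIX ACLs were written against a different idmap.ldb.
acl_needs_reset() {
    [ -n "$(unresolved_xids "$1")" ]
}

# Assumed paths for a /usr/local/samba source install, the prefix seen in
# the thread; check yours with 'samba -b' (PRIVATE_DIR, BINDIR).
IDMAP_LDB=/usr/local/samba/private/idmap.ldb
SAMBA_TOOL=/usr/local/samba/bin/samba-tool

# Emit Rowland's procedure for one source DC and any number of target DCs.
# It only prints; review the commands, stop Samba on each target before
# its idmap.ldb is replaced (init command depends on your system), then
# feed the lines to sh. Repeat whenever the source idmap.ldb changes.
idmap_sync_plan() {
    src="$1"; shift
    for dst in "$@"; do
        echo "scp root@$src:$IDMAP_LDB root@$dst:$IDMAP_LDB"
        echo "ssh root@$dst '$SAMBA_TOOL ntacl sysvolreset'"
    done
}
```

Run `unresolved_xids "$(getfacl /usr/local/samba/var/locks/sysvol)"` on each DC to see which one is out of step, and `idmap_sync_plan dc1 dc2` to print the remediation for DC2. Because rsync -A copies POSIX ACLs by numeric id, a replicated sysvol only keeps its meaning on the target while both DCs share the same idmap.ldb, which is why the files must stay in sync.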
On 14.06.2016 at 19:16, Rowland penny wrote:
> [...]

Hi,

I recognized that some other people may have the same situation :) But I already posted...

So my problem was that I can't add GPO rules to my computers/users; Windows (gpupdate) told me that gpt.ini couldn't be read on one of the servers. I checked everything I know, and that is not much, and came to the conclusion that the problem must be the wrong ACLs on my sysvol.

I have set up an rsync sysvol replication from DC1 -> DC2.

I read here that sharing files is a 'no go', but I do share files on DC1. My profiles. I will move them to a NAS later on...

Does the above problem cause the issue I mentioned? Or am I following the totally wrong way? I would appreciate some enlightenment :D

Any information you need I will provide happily :)

Thanks.
lingpanda101 at gmail.com
2016-Jun-14 18:47 UTC
[Samba] since i added second DC i have some trouble
On 6/14/2016 1:16 PM, Rowland penny wrote:
> [...]

Rowland,

That shouldn't be necessary if he is using 4.2 or later, correct? Isn't the use of winbindd supposed to solve this issue?

--
-James