lingpanda101 at gmail.com
2016-Jun-14 18:47 UTC
[Samba] since I added second DC I have some trouble
On 6/14/2016 1:16 PM, Rowland penny wrote:
> On 14/06/16 17:38, J. Echter wrote:
>> Hi,
>>
>> I provisioned a domain and all went well, until I added the second
>> DC....
>>
>> For example, the new DC2 tells me:
>>
>> getfacl /usr/local/samba/var/locks/sysvol
>>
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:BUILTIN\134users:r-x
>> user:ELEMAY\134guest:rwx
>> user:ELEMAY\134domain\040guests:r-x
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:BUILTIN\134users:r-x
>> group:ELEMAY\134guest:rwx
>> group:ELEMAY\134domain\040guests:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:BUILTIN\134users:r-x
>> default:user:ELEMAY\134guest:rwx
>> default:user:ELEMAY\134domain\040guests:r-x
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:BUILTIN\134users:r-x
>> default:group:ELEMAY\134guest:rwx
>> default:group:ELEMAY\134domain\040guests:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> The old DC1 tells me:
>>
>> # file: usr/local/samba/var/locks/sysvol
>> # owner: root
>> # group: BUILTIN\134administrators
>> user::rwx
>> user:root:rwx
>> user:BUILTIN\134administrators:rwx
>> user:BUILTIN\134server\040operators:r-x
>> user:3000002:rwx
>> user:3000003:r-x
>> group::rwx
>> group:BUILTIN\134administrators:rwx
>> group:BUILTIN\134server\040operators:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN\134administrators:rwx
>> default:user:BUILTIN\134server\040operators:r-x
>> default:user:3000002:rwx
>> default:user:3000003:r-x
>> default:group::---
>> default:group:BUILTIN\134administrators:rwx
>> default:group:BUILTIN\134server\040operators:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> smb.conf is identical:
>>
>> DC2:
>>
>> testparm
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>> 	realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>> 	workgroup = ELEMAY
>> 	dns forwarder = 192.168.0.1
>> 	passdb backend = samba_dsdb
>> 	server role = active directory domain controller
>> 	winbind enum groups = Yes
>> 	winbind enum users = Yes
>> 	winbind nss info = rfc2307
>> 	rpc_server:tcpip = no
>> 	rpc_daemon:spoolssd = embedded
>> 	rpc_server:spoolss = embedded
>> 	rpc_server:winreg = embedded
>> 	rpc_server:ntsvcs = embedded
>> 	rpc_server:eventlog = embedded
>> 	rpc_server:srvsvc = embedded
>> 	rpc_server:svcctl = embedded
>> 	rpc_server:default = external
>> 	winbindd:use external pipes = true
>> 	idmap config elemay:range = 10000-99999
>> 	idmap config elemay:schema_mode = rfc2307
>> 	idmap config elemay:backend = ad
>> 	idmap config *:range = 2000-9999
>> 	idmap_ldb:use rfc2307 = yes
>> 	idmap config * : backend = tdb
>> 	map archive = No
>> 	map readonly = no
>> 	store dos attributes = Yes
>> 	vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>> 	path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>> 	read only = No
>>
>>
>> [sysvol]
>> 	path = /usr/local/samba/var/locks/sysvol
>> 	read only = No
>>
>>
>> DC1:
>>
>> testparm
>> Load smb config files from /usr/local/samba/etc/smb.conf
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> Processing section "[Profiles]"
>> Loaded services file OK.
>> Server role: ROLE_ACTIVE_DIRECTORY_DC
>>
>> Press enter to see a dump of your service definitions
>>
>> # Global parameters
>> [global]
>> 	realm = ELEMAY.ECHTER-KUECHEN-ELEKTRO.DE
>> 	workgroup = ELEMAY
>> 	dns forwarder = 192.168.0.1
>> 	passdb backend = samba_dsdb
>> 	server role = active directory domain controller
>> 	winbind enum groups = Yes
>> 	winbind enum users = Yes
>> 	winbind nss info = rfc2307
>> 	rpc_server:tcpip = no
>> 	rpc_daemon:spoolssd = embedded
>> 	rpc_server:spoolss = embedded
>> 	rpc_server:winreg = embedded
>> 	rpc_server:ntsvcs = embedded
>> 	rpc_server:eventlog = embedded
>> 	rpc_server:srvsvc = embedded
>> 	rpc_server:svcctl = embedded
>> 	rpc_server:default = external
>> 	winbindd:use external pipes = true
>> 	idmap config elemay:range = 10000-99999
>> 	idmap config elemay:schema_mode = rfc2307
>> 	idmap config elemay:backend = ad
>> 	idmap config *:range = 2000-9999
>> 	idmap_ldb:use rfc2307 = yes
>> 	idmap config * : backend = tdb
>> 	map archive = No
>> 	map readonly = no
>> 	store dos attributes = Yes
>> 	vfs objects = dfs_samba4 acl_xattr
>>
>>
>> [netlogon]
>> 	path = /usr/local/samba/var/locks/sysvol/elemay.echter-kuechen-elektro.de/scripts
>> 	read only = No
>>
>>
>> [sysvol]
>> 	path = /usr/local/samba/var/locks/sysvol
>> 	read only = No
>>
>>
>> [Profiles]
>> 	path = /srv/samba/Profiles/
>> 	csc policy = disable
>> 	profile acls = Yes
>> 	create mask = 0600
>> 	directory mask = 0700
>> 	read only = No
>>
>> getent passwd:
>>
>> works on both and shows me domain users, for example:
>>
>> dc2:
>>
>> ELEMAY\guest:*:3000002:100::/home/ELEMAY/guest:/bin/false
>>
>>
>> dc1:
>>
>> ELEMAY\guest:*:3000011:100::/home/ELEMAY/guest:/bin/false
>>
>> but, as you see, it has different numbers.
>>
>>
>> What went wrong here?
>>
>>
>> thanks
>>
>> juergen
>>
>
> Nothing, you just seem to be running into the same problem that a
> couple of others have: idmap.ldb can be, and usually is, different between
> DCs.
>
> That makes three users this week and it is only Tuesday :-D
>
> You can copy idmap.ldb from the first DC to any others; you would then
> need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
> keep the idmap.ldb files in sync.
>
> Rowland

Rowland,

That shouldn't be necessary if he is using 4.2 or later, correct?
Isn't the use of winbindd supposed to solve this issue?

-- 
-James
On 14.06.2016 at 20:47, lingpanda101 at gmail.com wrote:
> On 6/14/2016 1:16 PM, Rowland penny wrote:
>> On 14/06/16 17:38, J. Echter wrote:
>>> [...]
>>> but, as you see, it has different numbers.
>>>
>>> What went wrong here?
>>>
>>> thanks
>>>
>>> juergen
>>
>> Nothing, you just seem to be running into the same problem that a
>> couple of others have: idmap.ldb can be, and usually is, different between
>> DCs.
>>
>> That makes three users this week and it is only Tuesday :-D
>>
>> You can copy idmap.ldb from the first DC to any others; you would then
>> need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
>> keep the idmap.ldb files in sync.
>>
>> Rowland
>
> Rowland,
>
> That shouldn't be necessary if he is using 4.2 or later, correct?
> Isn't the use of winbindd supposed to solve this issue?

I'm using 4.4.4 on both DCs ;)
lingpanda101 at gmail.com
2016-Jun-14 19:22 UTC
[Samba] since I added second DC I have some trouble
On 6/14/2016 2:50 PM, J. Echter wrote:
> On 14.06.2016 at 20:47, lingpanda101 at gmail.com wrote:
>> On 6/14/2016 1:16 PM, Rowland penny wrote:
>>> On 14/06/16 17:38, J. Echter wrote:
>>>> [...]
>>>> but, as you see, it has different numbers.
>>>>
>>>> What went wrong here?
>>>
>>> Nothing, you just seem to be running into the same problem that a
>>> couple of others have: idmap.ldb can be, and usually is, different between
>>> DCs.
>>>
>>> You can copy idmap.ldb from the first DC to any others; you would then
>>> need to run 'samba-tool ntacl sysvolreset' on the other DCs and then
>>> keep the idmap.ldb files in sync.
>>>
>>> Rowland
>>
>> Rowland,
>>
>> That shouldn't be necessary if he is using 4.2 or later, correct?
>> Isn't the use of winbindd supposed to solve this issue?
>
> I'm using 4.4.4 on both DCs ;)

Echter,

Have you tried syncing the idmap.ldb file yet? I wonder if your issue is
related to using 'idmap config elemay:backend = ad'. Doesn't this use
winbind and not winbindd? In this case you would need to sync idmap.ldb?

-- 
-James
On 14/06/16 19:47, lingpanda101 at gmail.com wrote:
> On 6/14/2016 1:16 PM, Rowland penny wrote:
>> On 14/06/16 17:38, J. Echter wrote:
>>> [...]
>>> but, as you see, it has different numbers.
>>>
>>> What went wrong here?
>>
>> Nothing, you just seem to be running into the same problem that a
>> couple of others have: idmap.ldb can be, and usually is, different between
>> DCs.
>>
>> That makes three users this week and it is only Tuesday :-D
>>
>> You can copy idmap.ldb from the first DC to any others; you would
>> then need to run 'samba-tool ntacl sysvolreset' on the other DCs and
>> then keep the idmap.ldb files in sync.
>>
>> Rowland
>
> Rowland,
>
> That shouldn't be necessary if he is using 4.2 or later, correct?
> Isn't the use of winbindd supposed to solve this issue?

Yes, as long as you sync via names, not numbers, i.e. do not use
'--numeric-ids' with rsync, and reset sysvol after the sync.

Rowland
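The two pieces of advice Rowland gives in this thread (copy idmap.ldb from the first DC, run 'samba-tool ntacl sysvolreset' on the others and keep idmap.ldb in sync; replicate sysvol by name rather than with rsync '--numeric-ids', then reset) written out as shell functions, together with two checks that show the symptom the original post describes. This is an added example, not code from the thread or from the Samba project. It assumes the self-compiled /usr/local/samba layout shown in the thread's testparm output, uses "dc1" as a placeholder hostname for the first DC, and assumes root SSH between the DCs; flushing winbind's cache before the reset is an added precaution, not a step anyone in the thread mentions. The sample getfacl data is the access ACL each DC printed above, with the default: entries left out.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Samba project.
# Checks for the symptom discussed above (sysvol POSIX ACLs that carry
# bare numeric IDs on one DC because idmap.ldb differs between DCs) and
# Rowland's remedy as shell functions. Assumes /usr/local/samba as in
# the thread, "dc1" as a placeholder hostname, root SSH between the DCs.

SAMBA=/usr/local/samba
SYSVOL=$SAMBA/var/locks/sysvol

# Count entries in getfacl output (stdin) whose qualifier is a bare number.
# POSIX ACLs hold numeric IDs; getfacl resolves them via NSS/winbind on the
# DC where it runs, so a name on one DC and a bare number on another means
# the two DCs map that SID to different IDs (or one has no mapping at all).
unresolved_acl_entries() {
    awk '/^(default:)?(user|group):[0-9]+:/ { n++ } END { print n + 0 }'
}

# Print ACL entries present in only one of two getfacl outputs (files $1
# and $2, comment lines ignored): "<" only in $1, ">" only in $2. Comparing
# by name is the only meaningful cross-DC comparison; the numbers are per-DC.
acl_diff() {
    a=$(mktemp) && b=$(mktemp) || return 1
    grep -v '^#' "$1" | sort -u > "$a"
    grep -v '^#' "$2" | sort -u > "$b"
    comm -23 "$a" "$b" | sed 's/^/< /'
    comm -13 "$a" "$b" | sed 's/^/> /'
    rm -f "$a" "$b"
}

# Rowland's remedy: take idmap.ldb from the first DC, then let Samba rewrite
# sysvol's POSIX ACLs from the stored NT ACLs with the now identical mapping.
# Not run below (needs root on both DCs); stop Samba here before calling it.
sync_idmap_from() {
    src=$1
    priv=$("$SAMBA/bin/testparm" -s --parameter-name='private dir' 2>/dev/null) || return 1
    cp -p "$priv/idmap.ldb" "$priv/idmap.ldb.bak.$(date +%Y%m%d%H%M%S)" || return 1
    rsync -a "root@$src:$priv/idmap.ldb" "$priv/idmap.ldb" || return 1
    "$SAMBA/bin/net" cache flush          # added precaution: drop cached id mappings
    "$SAMBA/bin/samba-tool" ntacl sysvolreset
}

# Keep sysvol in sync by name, as Rowland's last message says: --numeric-ids
# is deliberately absent (with it rsync would write dc1's raw UIDs/GIDs,
# which mean something else, or nothing, on this DC), then reset the ACLs.
sync_sysvol_from() {
    src=$1
    rsync -aAX --delete "root@$src:$SYSVOL/" "$SYSVOL/" || return 1
    "$SAMBA/bin/samba-tool" ntacl sysvolreset
}

# Sample input: the access ACLs the two DCs printed in the thread.
dc1_acl() {
cat <<'EOF'
# file: usr/local/samba/var/locks/sysvol
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
EOF
}

dc2_acl() {
cat <<'EOF'
# file: usr/local/samba/var/locks/sysvol
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134users:r-x
user:ELEMAY\134guest:rwx
user:ELEMAY\134domain\040guests:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134users:r-x
group:ELEMAY\134guest:rwx
group:ELEMAY\134domain\040guests:r-x
mask::rwx
other::---
EOF
}

# Stand-alone demo on the sample: dc1 has 4 unresolved entries, dc2 has 0,
# and the by-name diff lists the six principals that differ on each side.
f1=$(mktemp) && f2=$(mktemp)
dc1_acl > "$f1"
dc2_acl > "$f2"
echo "dc1 unresolved: $(unresolved_acl_entries < "$f1")"
echo "dc2 unresolved: $(unresolved_acl_entries < "$f2")"
acl_diff "$f1" "$f2"
rm -f "$f1" "$f2"
```

On a live pair of DCs, run 'getfacl' on sysvol on each and feed the output to the two checks: a non-zero count from unresolved_acl_entries, or any output from acl_diff, is the mismatch the original post shows. After sync_idmap_from on the second DC both should read zero and empty. Note that 'samba-tool ntacl sysvolreset' puts Samba's default ACLs back on sysvol, so anything custom that was set there has to be re-applied afterwards.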