Dear,

I have 2 DCs running Samba 4.4.5.
I realize that there is a difference in group gid mappings.
The /etc/nsswitch.conf files are equal on both DCs.
I found a difference in the smb.conf of the DCs.
DC2 shows the names of the winbind groups. DC1 shows only the uid of the group/user.
Could someone give me a hint?

Smb.conf file DC1

[global]
        interfaces = lo eth0
        netbios name = SRV14
        realm = DOMAIN.LOCAL
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN
        server role = active directory domain controller
        comment =
        log file = /var/log/samba/samba.log
        log level = 1
        max log size = 10000
        idmap_ldb:use rfc2307 = yes
        winbind enum users = yes
        winbind enum groups = yes
        allow dns updates = secure only
        nsupdate command = /usr/bin/nsupdate -g
        client ldap sasl wrapping = sign
        ldap server require strong auth = no
        time server = yes
        # EVENT LOGGING
        eventlog list = Application System Security SyslogLinux

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Smb.conf file DC2

[global]
        bind interfaces only = Yes
        interfaces = lo eth0
        netbios name = SRV15
        realm = DOMAIN.LOCAL
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = DOMAIN
        server role = active directory domain controller
        comment =
        log file = /var/log/samba/%m.log
        log level = 1
        max log size = 10000
        #
        winbind enum users = yes
        winbind enum groups = yes
        client ldap sasl wrapping = sign
        ldap server require strong auth = no

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
On Fri, 21 Oct 2016 16:59:07 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> Dear,
>
> I have 2 DCs running Samba 4.4.5.
> I realize that there is a difference in group gid mappings.
> The /etc/nsswitch.conf files are equal on both DCs.
> I found a difference in the smb.conf of the DCs.
> DC2 shows the names of the winbind groups. DC1 shows only the uid
> of the group/user. Could someone give me a hint?
>
> Smb.conf file DC1
>
> [global]
>         interfaces = lo eth0
>         netbios name = SRV14
>         realm = DOMAIN.LOCAL
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = DOMAIN
>         server role = active directory domain controller
>         comment =
>         log file = /var/log/samba/samba.log
>         log level = 1
>         max log size = 10000
>         idmap_ldb:use rfc2307 = yes
>         winbind enum users = yes
>         winbind enum groups = yes
>         allow dns updates = secure only
>         nsupdate command = /usr/bin/nsupdate -g
>         client ldap sasl wrapping = sign
>         ldap server require strong auth = no
>         time server = yes
>         # EVENT LOGGING
>         eventlog list = Application System Security SyslogLinux
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> Smb.conf file DC2
>
> [global]
>         bind interfaces only = Yes
>         interfaces = lo eth0
>         netbios name = SRV15
>         realm = DOMAIN.LOCAL
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = DOMAIN
>         server role = active directory domain controller
>         comment =
>         log file = /var/log/samba/%m.log
>         log level = 1
>         max log size = 10000
>         #
>         winbind enum users = yes
>         winbind enum groups = yes
>         client ldap sasl wrapping = sign
>         ldap server require strong auth = no
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/domain.local/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No

Apart from DC2 not having this line:

idmap_ldb:use rfc2307 = yes

Both smb.conf files look ok.
Can you elaborate on your problem and show a few examples.

Rowland
Dear Rowland,

Here is an example.

DC1:

# getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000012:r-x
user:3000025:rwx
user:3000026:r-x
group::rwx
group:3000000:rwx
group:3000012:r-x
group:3000025:rwx
group:3000026:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000012:r-x
default:user:3000025:rwx
default:user:3000026:r-x
default:group::---
default:group:3000000:rwx
default:group:3000012:r-x
default:group:3000025:rwx
default:group:3000026:r-x
default:mask::rwx
default:other::---

DC2:

# getfacl /usr/local/samba/var/locks/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000012:r-x
user:3000025:rwx
user:BUILTIN\134server\040operators:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:3000012:r-x
group:3000025:rwx
group:BUILTIN\134server\040operators:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:3000012:r-x
default:user:3000025:rwx
default:user:BUILTIN\134server\040operators:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:3000012:r-x
default:group:3000025:rwx
default:group:BUILTIN\134server\040operators:r-x
default:mask::rwx
default:other::---
On Fri, 21 Oct 2016 18:02:23 +0000 (UTC)
Ricardo Pardim Claus via samba <samba at lists.samba.org> wrote:

> Dear Rowland,
>
> Here is an example.
>
> DC1:
>
> # getfacl /usr/local/samba/var/locks/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000012:r-x
> user:3000025:rwx
> user:3000026:r-x
> group::rwx
> group:3000000:rwx
> group:3000012:r-x
> group:3000025:rwx
> group:3000026:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000012:r-x
> default:user:3000025:rwx
> default:user:3000026:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000012:r-x
> default:group:3000025:rwx
> default:group:3000026:r-x
> default:mask::rwx
> default:other::---
>
> DC2:
>
> # getfacl /usr/local/samba/var/locks/sysvol/
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: BUILTIN\134administrators
> user::rwx
> user:root:rwx
> user:BUILTIN\134administrators:rwx
> user:3000012:r-x
> user:3000025:rwx
> user:BUILTIN\134server\040operators:r-x
> group::rwx
> group:BUILTIN\134administrators:rwx
> group:3000012:r-x
> group:3000025:rwx
> group:BUILTIN\134server\040operators:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN\134administrators:rwx
> default:user:3000012:r-x
> default:user:3000025:rwx
> default:user:BUILTIN\134server\040operators:r-x
> default:group::---
> default:group:BUILTIN\134administrators:rwx
> default:group:3000012:r-x
> default:group:3000025:rwx
> default:group:BUILTIN\134server\040operators:r-x
> default:mask::rwx
> default:other::---

OK, I know you say that /etc/nsswitch.conf is set up correctly, but have you also set up the libnss_winbind links on both DCs?

Rowland
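To see why Rowland asks about NSS rather than about the ACL itself, here is an added example (not from the thread) that parses the two getfacl dumps above, undoes getfacl's octal escaping (\134 is a backslash, \040 a space) and pairs the entries host by host. The input is the access ACL exactly as posted, with the default: entries left out because they mirror it; the positional pairing assumes both DCs hold the same ACL, which is what the matching tags and permissions show. Function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed input: the access ACL of sysvol as posted for each DC (default:
# entries omitted). Raw strings keep getfacl's \134 / \040 escapes literal.
DC1_ACL = r"""
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000012:r-x
user:3000025:rwx
user:3000026:r-x
group::rwx
group:3000000:rwx
group:3000012:r-x
group:3000025:rwx
group:3000026:r-x
mask::rwx
other::---
"""

DC2_ACL = r"""
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:3000012:r-x
user:3000025:rwx
user:BUILTIN\134server\040operators:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:3000012:r-x
group:3000025:rwx
group:BUILTIN\134server\040operators:r-x
mask::rwx
other::---
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


@dataclass(frozen=True)
class AclEntry:
    is_default: bool
    tag: str        # user, group, mask, other
    qualifier: str  # name or numeric id; '' for the owner/owning-group entries
    perms: str


def unescape(qualifier: str) -> str:
    """Undo getfacl's octal escaping: BUILTIN\\134server\\040operators becomes
    the name winbind actually handed to NSS, BUILTIN\\server operators."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), qualifier)


def parse_getfacl(text: str) -> list[AclEntry]:
    """Turn getfacl output into AclEntry records, skipping comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        is_default = line.startswith("default:")
        if is_default:
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        entries.append(AclEntry(is_default, tag, unescape(qualifier), perms))
    return entries


def unresolved_ids(entries: list[AclEntry]) -> set[str]:
    """Qualifiers that stayed numeric: NSS on that host could not map the id
    back to a name (winbind missing from nsswitch.conf or libnss_winbind not loadable)."""
    return {e.qualifier for e in entries if e.qualifier.isdigit()}


def name_map_between(acl_a: str, acl_b: str) -> dict[str, str]:
    """Pair the two dumps entry by entry (assumption: same ACL on both hosts,
    printed in the same order) and return numeric id -> name for every entry
    that one host resolved and the other did not."""
    a, b = parse_getfacl(acl_a), parse_getfacl(acl_b)
    if len(a) != len(b):
        raise ValueError("ACLs differ in entry count; not the same ACL")
    mapping: dict[str, str] = {}
    for ea, eb in zip(a, b):
        if (ea.tag, ea.is_default, ea.perms) != (eb.tag, eb.is_default, eb.perms):
            raise ValueError(f"ACL entry mismatch: {ea} vs {eb}")
        if ea.qualifier.isdigit() and not eb.qualifier.isdigit():
            mapping[ea.qualifier] = eb.qualifier
        elif eb.qualifier.isdigit() and not ea.qualifier.isdigit():
            mapping[eb.qualifier] = ea.qualifier
    return mapping


if __name__ == "__main__":
    print("resolved on one DC only:", name_map_between(DC1_ACL, DC2_ACL))
    both = unresolved_ids(parse_getfacl(DC1_ACL)) & unresolved_ids(parse_getfacl(DC2_ACL))
    print("numeric on both DCs:", sorted(both))
```

Run on the posted dumps, the pairing finds no permission difference at all: 3000000 on DC1 is BUILTIN\administrators on DC2 and 3000026 is BUILTIN\server operators, while 3000012 and 3000025 stay numeric on both hosts. The same conclusion can be had with no parsing by running getfacl -n on each DC, which prints the stored ids without asking NSS for names.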
> Apart from DC2 not having this line:
>
> idmap_ldb:use rfc2307 = yes
>
> Both smb.conf files look ok.
> Can you elaborate on your problem and show a few examples.
>
> Rowland

Surely the above line is required to obtain consistent UID, SID and name mappings on all servers?
Can the OP try adding it to their DC2, restarting services, and check again?

I was sure from the docs that rfc2307 is the standard way of mapping UIDs/GIDs stored in AD to Unix UIDs/GIDs. I have the same line on all my DCs and member servers, with nsswitch.conf having passwd and group as "files winbind". That is the right way to do it, isn't it?

Cheers
Alex
Dear Rowland,

Your tip has been very satisfactory.

The symbolic link commands for libnss_winbind I had run only on DC2. I forgot to run the following commands on DC1:

# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so

Thanks for the support.
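A check for exactly the conditions this thread turned on, as an added example rather than anything posted by the participants: it reads /etc/nsswitch.conf, tries to dlopen libnss_winbind.so.2 the same way glibc's NSS does when it meets a "winbind" source, and resolves a sample gid through the ordinary getgrgid path. The gid 3000000 is the one from the sysvol ACL above and is only a sample; resolving it needs a running winbindd, so on a host without Samba only the first two checks say anything. Paths and function names are my own.

```python
import ctypes
import grp
from pathlib import Path

# glibc's NSS dlopen()s this name for a "winbind" entry in nsswitch.conf;
# it must therefore be findable by the dynamic linker, not just on disk.
NSS_WINBIND_LIB = "libnss_winbind.so.2"


def nss_databases_using_winbind(nsswitch_text: str) -> dict[str, bool]:
    """Return {database: bool} for passwd and group: True when the source
    list names winbind (e.g. 'passwd: files winbind'). Comments are ignored."""
    result = {"passwd": False, "group": False}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = (part.strip() for part in line.split(":", 1))
        if db in result:
            result[db] = "winbind" in sources.split()
    return result


def libnss_winbind_loadable(libname: str = NSS_WINBIND_LIB) -> bool:
    """dlopen() the module as glibc would; False means NSS silently skips the
    winbind source and ids in getfacl/ls output stay numeric."""
    try:
        ctypes.CDLL(libname)
        return True
    except OSError:
        return False


def gid_to_name(gid: int):
    """Resolve a gid through NSS (getgrgid); None when no source maps it."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def check_host(nsswitch_path: str = "/etc/nsswitch.conf", sample_gid: int = 3000000) -> bool:
    """Print the three checks and return True only when nsswitch.conf and the
    library are both in order (name resolution additionally needs winbindd)."""
    dbs = nss_databases_using_winbind(Path(nsswitch_path).read_text())
    loadable = libnss_winbind_loadable()
    print(f"nsswitch passwd/group use winbind: {dbs}")
    print(f"{NSS_WINBIND_LIB} loadable by the dynamic linker: {loadable}")
    print(f"gid {sample_gid} resolves to: {gid_to_name(sample_gid)}")
    return all(dbs.values()) and loadable


if __name__ == "__main__":
    raise SystemExit(0 if check_host() else 1)
```

Running this on each DC shows the asymmetry from the thread directly: with nsswitch.conf identical on both hosts, the loadable check is what differs until the symlink is created on DC1 as well. A freshly linked library is only picked up by new processes, so rerun the check rather than trusting an already-running shell's cached view.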