Viktor Trojanovic
2018-May-13  09:58 UTC
[Samba] Domain member server not getting updated AD attributes
I'm running a pure Samba AD with one Samba AD DC and one member server,
both on version 4.8.1. AD is based on idmap_ldb with rfc2307 but since I'm
using (only) Win10 clients, I have to assign all group and user numbers
manually.
This setup is not new and it's been working for years already, and still
does. Yesterday, however, I noticed that I gave two users the same
uidNumber by mistake. Those users are actually both test users, that's why
I never noticed it before.
Anyway, using the RSAT, I manually changed one of the two uidNumbers so
that each user now has a unique number.
On the DC, I can verify that this worked using wbinfo -i. Both users now
have the unique number assigned to them.
$ wbinfo -i testuser1
SAMDOM\testuser1:*:10009:10000::/home/SAMDOM/testuser1:/bin/false
$ wbinfo -i testuser2
SAMDOM\testuser2:*:10010:10000::/home/SAMDOM/testuser2:/bin/false
However, on the member server which is acting as my file server, this
change is not reflected. Both wbinfo and getent still show the same
uidNumber for both users.
I tried restarting Samba on both servers, rebooting both servers, running a
sysvolcheck and subsequent repair on the DC but nothing changes, the member
server keeps showing the wrong uidNumber.
I hope someone can enlighten me as to what I missed, as I'm quite sure
the mistake is on my side.
For reference, here are excerpts of my two smb.conf files. If you should
find other issues with them, I'd appreciate a hint.
DC smb.conf
--------------------
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    netbios name = DCSERVER
    server role = active directory domain controller
    dns forwarder = 192.168.1.2
    idmap_ldb:use rfc2307 = yes
    interfaces = lo br-lxc
    bind interfaces only = Yes
[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = No
    write ok = Yes
    acl_xattr:ignore system acls = yes
[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
    write ok = Yes
    acl_xattr:ignore system acls = yes
Member Server smb.conf (without shares)
-------------------------------------
[global]
  netbios name = FILESERVER
  workgroup = SAMDOM
  security = ADS
  realm = SAMDOM.EXAMPLE.COM
  dedicated keytab file = /etc/krb5.keytab
  kerberos method = secrets and keytab
  username map = /etc/samba/samba_usermap
  idmap config *:backend = tdb
  idmap config *:range = 2000-9999
  idmap config SAMDOM:backend = ad
  idmap config SAMDOM:schema_mode = rfc2307
  idmap config SAMDOM:range = 10000-99999
  winbind nss info = rfc2307
  winbind use default domain = yes
  winbind enum users  = yes
  winbind enum groups = yes
  winbind refresh tickets = Yes
  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes
  load printers = no
  printing = bsd
  printcap name = /dev/null
Rowland Penny
2018-May-13  11:38 UTC
[Samba] Domain member server not getting updated AD attributes
On Sun, 13 May 2018 11:58:52 +0200 Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
> I'm running a pure Samba AD with one Samba AD DC and one member
> server, both on version 4.8.1.

Are you sure AD is working correctly? I ask this because there is a bug that comes into play if you try to upgrade a DC to 4.8.0 or 4.8.1 from an earlier version.

> Member Server smb.conf (without shares)
> -------------------------------------
>
> [global]
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
>
> winbind nss info = rfc2307

This could be your problem, the idmap_config lines changed at 4.6.0, it should now be:

idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-99999
idmap config SAMDOM : unix_nss_info = yes

You should also remove the 'winbind nss info' line

Then run 'net cache flush' on the Unix domain member

Rowland
Viktor Trojanovic
2018-May-13  12:09 UTC
[Samba] Domain member server not getting updated AD attributes
Hi Rowland,

On 13 May 2018 at 13:38, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sun, 13 May 2018 11:58:52 +0200
> Viktor Trojanovic via samba <samba at lists.samba.org> wrote:
>
> > I'm running a pure Samba AD with one Samba AD DC and one member
> > server, both on version 4.8.1.
>
> Are you sure AD is working correctly ?
> I ask this because there is a bug that comes into play if try to
> upgrade a DC to 4.8.0.or 4.8.1 from an earlier version.
>

I have not noticed any other issues. Users can log in, GPOs are being properly applied, the event viewer in Windows is not complaining either. Anything specific to look for? If it matters, I'm on Arch, and I only just updated Samba, most likely directly from a version pre-4.60 and not from 4.80.

> > Member Server smb.conf (without shares)
> > -------------------------------------
> >
> > [global]
> > idmap config SAMDOM:backend = ad
> > idmap config SAMDOM:schema_mode = rfc2307
> > idmap config SAMDOM:range = 10000-99999
> >
> > winbind nss info = rfc2307
>
> This could be your problem,the idmap_config lines changed at 4.6.0, it
> should now be:
>
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 10000-99999
> idmap config SAMDOM : unix_nss_info = yes
>
> You should also remove the 'winbind nss info' line
>
> Then run 'net cache flush' on the Unix domain member'
>
> Rowland
>

That seems to have done the trick - getent finally shows the correct user number. Thanks for that.

If anyone else should come across the same issue and wants to know more, check out: https://wiki.samba.org/index.php/Idmap_config_ad

Viktor