[Samba] Samba 4 Member server show diferent UID than Ad Server

So you need to configure winbindd the right way to solve this.
In deed if you have another UID it can result in "access refused".
This is an issue I treid to discuss since samba4 started and I think this should be an integrated thing in samba ads to member server
Without having admins to bother about.

Greetings
Daniel

EDV Daniel Müller

Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
eMail: ***@tropenklinik.de
Internet: www.tropenklinik.de

-----Ursprüngliche Nachricht-----
Von: Juan Ignacio [mailto:***@gmail.com]
Gesendet: Montag, 13. Juni 2016 17:32
An: ***@lists.samba.org
Betreff: [Samba] Samba 4 Member server show diferent UID than Ad Server

Hello friends, I come to ask for a hand.

I have an AD server with Samba 4.1 and added a Member Server 4.4 without problems.

The only problem I'm having is that the UID of users in the Member Server are different from the AD server.

Ad Server

KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone Domingues:/home/KENNEDY/florenciaelmone:/bin/false

Member Server

florenciaelmone:*:100002:100008:Florencia Elmone Domingues:/home/KENNEDY/florenciaelmone:/bin/false

Some way to resolve this?

Thanks.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

mathias dufresne

2016-06-14 10:30:02 UTC

Without UID and / or GID configured into AD database (into LDAP tree) Samba
would give UID / GID to users and groups when needed, and as nothing is
written, Samba has to guess. This guessing process is called id mapping.

Samba does not synchronize generated file containing this ID map. No
synchronization and xID random xID fathers to xID inconsistency.

This is not necessarily an issue: with only one DC (a config I can't
approve) no issue: Sysvol is hosted by only one DC, no inconsistency when
your are alone (that's when you met people that craziness appears :). File
servers do not host same files normally: AD DC are hosting Sysvol and
NetLogon and these both shares are not hosted on file servers which are
hosting others files. Different files so no issue with rights... as long as
you don't have to make copy or displace files from server to server, in
that case that could be a mess..

Solution seems to be:
- give UID/GID to everything in AD. Your users and those in CN=BUILTIN and
CN=Users too.
- synchronize private/idmap.ldb across your DC at least (they all host
Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
servers seem to not have that file.
- use "net cache flush" to clear idmap cache on every server (members
included). Once cache is cleared, Winbind would need to find out what
UID/GID to use, it should now rely on UID:GID declared into AD database and
the issue should disappear.

Post by Mueller
So you need to configure winbindd the right way to solve this.
In deed if you have another UID it can result in "access refused".
This is an issue I treid to discuss since samba4 started and I think this
should be an integrated thing in samba ads to member server
Without having admins to bother about.
Greetings
Daniel
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Internet: www.tropenklinik.de
-----Ursprüngliche Nachricht-----
Gesendet: Montag, 13. Juni 2016 17:32
Betreff: [Samba] Samba 4 Member server show diferent UID than Ad Server
Hello friends, I come to ask for a hand.
I have an AD server with Samba 4.1 and added a Member Server 4.4 without problems.
The only problem I'm having is that the UID of users in the Member Server
are different from the AD server.
Ad Server
KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone
Domingues:/home/KENNEDY/florenciaelmone:/bin/false
Member Server
florenciaelmone:*:100002:100008:Florencia Elmone
Domingues:/home/KENNEDY/florenciaelmone:/bin/false
Some way to resolve this?
Thanks.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Juan Ignacio

2016-06-14 15:00:02 UTC

I like the idea.

- synchronize private/idmap.ldb across your DC at least (they all host
Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
servers seem to not have that file.

But in my Domain Controler I do not find this file.

I found the file in the AD DC.

There any way to avoid adding UID users, or impossible without doing this.
They are as 300 users.

Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

Post by mathias dufresne
Without UID and / or GID configured into AD database (into LDAP tree) Samba
would give UID / GID to users and groups when needed, and as nothing is
written, Samba has to guess. This guessing process is called id mapping.
Samba does not synchronize generated file containing this ID map. No
synchronization and xID random xID fathers to xID inconsistency.
This is not necessarily an issue: with only one DC (a config I can't
approve) no issue: Sysvol is hosted by only one DC, no inconsistency when
your are alone (that's when you met people that craziness appears :). File
servers do not host same files normally: AD DC are hosting Sysvol and
NetLogon and these both shares are not hosted on file servers which are
hosting others files. Different files so no issue with rights... as long as
you don't have to make copy or displace files from server to server, in
that case that could be a mess..
- give UID/GID to everything in AD. Your users and those in CN=BUILTIN and
CN=Users too.
- synchronize private/idmap.ldb across your DC at least (they all host
Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
servers seem to not have that file.
- use "net cache flush" to clear idmap cache on every server (members
included). Once cache is cleared, Winbind would need to find out what
UID/GID to use, it should now rely on UID:GID declared into AD database and
the issue should disappear.

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

mathias dufresne

2016-06-14 15:20:02 UTC

Post by Juan Ignacio
I like the idea.
- synchronize private/idmap.ldb across your DC at least (they all host
Sysvol, sysvol is rsynced, here you can have issues with UID/GID). Members
servers seem to not have that file.
But in my Domain Controler I do not find this file.

I expect you meant "domain member" rather tha "domain controller". Domain
member don't have that file.

Post by Juan Ignacio
I found the file in the AD DC.

Yep it exists on AD DC.

Post by Juan Ignacio
There any way to avoid adding UID users, or impossible without doing this.
They are as 300 users.

As I explained below (previous mail) the fact UID/GID are not the same
between DC and file servers is not necessarily an issue: these UID/GID are
used by Samba to translate Windows identity to UNIX identity (Windows users
from Windows clients accessing Windows shares hosted by Samba, on Linux
system and so hosted by Linux file system, rights on Linux FS are done
using UID/GID).

Now if you are a bit lost with all these rights management or if you want
limit risk in future (more DC, using DFS or whatever) the simpler is to set
up UID and GID to every users and every groups.

You will have to set up GID on groups first, then UID (and GID) on users if
you do that manually using ADUC (at least it was the case I believe when I
tested).

To avoid doing that manually: script it! Chaining ldbsearch to list groups
then to list users, awk to read the result of ldbsearch and to write
resultant LDIF file.

Then you run one command: ldbmodify -H $sam
/path/to/your/newly/created/file/ldif
This command should modify all users and groups as defined into LDIF file,
adding uidNumber and/or gidNumber to groups and users if the script is
correct enough.

Have fun ;)

Post by Juan Ignacio
Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

this

Post by Mueller
should be an integrated thing in samba ads to member server
Without having admins to bother about.
Greetings
Daniel
EDV Daniel Müller
Leitung EDV
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen
Tel.: 07071/206-463, Fax: 07071/206-499
Internet: www.tropenklinik.de
-----Ursprüngliche Nachricht-----
Gesendet: Montag, 13. Juni 2016 17:32
Betreff: [Samba] Samba 4 Member server show diferent UID than Ad Server
Hello friends, I come to ask for a hand.
I have an AD server with Samba 4.1 and added a Member Server 4.4 without problems.
The only problem I'm having is that the UID of users in the Member

Server

Post by Mueller
are different from the AD server.
Ad Server
KENNEDY\florenciaelmone:*:3000679:100:Florencia Elmone
Domingues:/home/KENNEDY/florenciaelmone:/bin/false
Member Server
florenciaelmone:*:100002:100008:Florencia Elmone
Domingues:/home/KENNEDY/florenciaelmone:/bin/false
Some way to resolve this?
Thanks.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

2016-06-14 15:30:01 UTC

idmap.ldb is only used on a Samba 4 AD DC, but the contents can be and
and very often are different on each DC.

Post by Juan Ignacio
But in my Domain Controler I do not find this file.
I found the file in the AD DC.

I don't quite understand this, you have a domain controller that doesn't
have an idmap.ldb file, is this a windows domain controller ?

The idmap.ldb file you found, was this on a secondary AD DC ?

Post by Juan Ignacio
There any way to avoid adding UID users, or impossible without doing this.
They are as 300 users.

On a domain member, yes.
On a Samba AD DC, yes
There is a problem however, your users on the DC would get a different
UID compared to the domain member. the same goes for groups.

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Juan Ignacio

2016-06-14 15:50:02 UTC

The structure is as follows.

AD DC (Samba 4.1)------------------- Member DC (Samba 4.4)

private/idmap.ldb ----------------- not private/idmap.ldb

The idmap.ldb file you found, was this on a secondary AD DC ?

-No the idmap.ldb i found was in the primary AD DC, im not have a
secondary AD DC, i also have a Member DC.

idmap.ldb is only used on a Samba 4 AD DC, but the contents can be and and
very often are different on each DC.

Post by Juan Ignacio
But in my Domain Controler I do not find this file.
I found the file in the AD DC.

I don't quite understand this, you have a domain controller that doesn't
have an idmap.ldb file, is this a windows domain controller ?
The idmap.ldb file you found, was this on a secondary AD DC ?

Post by Juan Ignacio
There any way to avoid adding UID users, or impossible without doing this.
They are as 300 users.

On a domain member, yes.
On a Samba AD DC, yes
There is a problem however, your users on the DC would get a different UID
compared to the domain member. the same goes for groups.
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland penny

2016-06-14 16:00:02 UTC

Post by Juan Ignacio
The structure is as follows.
AD DC (Samba 4.1)------------------- Member DC (Samba 4.4)
private/idmap.ldb ----------------- not private/idmap.ldb
The idmap.ldb file you found, was this on a secondary AD DC ?
-No the idmap.ldb i found was in the primary AD DC, im not have a
secondary AD DC, i also have a Member DC.

If you created the 'Member DC' by provisioning it with samba-tool, can I
suggest you remove it from the domain, then rejoin it as a secondary DC.
Whilst you 'can' provision a 'Member DC' with samba-tool, it isn't
really a 'Member DC', it doesn't work correctly. You can only provision
a DC with samba-tool, everything else is depreciated and could be and
probably will be removed when 4.6.0 comes out (the release after next)

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Juan Ignacio

2016-06-14 16:10:01 UTC

No, im not provisioning it with samba-tool im provision folowing the Samba
Documentation.

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member

Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

If you created the 'Member DC' by provisioning it with samba-tool, can I
suggest you remove it from the domain, then rejoin it as a secondary DC.
Whilst you 'can' provision a 'Member DC' with samba-tool, it isn't really
a 'Member DC', it doesn't work correctly. You can only provision a DC with
samba-tool, everything else is depreciated and could be and probably will
be removed when 4.6.0 comes out (the release after next)
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Carlos A. P. Cunha

2016-06-14 16:10:01 UTC

Hello
I also have a DC and Member server (separately) using RID is the same
displays Ids different between the two ...

Post by Juan Ignacio
No, im not provisioning it with samba-tool im provision folowing the Samba
Documentation.
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

If you created the 'Member DC' by provisioning it with samba-tool, can I
suggest you remove it from the domain, then rejoin it as a secondary DC.
Whilst you 'can' provision a 'Member DC' with samba-tool, it isn't really
a 'Member DC', it doesn't work correctly. You can only provision a DC with
samba-tool, everything else is depreciated and could be and probably will
be removed when 4.6.0 comes out (the release after next)
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Juan Ignacio

2016-06-14 16:20:01 UTC

Anyway everything seems to work well.
The shares are correctly and users recognize them without problems. getent
and wbinfo.

The main problem is that apparently the Member DC does not get the UID
properly containing the user in the ADDC.

There is something that can change in the smb.conf the Member DC, I
remember a few years ago with the same AD DC we get the UID correctly.

If you created the 'Member DC' by provisioning it with samba-tool, can I
suggest you remove it from the domain, then rejoin it as a secondary DC.
Whilst you 'can' provision a 'Member DC' with samba-tool, it isn't really
a 'Member DC', it doesn't work correctly. You can only provision a DC with
samba-tool, everything else is depreciated and could be and probably will
be removed when 4.6.0 comes out (the release after next)
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Edson Tadeu Almeida da Silveira via samba

2016-09-23 00:10:01 UTC

I'm having the same problem and i can't find the solution.

How are you about this ?

Tks!!

Post by Juan Ignacio
Anyway everything seems to work well.
The shares are correctly and users recognize them without problems. getent
and wbinfo.
The main problem is that apparently the Member DC does not get the UID
properly containing the user in the ADDC.
There is something that can change in the smb.conf the Member DC, I
remember a few years ago with the same AD DC we get the UID correctly.

Post by Juan Ignacio
No, im not provisioning it with samba-tool im provision folowing the

Samba

Post by Juan Ignacio
Documentation.
https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
Analista Inf.
Juan Ignacio Pazos
<http://www.linkedin.com/pub/juan-ignacio-pazos-lorenzo/19/9b9/26a>

really

Post by Rowland penny
a 'Member DC', it doesn't work correctly. You can only provision a DC

with

Post by Rowland penny
samba-tool, everything else is depreciated and could be and probably

will

Post by Rowland penny
be removed when 4.6.0 comes out (the release after next)
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

--
-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lis

mathias dufresne via samba

2016-10-03 15:10:01 UTC

Hi,

We finally decided to synchronize idmap.ldb using rsync.
We also have added UID and/or GID to every user and groups, even those in
cn=builtin and cn=users.

That was done several months ago and since we do not encounter any issue in
GPO.

I read here there are others possibilities, that's the one we choose and it
seems to work.

Cheers,

Mathias

2016-09-23 1:58 GMT+02:00 Edson Tadeu Almeida da Silveira via samba <

Post by Edson Tadeu Almeida da Silveira via samba
I'm having the same problem and i can't find the solution.
How are you about this ?
Tks!!

Post by Juan Ignacio
Anyway everything seems to work well.
The shares are correctly and users recognize them without problems.

getent

Post by Juan Ignacio
and wbinfo.
The main problem is that apparently the Member DC does not get the UID
properly containing the user in the ADDC.
There is something that can change in the smb.conf the Member DC, I
remember a few years ago with the same AD DC we get the UID correctly.

Post by Juan Ignacio
No, im not provisioning it with samba-tool im provision folowing the

Samba

If you created the 'Member DC' by provisioning it with samba-tool,

can I

Post by Rowland penny
suggest you remove it from the domain, then rejoin it as a secondary

DC.

Post by Rowland penny
Whilst you 'can' provision a 'Member DC' with samba-tool, it isn't

really

Post by Rowland penny
a 'Member DC', it doesn't work correctly. You can only provision a DC

with

Post by Rowland penny
samba-tool, everything else is depreciated and could be and probably

will