samba-users May 2010 archive

Re: [Samba] [PLUG] Problems using multiple Samba servers in a Win2003 AD domain - more

From: Mike Leone <turgon_at_nospam>
Date: Tue May 04 2010 - 00:21:24 GMT
To: Samba <samba@lists.samba.org>

On 05/03/2010 04:14 PM, Dale Schroeder wrote:
> On 05/02/2010 10:32 PM, Mike Leone wrote:
>> Here's what I don't understand - the user I am trying to mount shares
>> with, does not show up the same on both systems, yet the smb.confs are
>> the same.
>>
>> From workhorse:
>>
>> $ getent passwd
>> <snip>
>> DACRIB+turgon:*:10007:10012:Mike Leone:/home/DACRIB/turgon:/bin/bash
>>
>> $ getent group
>> <snip>
>> DACRIB+domain users:x:10012:
>>
>> From Dual-Booter:
>>
>> $ getent passwd
>> <snip>
>> DACRIB+turgon:*:10003:10000:Mike Leone:/home/DACRIB/turgon:/bin/bash
>>
>> $ getent group
>> <snip>
>> DACRIB+domain users:x:10000:
>>
>> Is this the reason I can't mount? Shouldn't the group IDs be equivalent
>> on both Samba servers, especially since the smb.confs have the same
>> settings?
>>
> Mike,
>
> Since I see you're using RID for the idmap backend,

Only because I found a web howto that recommended it. :-) Apparently, I
need the domain uid and gid to be the same on different Samba servers,
and this page recommended RID as the way to do it.

> yes, the user and
> group ID's should be the same across all Samba servers.
> I can't say if that's your only problem. You might try regenerating
> /var/cache/samba/idmap_cache.tdb on both systems to see
> which is correct. Be aware that you will have to reset directory/file
> permissions on the incorrect system after this is done.

How do I do that? Do I just stop winbind and samba; delete the
idmap_cache.tdb; and restart winbind and samba?

I believe I had started fresh, by leaving the domain; deleting all .tdb
files; rejoining the domain. But I may be mis-remembering ...

> If you only have one domain,

I do.

> you might also try the simpler, old-style idmap_rid declaration.
>
> #idmap config DACRIB:range = 10000 - 20000
> #idmap config DACRIB:backend = rid
> #idmap config DACRIB:schema_mode = rfc2307
> idmap backend = rid:DACRIB=10000-20000
>
> For testing purposes, also note that for idmap_rid, the defaults for
> "auth methods" and "winbind nss info" are usually sufficient.

I can give that a shot, sure. :-)

> Although it may not matter, there are some significant differences in
> the smb.conf's. Specifically, in Dual-Booter, you have
> set some parameters in [global] (that are normally reserved for shares)
> which are not declared in workhorse.
>
> [global]
>
> read only = No
> create mask = 0700
> directory mask = 0775
>

I can lose those, no big deal.

> Additionally, Dual-Booter has the following, but workhorse does not.
>
> invalid users = root

I am told (on another list) that I will need to use nss_ldap, if I
want(need?) to keep domain lookups consistent across Samba servers.
Using winbind for NSS only guarantees consistent uid/gids on one server.

Such conflicting information is what makes these ... less than
enjoyable. :-)
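
An added example, not part of the original message: a Python check that compares the `getent` lines quoted in the thread between the two servers and tests the "domain users" GID against what idmap_rid would compute. The function names are hypothetical; the formula (ID = RID - base_rid + low end of range) and `base_rid = 0` are assumed from the idmap_rid manual page defaults, and 513 is the well-known RID of Domain Users.

```python
# Added example: compare winbind ID mappings captured from two Samba servers.
# The sample lines are the getent output quoted in the thread above.
WORKHORSE = {
    "passwd": "DACRIB+turgon:*:10007:10012:Mike Leone:/home/DACRIB/turgon:/bin/bash",
    "group": "DACRIB+domain users:x:10012:",
}
DUAL_BOOTER = {
    "passwd": "DACRIB+turgon:*:10003:10000:Mike Leone:/home/DACRIB/turgon:/bin/bash",
    "group": "DACRIB+domain users:x:10000:",
}
DOMAIN_USERS_RID = 513  # well-known RID of the AD "Domain Users" group

def parse_ids(passwd_text, group_text):
    """Return {("user"|"group", name): numeric id} from getent-style lines."""
    ids = {}
    for kind, text in (("user", passwd_text), ("group", group_text)):
        for line in text.splitlines():
            f = line.split(":")
            if len(f) >= 3 and f[2].isdigit():  # skips "<snip>" and blank lines
                ids[(kind, f[0])] = int(f[2])
    return ids

def mismatches(a, b):
    """Names present on both hosts whose numeric IDs differ."""
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}

def rid_expected(rid, low=10000, high=20000, base_rid=0):
    """ID idmap_rid would assign (assumed formula); None if outside the range."""
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def report():
    a = parse_ids(WORKHORSE["passwd"], WORKHORSE["group"])
    b = parse_ids(DUAL_BOOTER["passwd"], DUAL_BOOTER["group"])
    want = rid_expected(DOMAIN_USERS_RID)
    key = ("group", "DACRIB+domain users")
    rid_ok = {"workhorse": a[key] == want, "Dual-Booter": b[key] == want}
    return mismatches(a, b), want, rid_ok

if __name__ == "__main__":
    diff, want, rid_ok = report()
    for (kind, name), (x, y) in sorted(diff.items()):
        print(f"{kind} {name}: workhorse={x} Dual-Booter={y}")
    print(f"idmap_rid would map Domain Users to {want}; matches: {rid_ok}")
```

Under those assumptions, a GID that matches the computed value on neither host indicates the mappings were not produced by the rid backend with the 10000-20000 range.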
