
I have two Linux servers connected to an Active Directory Windows 2008 server using Samba/Winbind, and here is my Samba config:

    workgroup = COMPANY
    realm = COMPANY.COM
    server string = SAMBA-AD Server
    security = ADS
    password server = 10.1.x.x
    log level = 2
    log file = /var/log/samba/log.%m
    max log size = 50
    unix extensions = No
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template homedir = /home/%u
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307

Both are configured exactly alike; however, when I run `getent group`, the GIDs listed are different on each server, even though the ranges are exactly the same, 10000-20000.

On Linux server A:

    domain computers:*:10011:

On Linux server B:

    domain computers:*:10008:

It doesn't appear to start from 10000.

How can I synchronize the GIDs to be exact on both the Linux servers? Any help greatly appreciated!

EDIT: @larsks, I tried adding idmap_rid and this is the newest config:

    workgroup = COMPANY
    realm = COMPANY.COM
    server string = SAMBA-AD Server
    security = ADS
    password server = 10.1.xx.xx
    log file = /var/log/samba/log.%m
    max log size = 50
    unix extensions = No
    idmap config COMPANY:backend = rid
    idmap config COMPANY:base_rid = 1000
    idmap config COMPANY:range = 10000 - 20000
    template homedir = /home/%u
    template shell = /bin/bash
    winbind separator = +
    winbind enum users = Yes
    winbind enum groups = Yes
    winbind use default domain = Yes
    winbind nss info = rfc2307
    hosts allow = 127., 192.168.12., 192.168.13., 10.1.11., 10.2.,
    wide links = Yes

I removed `idmap gid = 10000-20000`.

Do I need to remove `winbind enum groups = Yes`?

However, the GID remains the same even when I restart winbind/samba after the idmap_rid additions.

Shiroi98

1 Answer

You can use the idmap_rid idmap backend, which algorithmically generates ids so that there's no need to synchronize them (that is, two systems will always generate the same GID for a given group).

You can also use the LDAP idmap backend to store generated ids in a central (shared) location. This is only necessary if you're not using the idmap_rid backend.

larsks
  • Hi, I changed my Samba config and it can be seen above. Please let me know if I did something incorrect; the GID remains unchanged after a samba/winbind restart. – Shiroi98 Jul 31 '13 at 19:58
  • I suspect that Samba caches ids once they have been generated, so you'll probably have to clear the cache. I don't have a Samba installation in front of me right now so I can't tell you exactly where to look. See if you get the correct behavior for *new* groups before spending too much time trying to figure out how to clear the cache. – larsks Jul 31 '13 at 20:03
  • Hmm... something went wrong. I typed `wbinfo -g` and it lists the groups, but now `getent group` does not list the groups. – Shiroi98 Jul 31 '13 at 21:42
  • Never mind, solved `getent group` not showing. But I also tried to delete the Samba cache: https://lists.samba.org/archive/samba/2010-May/155521.html, removing `winbind_cache.tdb` and `winbind_idmap.tdb`, restarted the services, and they came back, but the GID still shows the same GIDs. – Shiroi98 Aug 01 '13 at 00:26
  • Not sure then. I don't have an active winbind environment at the moment, so I'm just working from the documentation. If I have some spare time I'll set one up, but it's not going to be today. Good luck! – larsks Aug 01 '13 at 00:28
  • I had some progress: I stopped winbind and samba, deleted all the *.tdb and *.ldb files in the /var/lib/samba/ folder (leaving the sub-folders intact) and restarted the services. The tdb files came back and all the UIDs/GIDs were reassigned new numbers! Now to test it across different servers to see if it matches. – Shiroi98 Aug 01 '13 at 16:15
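To make the answer's point about `idmap_rid` concrete, here is an added worked example (not code from the question, the answer, or the Samba project). It applies the mapping formula documented in idmap_rid(8), `ID = RID - BASE_RID + LOW_RANGE_ID`, to the `idmap config COMPANY:*` values from the second smb.conf above (base_rid 1000, range 10000-20000). The SIDs are constructed; the well-known RIDs 512/513/515 are the standard Active Directory values. Because the result depends only on the group's RID and the configuration, every server with the same config computes the same GID, which is exactly why no synchronization is needed. The example also shows the range check: with `base_rid = 1000`, built-in groups such as "domain computers" (RID 515) compute to an ID below 10000 and therefore get no mapping at all, whereas `base_rid = 0` keeps them inside the range.

```python
import re

# Values taken from the question's second smb.conf (idmap config COMPANY:...)
BASE_RID = 1000
RANGE_LOW = 10000
RANGE_HIGH = 20000

# Standard well-known domain RIDs (used here only to illustrate the range check)
WELL_KNOWN_RIDS = {"domain admins": 512, "domain users": 513, "domain computers": 515}

# Domain SID layout: S-1-5-21-<three 32-bit subauthorities>-<RID>
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def rid_from_sid(sid: str) -> int:
    """Extract the relative identifier (last component) from a domain SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid!r}")
    return int(m.group(1))


def rid_to_unix_id(rid: int, base_rid: int = BASE_RID,
                   low: int = RANGE_LOW, high: int = RANGE_HIGH):
    """idmap_rid(8) formula: ID = RID - BASE_RID + LOW_RANGE_ID.

    Returns None when the computed ID falls outside [low, high]; Samba
    refuses to map such a SID rather than picking another number.
    """
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def sid_to_unix_id(sid: str, **cfg):
    """Convenience wrapper: SID string -> Unix ID (or None if unmappable)."""
    return rid_to_unix_id(rid_from_sid(sid), **cfg)


def map_groups(groups: dict, **cfg) -> dict:
    """Map {group name: RID} to {group name: Unix GID or None} for one host.

    Running this with identical cfg on any number of hosts yields identical
    output, in contrast to the default allocating backend, which hands out
    the next free ID in the range in first-lookup order (hence 10011 on one
    server and 10008 on the other in the question).
    """
    return {name: rid_to_unix_id(rid, **cfg) for name, rid in groups.items()}


if __name__ == "__main__":
    # Constructed sample SIDs for the demo
    sample = {
        "domain computers": "S-1-5-21-1111111111-2222222222-3333333333-515",
        "developers":       "S-1-5-21-1111111111-2222222222-3333333333-1105",
    }
    for name, sid in sample.items():
        print(f"{name:18s} RID {rid_from_sid(sid):5d} -> "
              f"base_rid=1000: {sid_to_unix_id(sid)}   "
              f"base_rid=0: {sid_to_unix_id(sid, base_rid=0)}")
    print(map_groups(WELL_KNOWN_RIDS, base_rid=0))
```

Running it shows `developers` (RID 1105) mapping to 10105 on every host with this config, while `domain computers` maps to nothing until `base_rid` is lowered to 0 (giving 10515). This matches the behaviour the comments describe: once the old tdb-allocated mappings are removed and winbind restarted, the ids are recomputed from the RIDs and will agree across servers.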