nielsd (Cadet, joined Apr 22, 2022)
Hi all,
old PDC + AD
we have a Samba PDC ("server") with AD (managed by Windows RSAT) with Roaming Profiles on an old "FreeNAS 10".
Code:
[root@server] ~# wbinfo -i "SRG2\niels"
SRG2\niels:*:3000187:20:
The "server" config
Code:
[global]
    server min protocol = CORE
    server max protocol = SMB3
    encrypt passwords = yes
    dns proxy = no
    strict locking = no
    oplocks = yes
    deadtime = 15
    max log size = 51200
    max open files = 941843
    logging = file
    load printers = no
    printing = bsd
    printcap name = /dev/null
    disable spoolss = yes
    getwd cache = yes
    guest account = nobody
    map to guest = Bad User
    obey pam restrictions = yes
    directory name cache size = 0
    kernel change notify = no
    panic action = /usr/local/libexec/samba/samba-backtrace
    nsupdate command = /usr/local/bin/samba-nsupdate -g
    server string = SRG Server (neu)
    ea support = yes
    store dos attributes = yes
    lm announce = yes
    time server = yes
    null passwords = yes
    acl allow execute always = true
    dos filemode = yes
    multicast dns register = yes
    domain logons = yes
    local master = yes
    idmap config *: backend = tdb
    idmap config *: range = 1000-100000000
    server role = active directory domain controller
    netbios name = SERVER
    workgroup = SRG2
    realm = SRG2.LOCAL
    dns forwarder = 192.168.123.254
    idmap_ldb:use rfc2307 = yes
    create mask = 0660
    directory mask = 0770
    client ntlmv2 auth = yes
    dos charset = CP437
    unix charset = UTF-8
    log level = 2
    tls enabled = yes
    tls keyfile = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile = tls/ca.pem
    logon path = \\%L\profiles\%U
    logon drive = L:
    preexec = /mnt/pool/admin_tools/sbin/netlogon_create %U
    nsupdate command = samba_dnsupdate
    wins support = yes
    unix extensions = no

[sysvol]
    path = /var/db/samba4/sysvol
    read only = no
    vfs objects = zfs_space zfsacl
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

[netlogon]
    path = /var/db/samba4/sysvol/srg2.local/scripts
    read only = no
    vfs objects = zfs_space zfsacl
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = true
    zfsacl:acesort = dontcare

[antivir]
    path = ...
...
Joined a second / new PDC + AD
I've added a new redundant Samba PDC with AD ("pdc2") to the domain just by joining; it syncs fine with the old Samba PDC / AD and provides the same Unix UIDs/GIDs:
Code:
root@pdc2:~ # wbinfo -i "SRG2\niels"
SRG2\niels:*:3000187:20:
The PDC2 config (as default / auto-created by samba init):
Code:
root@pdc2:~ # cat /usr/local/etc/smb4.conf
# Global parameters
[global]
    netbios name = PDC2
    realm = SRG2.LOCAL
    server role = active directory domain controller
    workgroup = SRG2
    ### added by me
    wins support = yes
    # allow enumeration of winbind users and groups
    winbind enum users = yes
    winbind enum groups = yes
    ### end

[sysvol]
    path = /var/db/samba4/sysvol
    read only = No

[netlogon]
    path = /var/db/samba4/sysvol/srg2.local/scripts
    read only = No
Join new TrueNAS as NAS (only reads users/groups from AD)
But when I try to attach a new TrueNAS system (it should provide Samba shares), I'm unable to "match" the Unix UID/GID idmapping in any way (while TrueNAS persists in setting idmaps in the config):
Code:
root@nas3:~ # wbinfo -i "SRG2\niels"
SRG2\niels:*:1001333:1000513::
I tried to play with RID as well as AUTORID, but neither provided consistent UIDs/GIDs.
How can I calculate the correct RID? The official docs are very unclear to me about how to get and calculate the correct ranges.
Or does any other IDMAP mechanism suit here better?
TrueNAS (nas3) should only provide NAS shares (from ZFS) with the users/groups from AD, without any local/own user management.
many thanks,
niels.
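To make the RID arithmetic concrete, here is an added example (not code from the post, from TrueNAS or from Samba) of what the idmap_rid and idmap_autorid backends compute from a SID. The domain SID, the RID 1333 for niels and the nas3 range 1000000-1999999 are assumptions chosen so that the result reproduces the uid 1001333 / gid 1000513 shown above (513 is the well-known RID of Domain Users); the real values come from `wbinfo -n "SRG2\niels"` and the `idmap config SRG2 : range` line on nas3. The 3000187 on the two DCs is not RID-derived at all: a Samba AD DC allocates xidNumbers sequentially in idmap.ldb (starting at 3000000) unless the account carries an rfc2307 uidNumber/gidNumber, so no idmap_rid range on a member server can reproduce it, and identical IDs on DCs and members need those attributes set in AD (via RSAT) and an attribute-based backend (idmap_ad) on the members. The autorid part shows why it was not consistent: a range slot is handed out per domain on first use and persisted in autorid.tdb, so two hosts that met domains in a different order get different numbers for the same account.

```python
"""idmap_rid / idmap_autorid arithmetic, as an added worked example.

Assumptions (not from the post): a made-up domain SID, RID 1333 for niels,
and a nas3 range of 1000000-1999999 that reproduces 1001333 / 1000513.
"""
import re

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample data: hypothetical domain SID and RIDs.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SIDS = {
    "SRG2\\niels": f"{DOMAIN_SID}-1333",         # assumed RID for the user
    "SRG2\\Domain Users": f"{DOMAIN_SID}-513",   # well-known RID 513
}


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID) for a domain account SID; reject anything else."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def rid_to_xid(sid: str, low: int, high: int, base_rid: int = 0) -> int:
    """idmap_rid: xid = RID - base_rid + low, valid only inside [low, high].

    The mapping is pure arithmetic, so every host with the same range line
    produces the same uid/gid for the same SID."""
    _, rid = split_sid(sid)
    xid = rid - base_rid + low
    if not low <= xid <= high:
        raise ValueError(f"RID {rid} maps to {xid}, outside range {low}-{high}")
    return xid


def xid_to_rid(xid: int, low: int, high: int, base_rid: int = 0) -> int:
    """Inverse of rid_to_xid: which RID does a numeric owner on disk refer to?"""
    if not low <= xid <= high:
        raise ValueError(f"{xid} is not in idmap range {low}-{high}")
    return xid - low + base_rid


def maps_in_range(sid: str, low: int, high: int, base_rid: int = 0) -> bool:
    """True when idmap_rid can map the SID with this range (a too-small range
    silently leaves high RIDs unmapped, which shows up as 'nobody' owners)."""
    try:
        rid_to_xid(sid, low, high, base_rid)
        return True
    except ValueError:
        return False


def autorid_xid(sid: str, low: int, rangesize: int, slot_table: dict) -> int:
    """idmap_autorid (simplified): xid = low + slot*rangesize + RID % rangesize.

    The slot for (domain, RID // rangesize) is allocated on first sight and
    persisted in autorid.tdb; this toy allocator just hands out the next free
    slot, which is enough to show the host-dependence."""
    dom, rid = split_sid(sid)
    key = (dom, rid // rangesize)
    if key not in slot_table:
        slot_table[key] = len(slot_table)
    return low + slot_table[key] * rangesize + rid % rangesize


def same_ids_on_both_hosts(sid: str, low: int, rangesize: int) -> bool:
    """Two hosts that saw domains in a different order: do they agree on the id?"""
    host_a: dict = {}
    host_b: dict = {("S-1-5-21-9-9-9", 0): 0}  # host B met another domain first
    return autorid_xid(sid, low, rangesize, host_a) == autorid_xid(sid, low, rangesize, host_b)


if __name__ == "__main__":
    low, high = 1000000, 1999999  # assumed nas3 range
    for name, sid in SAMPLE_SIDS.items():
        print(f"{name}: {sid} -> {rid_to_xid(sid, low, high)}")
    print("owner 1001333 is RID", xid_to_rid(1001333, low, high))
    print("autorid consistent across hosts:",
          same_ids_on_both_hosts(SAMPLE_SIDS["SRG2\\niels"], low, 100000))
```

The useful check for a member server is the inverse direction: take a numeric owner from `ls -n` on the ZFS dataset, run it through `xid_to_rid` with the range from smb4.conf, and compare the RID with `wbinfo -n` for the account you expect; if the two differ, the range line on that host is not the one the files were written under.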