[Samba] UID/GID -> SID -> NAME mapping across multiple DCs
Taylor Hammerling
thammerling at tcsbasys.com
Fri Dec 15 17:09:38 UTC 2017
This isn't necessarily an issue (I don't think) but more so a curiosity.
How are UIDs mapped to SIDs and then SIDs mapped to names in Samba4 across
multiple DCs?
I set up my DCs using Louis' how tos (
https://github.com/thctlo/samba4/tree/master/howtos).
All of my DCs' smb.confs have the line "idmap_ldp:use rfc2307 = yes".
My policies folder under \sysvol\domainname\ has permissions of
# file: Policies/
# owner: root
# group: 3000000
user::rwx
group::r-x
other::r-x
and the folders below the policies folder have permissions like this
393060 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26 {3010F9BE-44ED-474B-B1A4-97126DF3D2B2}
393073 drwxrwx---+ 4 3000008 3000008 4096 Dec 12 09:26 {31B2F340-016D-11D2-945F-00C04FB984F9}
393084 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26 {6AC1786C-016F-11D2-945F-00C04FB984F9}
393093 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26 {9BDC0BE2-5A5E-411F-81E5-6450803FA20D}
393100 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26 {9FCBF966-79B8-4E1B-9E96-EE950FD00731}
393108 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26 {F175AAA1-AA6D-4A0F-BD42-9321BAA3061E}
393006 drwxr-xr-x 3 3000000 users 12288 Dec 12 09:26 PolicyDefinitions
I have three DCs: dc1, dc2 and dc3.
I ran some wbinfo's on all my DCs to check if the UIDs lined up with the
same SIDs on each DC, and the results were confusing.
DC1======------
root at dc1 /# wbinfo -U 3000000
S-1-5-32-544
root at dc1 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc1 /# wbinfo -G 3000000
S-1-5-32-544
root at dc1 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc1 /# wbinfo -U 3000008
S-1-5-21-2360315722-3846793618-1593657947-572
root at dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
TCSBASYS\Denied RODC Password Replication Group 4
root at dc1 /# wbinfo -G 3000008
S-1-5-21-2360315722-3846793618-1593657947-572
root at dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
TCSBASYS\Denied RODC Password Replication Group 4
DC2======------
root at dc2 /# wbinfo -U 3000000
S-1-5-32-544
root at dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc2 /# wbinfo -G 3000000
S-1-5-32-544
root at dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc2 /# wbinfo -U 3000008
S-1-5-21-2360315722-3846793618-1593657947-512
root at dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
TCSBASYS\Domain Admins 2
root at dc2 /# wbinfo -G 3000008
S-1-5-21-2360315722-3846793618-1593657947-512
root at dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
TCSBASYS\Domain Admins 2
DC3======------
root at dc2 /# wbinfo -U 3000000
S-1-5-32-544
root at dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc2 /# wbinfo -G 3000000
S-1-5-32-544
root at dc2 /# wbinfo -s S-1-5-32-544
BUILTIN\Administrators 4
root at dc3 /# wbinfo -U 3000008
S-1-5-64-10
root at dc3 /# wbinfo -s S-1-5-64-10
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-64-10
root at dc3 /# wbinfo -G 3000008
S-1-5-64-10
root at dc3 /# wbinfo -s S-1-5-64-10
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-64-10
Any help/insight you can provide would be greatly appreciated!
Thanks and have a super Friday!
--
*Taylor Hammerling* | *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com
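
The per-DC wbinfo comparison done by hand in the post can be scripted so that any xid resolving to different SIDs on different DCs is reported. This is an added example, not part of the original post; root ssh access to each DC and the function names are assumptions, and the sample values are the ones shown in the post.

```shell
#!/bin/sh
# Added example: report xids that resolve to different SIDs on different DCs.

# collect_idmap HOST XID...: print "HOST XID SID" for each xid as resolved on
# HOST. Assumes root ssh access to the DC (an assumption, not from the post).
collect_idmap() {
    host=$1; shift
    for xid in "$@"; do
        # wbinfo -U maps a uid to a SID (use -G for gids); an unmapped or
        # unreachable lookup is recorded as "-" so it still shows up as drift.
        sid=$(ssh "root@$host" wbinfo -U "$xid" 2>/dev/null) || sid=-
        printf '%s %s %s\n' "$host" "$xid" "${sid:--}"
    done
}

# idmap_drift: read "HOST XID SID" lines on stdin and print one line per xid
# that does not resolve to the same SID everywhere:
#   XID host=SID host=SID ...
idmap_drift() {
    awk '
        NF == 3 {
            if (!($2 in first)) { first[$2] = $3; order[++n] = $2 }
            else if (first[$2] != $3) drift[$2] = 1
            seen[$2] = seen[$2] " " $1 "=" $3
        }
        END {
            for (i = 1; i <= n; i++)
                if (order[i] in drift) print order[i] seen[order[i]]
        }'
}

# Values copied from the wbinfo output in the post.
post_sample() {
    cat <<'EOF'
dc1 3000000 S-1-5-32-544
dc1 3000008 S-1-5-21-2360315722-3846793618-1593657947-572
dc2 3000000 S-1-5-32-544
dc2 3000008 S-1-5-21-2360315722-3846793618-1593657947-512
dc3 3000000 S-1-5-32-544
dc3 3000008 S-1-5-64-10
EOF
}

# Live use (not run here):
#   for dc in dc1 dc2 dc3; do collect_idmap "$dc" 3000000 3000008; done | idmap_drift
```

Running `post_sample | idmap_drift` flags only 3000008, the owner and group shown on the GPO folders listed above.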