wellknown and uid/gid interactions on multi DC samba AD domain

steve steve at steve-ss.com
Wed May 14 05:55:32 MDT 2014

On Wed, 2014-05-14 at 12:32 +0100, Rowland Penny wrote:

> > [root at kdc03:locks]# wbinfo -G 3000000
> > S-1-5-32-544
> > [root at kdc03:locks]# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> >
> > If I read it correctly BUILTIN\Administrators should be mapped as 4 so
> > same as on the other one.
> >
> > Did I forget something?
> >
> > Regards,
> > Daniele.
> >
> Hi, you never posted just what distro you are using (or if you did, I 
> missed it), but mapping Administrators to '4' is not a good idea, I 
> learnt the hard way with 'Domain Users' !!

AFAICT, no. He has BUILTIN\Administrators mapped to 4:3000000

We _think_ a sysvolreset should sort it out but unless you transfer the
idmap db from the first DC just before you start the second DC for the
first time, the mappings could be different. It's the 'could be' that
messes up a lot of GPO stuff if the other DC is consulted. It can lock
you out from your redirected desktop for example. It's essential to map
perfectly if you are rsyncing.
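
Added example, not part of the original post: one way to check that two DCs agree on every SID-to-xid mapping before sysvol is rsynced between them. It assumes each DC's idmap database has been dumped to LDIF text with `cn: <SID>` and `xidNumber: <id>` lines per record; the function names and the sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Compare SID -> xidNumber mappings taken from two DCs' idmap databases.
# Assumption: each dump is LDIF text (e.g. ldbsearch -H <path to idmap.ldb>)
# whose records carry "cn: <SID>" and "xidNumber: <id>" lines.

# Read an LDIF dump on stdin, print one "SID xid" pair per record.
idmap_pairs() {
    awk '
        function emit() { if (sid != "" && xid != "") print sid, xid; sid = ""; xid = "" }
        /^cn: S-1-/    { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^[ \t\r]*$/   { emit() }   # a blank line ends a record
        END            { emit() }
    '
}

# usage: idmap_diff dc1.ldif dc2.ldif
# Print one MISMATCH line per SID whose xid differs or exists on one DC only.
idmap_diff() {
    { idmap_pairs < "$1" | sed 's/^/A /'; idmap_pairs < "$2" | sed 's/^/B /'; } |
    awk '
        $1 == "A" { a[$2] = $3; sids[$2] = 1 }
        $1 == "B" { b[$2] = $3; sids[$2] = 1 }
        END {
            for (s in sids) {
                x = (s in a) ? a[s] : "MISSING"
                y = (s in b) ? b[s] : "MISSING"
                if ((x "") != (y "")) print "MISMATCH", s, "dc1=" x, "dc2=" y
            }
        }
    ' | LC_ALL=C sort
}

# Constructed sample dumps (xid values are illustrative, not from a real domain).
sample_dc1() { printf '%s\n' 'dn: CN=S-1-5-32-544' 'cn: S-1-5-32-544' 'xidNumber: 3000000' '' \
    'dn: CN=S-1-5-32-549' 'cn: S-1-5-32-549' 'xidNumber: 3000001' '' \
    'dn: CN=S-1-5-18' 'cn: S-1-5-18' 'xidNumber: 3000002' '' \
    'dn: CN=S-1-5-11' 'cn: S-1-5-11' 'xidNumber: 3000003'; }
sample_dc2() { printf '%s\n' 'dn: CN=S-1-5-32-544' 'cn: S-1-5-32-544' 'xidNumber: 3000001' '' \
    'dn: CN=S-1-5-32-549' 'cn: S-1-5-32-549' 'xidNumber: 3000000' '' \
    'dn: CN=S-1-5-18' 'cn: S-1-5-18' 'xidNumber: 3000002'; }

# Demo run on the constructed samples.
tmp=$(mktemp -d)
sample_dc1 > "$tmp/dc1.ldif"; sample_dc2 > "$tmp/dc2.ldif"
idmap_diff "$tmp/dc1.ldif" "$tmp/dc2.ldif"
rm -rf "$tmp"
```

Empty output means the two dumps map every SID identically; any MISMATCH line names a SID whose ownership on rsynced sysvol files would resolve differently on the second DC.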
