wellknown and uid/gid interactions on multi DC samba AD domain

Rowland Penny repenny241155 at gmail.com
Wed May 14 06:04:31 MDT 2014


On 14/05/14 12:55, steve wrote:
> On Wed, 2014-05-14 at 12:32 +0100, Rowland Penny wrote:
>
>>> [root at kdc03:locks]# wbinfo -G 3000000
>>> S-1-5-32-544
>>> [root at kdc03:locks]# wbinfo -s S-1-5-32-544
>>> BUILTIN\Administrators 4
>>>
>>> If I read it correctly BUILTIN\Administrators should be mapped as 4 so
>>> same as on the other one.
>>>
>>> Did I forget something?
>>>
>>> Regards,
>>> Daniele.
>>>
>> Hi, you never posted just what distro you are using (or if you did, I
>> missed it), but mapping Administrators to '4' is not a good idea, I
>> learnt the hard way with 'Domain Users' !!
> Hi.
> AFAICT, no. He has BUILTIN\Administrators mapped to 4:3000000
>
> We _think_ a sysvolreset should sort it out but unless you transfer the
> idmap db from the first DC just before you start the second DC for the
> first time, the mappings could be different. It's the 'could be' that
> messes up a lot of GPO stuff if the other DC is consulted. It can lock
> you out from your redirected desktop for example. It's essential to map
> perfectly if you are rsyncing.
> Cheers,
> Steve
>
OOPS, yes you are right and you are also correct about the mappings 
being different between DCs. That is a pain, they tell you that you
must use rsync to preserve your permissions but then when you do the 
permissions are wrong because of different user mappings, sigh, you just 
can't win ;-)

Rowland
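
The mapping difference discussed in this thread, as an added example that is not part of the original messages: a small shell function that compares SID-to-xid listings taken from two DCs and reports every SID whose numeric id differs or is missing on one side. The "SID xid" file format, the function name and all sample values except S-1-5-32-544 at 3000000 are assumptions of this example.

```shell
#!/bin/sh
# Added example: list SIDs whose numeric id differs between two DCs.
# Assumed input: one "SID xid" pair per line per DC (this example's own format).

idmap_mismatches() {
    # $1 = mappings from the first DC, $2 = mappings from the second DC
    awk -v first="$1" '
        BEGIN {                                   # load first DC: SID -> xid
            while ((getline line < first) > 0)
                if (split(line, f, " ") >= 2) a[f[1]] = f[2]
        }
        NF < 2 { next }                           # skip blank or short lines
        {
            seen[$1] = 1
            if (!($1 in a))        print $1, "missing", $2
            else if (a[$1] != $2)  print $1, a[$1], $2
        }
        END { for (s in a) if (!(s in seen)) print s, a[s], "missing" }
    ' "$2" | sort
}

# Constructed sample data (only S-1-5-32-544 -> 3000000 appears in the thread).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/dc1" <<'EOF'
S-1-5-32-544 3000000
S-1-5-32-545 3000001
S-1-5-32-550 3000002
EOF
cat > "$tmp/dc2" <<'EOF'
S-1-5-32-544 3000000
S-1-5-32-545 3000005
EOF

# Prints one line per mismatch: SID, xid on the first DC, xid on the second DC.
idmap_mismatches "$tmp/dc1" "$tmp/dc2"
```

An empty result means the two listings agree for every SID, which is the "map perfectly" condition described above for rsyncing between DCs.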

