wellknown and uid/gid interactions on multi DC samba AD domain

steve steve at steve-ss.com
Wed May 14 06:30:03 MDT 2014


On Wed, 2014-05-14 at 13:04 +0100, Rowland Penny wrote:
> On 14/05/14 12:55, steve wrote:
> > On Wed, 2014-05-14 at 12:32 +0100, Rowland Penny wrote:
> >
> >>> [root at kdc03:locks]# wbinfo -G 3000000
> >>> S-1-5-32-544
> >>> [root at kdc03:locks]# wbinfo -s S-1-5-32-544
> >>> BUILTIN\Administrators 4
> >>>
> >>> If I read it correctly BUILTIN\Administrators should be mapped as 4 so
> >>> same as on the other one.
> >>>
> >>> Did I forgot something?
> >>>
> >>> Regards,
> >>> Daniele.
> >>>
> >> Hi, you never posted just what distro you are using (or if you did, I
> >> missed it), but mapping Administrators to '4' is not a good idea, I
> >> learnt the hard way with 'Domain Users' !!
> > Hi.
> > AFAICT, no. He has BUILTIN\Administrators mapped to 4:3000000
> >
> > We _think_ a sysvolreset should sort it out but unless you transfer the
> > idmap db from the first DC just before you start the second DC for the
> > first time, the mappings could be different. It's the 'could be' that
> > messes up a lot of GPO stuff if the other DC is consulted. It can lock
> > you out from your redirected desktop for example. It's essential to map
> > perfectly if you are rsyncing.
> > Cheers,
> > Steve
> >
> OOPS, yes you are right and you are also correct about the mappings 
> being different between DC's . That is a pain, they tell you that you 
> must use rsync to preserve your permissions but then when you do the 
> permissions are wrong because of different user mappings, sigh, you just 
> can't win ;-)
> 
> Rowland

We think that the idmap.ldb transfer is the only way to do it at the
moment if you are rsync'ing.

sysvol replication is on the next goals wiki:
https://wiki.samba.org/index.php/Samba_Next_Goals
But we're moving away from the OP.
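The procedure the thread is circling (copy idmap.ldb from the first DC to the second before the second DC is ever started, run sysvolreset, verify the SID-to-xid mappings really match, and only then rsync sysvol) as an added example script, not code from the thread or from the Samba project. It assumes root ssh between DCs, the default self-compiled layout (/usr/local/samba/private and /usr/local/samba/var/locks/sysvol, overridable via SAMBA_PRIVATE_DIR and SAMBA_SYSVOL_DIR) and hostnames such as dc1/dc2; only the compare step runs without Samba installed, which is why the DC-touching steps sit behind explicit flags.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): keep idmap.ldb and sysvol ACLs
# consistent across two Samba AD DCs when replicating sysvol with rsync.
# Paths below are assumptions (default self-compiled Samba layout).
PRIVATE_DIR="${SAMBA_PRIVATE_DIR:-/usr/local/samba/private}"
SYSVOL_DIR="${SAMBA_SYSVOL_DIR:-/usr/local/samba/var/locks/sysvol}"

transfer_idmap() {
    # Run on the FIRST DC, before the second DC (hostname in $1) is started for
    # the first time. tdbbackup takes a consistent snapshot of idmap.ldb (it is
    # a TDB-backed ldb) so the copy is not taken mid-write.
    dc2="$1"
    tdbbackup -s .bak "$PRIVATE_DIR/idmap.ldb"
    scp "$PRIVATE_DIR/idmap.ldb.bak" "root@$dc2:$PRIVATE_DIR/idmap.ldb"
    # Drop winbind's cached mappings on the new DC and rewrite sysvol ACLs
    # from the (now identical) idmap so the on-disk xids match.
    ssh "root@$dc2" "net cache flush && samba-tool ntacl sysvolreset"
}

dump_idmap() {
    # Usage: dump_idmap <file-of-SIDs>   (run on each DC)
    # Prints "<SID> <xid>" per SID, asking winbind for the gid first (groups such
    # as BUILTIN\Administrators) and falling back to the uid; wbinfo -Y and -S
    # are the real SID-to-gid / SID-to-uid flags.
    while read -r sid; do
        [ -n "$sid" ] || continue
        xid=$(wbinfo -Y "$sid" 2>/dev/null) || xid=$(wbinfo -S "$sid" 2>/dev/null) || xid=UNMAPPED
        printf '%s %s\n' "$sid" "$xid"
    done < "$1"
}

compare_idmaps() {
    # Usage: compare_idmaps <dc1-dump> <dc2-dump>
    # Prints one line per SID whose xid differs or is absent on either side and
    # returns 1 if any was found; returns 0 when the two dumps agree. Runs offline.
    awk '
        FNR == 1  { pass++ }
        NF < 2    { next }
        pass == 1 { dc1[$1] = $2; next }
        {
            seen[$1] = 1
            if (!($1 in dc1))       { print "MISSING_ON_DC1 " $1; bad = 1 }
            else if (dc1[$1] != $2) { print "MISMATCH " $1 " dc1=" dc1[$1] " dc2=" $2; bad = 1 }
        }
        END {
            for (s in dc1) if (!(s in seen)) { print "MISSING_ON_DC2 " s; bad = 1 }
            exit bad + 0
        }' "$1" "$2"
}

verify_dcs() {
    # Usage: verify_dcs <dc1> <dc2> <file-of-SIDs>
    # Collects the mapping of every SID on both DCs and refuses (exit 1) if any
    # differ; rsyncing sysvol across mismatched mappings is what breaks GPOs.
    dump_idmap "$3" | ssh "root@$1" 'cat > /tmp/sids; sh -s' >/tmp/dc1.map 2>/dev/null <<'EOF' || true
EOF
    # Simpler and explicit: copy the SID list and run this script remotely.
    scp -q "$3" "root@$1:/tmp/sids" && ssh "root@$1" "sh $0 --dump /tmp/sids" >/tmp/dc1.map
    scp -q "$3" "root@$2:/tmp/sids" && ssh "root@$2" "sh $0 --dump /tmp/sids" >/tmp/dc2.map
    compare_idmaps /tmp/dc1.map /tmp/dc2.map
}

sync_sysvol() {
    # Usage: sync_sysvol <authoritative-dc>   (run on the receiving DC, after verify_dcs passes)
    # -A/-X carry the POSIX ACLs and the xattrs that hold the NT ACLs; with
    # identical idmaps the xids inside them mean the same thing on both DCs.
    rsync -aAX --delete-after "root@$1:$SYSVOL_DIR/" "$SYSVOL_DIR/"
}

# Only act when invoked with an explicit flag, so sourcing this file is harmless.
case "${1:-}" in
    --transfer) transfer_idmap "$2" ;;
    --dump)     dump_idmap "$2" ;;
    --verify)   verify_dcs "$2" "$3" "$4" ;;
    --sync)     sync_sysvol "$2" ;;
esac
```

Typical order on the new DC: `--transfer dc2` from dc1 before dc2's first start, then `--verify dc1 dc2 sids.txt` (a file listing the SIDs that appear in sysvol ACLs, e.g. S-1-5-32-544 and the domain's -512/-513 SIDs), and only on a clean verify `--sync dc1`. If verify reports a MISMATCH, fix the idmap first; rsyncing over it merely copies the wrong xids.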