wellknown and uid/gid interactions on multi DC samba AD domain

Rowland Penny repenny241155 at gmail.com
Wed May 14 07:02:21 MDT 2014


On 14/05/14 13:57, Daniele Dario wrote:
>
> On mer, 2014-05-14 at 13:36 +0100, Rowland Penny wrote:
>> On 14/05/14 13:26, Daniele Dario wrote:
>>> Hi again,
>>>
>>> On mer, 2014-05-14 at 12:33 +0200, steve wrote:
>>>> On Wed, 2014-05-14 at 12:23 +0200, Daniele Dario wrote:
>>>>> Now as you said the uids/gids are the same on the 2 DCs so again thanks.
>>>>>
>>>> Well done.
>>>>
>>>>> I have a question about the sysvol: I noticed that the group of the
>>>>> sysvol folder is different on the two DCs.
>>>>> On the 1st DC (4.1.0):
>>>>> [root@kdc01:locks]# ls -n sysvol/
>>>>> total 8
>>>>> drwxrwx---+ 4 0 4 4096 Sep 24  2012 saitel.loc
>>>>>
>>>>> On the 2nd DC (4.1.7):
>>>>> [root@kdc03:locks]# ls -n sysvol/
>>>>> total 8
>>>>> drwxrwx---+ 4 0 3000000 4096 May  8 16:18 saitel.loc
>>>>>
>>>>> [root@kdc03:locks]# wbinfo -G 3000000
>>>>> S-1-5-32-544
>>>>> [root@kdc03:locks]# wbinfo -s S-1-5-32-544
>>>>> BUILTIN\Administrators 4
>>>>>
>>>>> If I read it correctly BUILTIN\Administrators should be mapped as 4 so
>>>>> same as on the other one.
>>>> What does S-1-5-32-544 look like in the respective idmap.ldb dbs?
>>> On kdc01 I get
>>> # record 53
>>> dn: CN=S-1-5-32-544
>>> cn: S-1-5-32-544
>>> objectClass: sidMap
>>> objectSid: S-1-5-32-544
>>> type: ID_TYPE_GID
>>> xidNumber: 4
>>> distinguishedName: CN=S-1-5-32-544
>> Have you altered idmap.ldb? If you find 'idmap_init.ldif' on your
>> system, it should contain this:
>>
>> dn: CN=CONFIG
>> cn: CONFIG
>> lowerBound: 3000000
>> upperBound: 4000000
>>
>> dn: @INDEXLIST
>> @IDXATTR: xidNumber
>> @IDXATTR: objectSid
>>
>> and '4' is a lot lower than '3000000' ;-)
>>
>> Rowland
>>
> No I didn't. Would it be possible that when I provisioned the domain
> (can't remember the right number but it was one of the latest alpha
> releases) it was different?

Possibly. I think that we need to find out just what version you are
running; 'samba -V' should give us this.

>
> And what about the difference in type? On the older I have type:
> ID_TYPE_GID and in the newly added I have type: ID_TYPE_BOTH.

I seem to remember there being a problem like this, but cannot remember 
just when.

Rowland

> Daniele.
>
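
The comparison done by hand in this thread, as an added example that is not part of the original messages or of Samba itself: it parses LDIF dumps of idmap.ldb from two DCs (for example from ldbsearch), reports SIDs whose type or xidNumber differ, and flags xidNumbers outside the CN=CONFIG bounds. The function names are hypothetical, the sample records are constructed from the values quoted above, and it assumes unwrapped LDIF with inclusive bounds.

```python
# Sample LDIF constructed from the values quoted in the thread (kdc01, then kdc03).
KDC01 = """\
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000

# record 53
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 4
distinguishedName: CN=S-1-5-32-544
"""
KDC03 = KDC01.replace("ID_TYPE_GID", "ID_TYPE_BOTH").replace("xidNumber: 4", "xidNumber: 3000000")

def parse_idmap(ldif):
    """Return (bounds, {sid: (type, xid)}) from ldbsearch-style LDIF text."""
    bounds, maps = None, {}
    for block in ldif.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip "# record N" comments and blank or odd lines
            key, value = line.split(": ", 1)
            rec[key] = value.strip()
        if "lowerBound" in rec and "upperBound" in rec:
            bounds = (int(rec["lowerBound"]), int(rec["upperBound"]))
        elif "objectSid" in rec and "xidNumber" in rec:
            maps[rec["objectSid"]] = (rec.get("type"), int(rec["xidNumber"]))
    return bounds, maps

def compare(ldif_a, ldif_b):
    """List mappings that differ between two DCs or fall outside CN=CONFIG bounds."""
    (bounds_a, a), (bounds_b, b) = parse_idmap(ldif_a), parse_idmap(ldif_b)
    findings = []
    for sid in sorted(set(a) | set(b)):
        if a.get(sid) != b.get(sid):
            findings.append(("mismatch", sid, a.get(sid), b.get(sid)))
    for name, bounds, maps in (("a", bounds_a, a), ("b", bounds_b, b)):
        for sid, (_, xid) in sorted(maps.items()):
            if bounds and not bounds[0] <= xid <= bounds[1]:
                findings.append(("out_of_range", sid, name, xid))
    return findings

if __name__ == "__main__":
    print(*compare(KDC01, KDC03), sep="\n")
```

A mismatch on a well-known SID such as S-1-5-32-544 means the same sysvol ACL entry resolves to different numeric owners on each DC, which is the symptom shown in the `ls -n` output above.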