[Samba] BUILTIN not mapping on DC

Achim Gottinger achim at ag-web.biz
Mon Apr 28 12:46:33 MDT 2014


Am 28.04.2014 20:29, schrieb steve:
> On Mon, 2014-04-28 at 14:18 -0400, Ryan Bair wrote:
>> I'm hoping to find another way to resolve the issue, but how did you edit
>> the uid and gids in idmap.ldb? According to `ldbsearch -H ldaps://localhost
>> cn=Account\ Operators` I already have a GID assigned.
> Hi
> DNs in idmap.ldb use the SID as the CN
>
> You already have the SID for the group you want from your search. Then:
> ldbedit --url=/path/to/private/idmap.ldb cn=your.SID
> and replace the xidNumber attribute with the GID you have in the
> directory. Or whatever other value you want.
> HTH
> Steve
>
>
Steve kindly already explained how to edit idmap.

If you only care about GPO ACLs, you may replace the ACLs 
BUILTIN\Administrator with Domain-Admins and BUILTIN\Authenticated Users 
with Domain-Users in the Windows group policy editor and run samba-tool 
ntacl sysvolreset afterwards. Or give everyone read access.

On my side the problems arose because I use rsync to replicate sysvol 
between ADDCs, and since the BUILTIN users/groups are ignored on the 
Unix side (not showing up in getent passwd/group), the uids/gids are 
used when replicating. Since those are dynamically assigned differently 
on each ADDC, I get read errors on my Windows clients trying to get the 
GPOs from an ADDC other than the source ADDC I used for replication.

Easiest for me was to copy idmap.ldb from my source ADDC to the target 
ADDCs directly after joining to the domain.

A proper solution would be using the RID idmap backend for BUILTIN, but 
I did not get that working.
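The failure mode Achim describes (each DC hands out its own xidNumber for the BUILTIN SIDs, so an rsync of sysvol carries uids/gids that mean something else on the other DC) can be checked for before copying anything. The following is an added example, not code from the thread or from Samba: it parses the LDIF that `ldbsearch -H /path/to/private/idmap.ldb` prints on two DCs, reports well-known SIDs whose xidNumber differs, and emits an LDIF modify record that aligns the target with the source. The two LDIF dumps are constructed sample data; the record layout (objectSid, type, xidNumber) matches what idmap.ldb stores, but the SID list, function names and the assumption that the emitted LDIF can be fed to `ldbmodify` are this example's own.

```python
"""Compare BUILTIN/well-known SID -> xidNumber mappings between two DCs' idmap.ldb dumps."""
from typing import Dict, List, Optional, Tuple

# Well-known SIDs that appear as BUILTIN or special groups in idmap.ldb.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-11": "Authenticated Users",
}

# Constructed sample: what `ldbsearch -H idmap.ldb` might print on the source DC.
SOURCE_DC_LDIF = """\
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-32-548
objectSid: S-1-5-32-548
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-11
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003

# returned 5 records
"""

# Constructed sample: the same dump on a freshly joined target DC, where the
# xids were allocated in a different order and BUILTIN\Users has no entry yet.
TARGET_DC_LDIF = """\
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-32-548
objectSid: S-1-5-32-548
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-11
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
"""


def parse_idmap_ldif(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {objectSid: (type, xidNumber)} from an ldbsearch LDIF dump.

    Records are blank-line separated; '#' lines (ldbsearch summaries) and
    records without an objectSid (such as CN=CONFIG) are skipped."""
    mappings: Dict[str, Tuple[str, int]] = {}
    record: Dict[str, str] = {}
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last record
        line = raw.rstrip()
        if not line:
            if "objectSid" in record and "xidNumber" in record:
                mappings[record["objectSid"]] = (record.get("type", "?"), int(record["xidNumber"]))
            record = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    return mappings


def find_mismatches(source: Dict[str, Tuple[str, int]], target: Dict[str, Tuple[str, int]],
                    sids=WELL_KNOWN_SIDS) -> List[Tuple[str, Optional[int], Optional[int]]]:
    """List (sid, source_xid, target_xid) for SIDs whose xid differs or is missing on one side."""
    out = []
    for sid in sids:
        src = source.get(sid)
        tgt = target.get(sid)
        src_xid = src[1] if src else None
        tgt_xid = tgt[1] if tgt else None
        if src_xid != tgt_xid:
            out.append((sid, src_xid, tgt_xid))
    return out


def ldif_align_target(mismatches) -> str:
    """Emit LDIF 'changetype: modify' records setting the target's xidNumber to the source's.

    Assumption (not verified against the thread): ldbmodify accepts this standard LDIF form.
    SIDs absent on the target need an add, not a modify, so they are left out here."""
    chunks = []
    for sid, src_xid, tgt_xid in mismatches:
        if src_xid is None or tgt_xid is None:
            continue
        chunks.append(f"dn: CN={sid}\nchangetype: modify\nreplace: xidNumber\nxidNumber: {src_xid}\n")
    return "\n".join(chunks)


if __name__ == "__main__":
    src = parse_idmap_ldif(SOURCE_DC_LDIF)
    tgt = parse_idmap_ldif(TARGET_DC_LDIF)
    for sid, a, b in find_mismatches(src, tgt):
        print(f"{sid:14} {WELL_KNOWN_SIDS[sid]:28} source={a} target={b}")
    print(ldif_align_target(find_mismatches(src, tgt)))
```

Run against real dumps, a non-empty mismatch list means an rsync of sysvol will carry ownerships that resolve to the wrong (or no) group on the target DC; either align idmap.ldb first, as the LDIF output suggests, or re-run samba-tool ntacl sysvolreset on the target after each sync.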

