[Samba] BUILTIN not mapping on DC
Achim Gottinger
achim at ag-web.biz
Mon Apr 28 12:46:33 MDT 2014
Am 28.04.2014 20:29, schrieb steve:
> On Mon, 2014-04-28 at 14:18 -0400, Ryan Bair wrote:
>> I'm hoping to find another way to resolve the issue, but how did you edit
>> the uid and gids in idmap.ldb? According to `ldbsearch -H ldaps://localhost
>> cn=Account\ Operators` I already have a GID assigned.
> Hi
> DNs in idmap.ldb use the SID as the CN
>
> You already have the SID for the group you want from your search. Then:
> ldbedit --url=/path/to/privat/idmap.ldb cn=your.SID
> and replace the xidNumber attribute with the GID you have in the
> directory. Or whatever other value you want.
> HTH
> Steve
>
>
Steve kindly already explained how to edit idmal.
If you only care about GPO acl's, you may replace the acl's
BUILTIN\Administrator with Domain-Admins and BUILTIN\Autheticated Users
with Domain-Users in the windows group policy editor and run samba-tools
ntacl sysvolreset afterwards. Or give everyone read access.
On my side the problems arised becuase i use rsync to replicate sysvol
between ADDX's and since the BUILTIN users/groups are ignored on the
unix side (not showing up in getent passwd/group)
the uid's gid's are used when replicating. Since those are dynamical
assigned different on each ADDCi get read erros on my windows clients
trying to get the gpo's from ADDC other that the source addc i used for
replication.
Easiest for me was to copy idmap.ldb from my source ADDC to the target
addc's directly after joining to the domain.
An proper solution would be using the RID idmap backend for BUILTIN but
i did not get that working.
More information about the samba
mailing list