[Samba] BUILTIN not mapping on DC

Achim Gottinger achim at ag-web.biz
Mon Apr 28 17:32:13 MDT 2014


Am 29.04.2014 01:13, schrieb steve:
> On Tue, 2014-04-29 at 00:54 +0200, Achim Gottinger wrote:
>> Am 29.04.2014 00:30, schrieb steve:
>>> On Mon, 2014-04-28 at 22:39 +0100, Rowland Penny wrote:
>>>
>>>>>> 3000000 ---> CN=S-1-5-32-544
>>>>>> 3000001 ---> CN=S-1-5-32-549
>>>>>> 3000002 ---> CN=S-1-5-18
>>>>>> 3000003 ---> CN=S-1-5-11
>>>>>>
>>>>>> now open idmap.ldb on the second DC and carry out the search with the
>>>>>> second set of numbers:
>>>>>>
>>>>>> 3000000 ---> CN=S-1-5-32-544
>>>>>> 3000012 ---> CN=S-1-5-11
>>>>>> 3000022 ---> CN=S-1-5-32-549
>>>>>> 3000023 ---> CN=S-1-5-18
>>>>>>
>>>>>> and a bit more searching finds out that:
>>>>>>
>>>>>> CN=S-1-5-32-544 ---> Administrators
>>>>>> CN=S-1-5-32-549 ---> Server Operators
>>>>>> CN=S-1-5-18 ---> Local System
>>>>>> CN=S-1-5-11 ---> Authenticated Users
>>>>>>
>>> It's unfortunate that we can't use AD for rfc2307 for these objects as
>>> we can with domain equivalents. I think the OP wants consistent values
>>> across DC's without having to run sysvol reset after syncing, in which
>>> case his copying idmap.ldb to the other DC method from the master seems
>>> like the only way to do it.
>>>
>>> Have we got that right? This thread is aiming at:
>>>
>>>>>> 3000000 ---> CN=S-1-5-32-544
>>>>>> 3000001 ---> CN=S-1-5-32-549
>>>>>> 3000002 ---> CN=S-1-5-18
>>>>>> 3000003 ---> CN=S-1-5-11
>>> for all DCs?
>>> Cheers,
>>> Steve
>> The OP has found that BUILTIN groups do not resolve on the unix side at
>> his ADDC. If they'd resolve using rsync -A would work with different
>> idmap.ldb mappings because rsync and for example nfs3 would be able to
>> do uid(source)->name(source)->name(target)->uid(target) mappings for
>> copy operations. Without an proper uid->name mapping the uid's are used
>> unodified.
>> Having identical mappings on all dc's is an workaround for the not
>> resolving issue.
>>
> OK. So we want identical uid mappings on all DCs for e.g. users, but not
> for BUILTIN\x ??
>
If the idmap_autorid backend would work for BUILTIN we'd get identical
mappings.
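The mismatch Rowland found by hand (the same SID getting a different xidNumber on each DC) is easy to check mechanically. The script below is an added example, not code from the thread or from the Samba project: it takes the LDIF-style output of ldbsearch from two DCs, reduces each to SID/xidNumber pairs and prints every SID whose xidNumber differs, naming the four well-known SIDs listed above. The two dumps are constructed from the numbers quoted in the thread; the idmap.ldb path in the comments is an assumption that depends on the build's private directory.

```shell
#!/bin/sh
# Compare idmap.ldb SID -> xidNumber mappings from two DCs and report SIDs
# whose xidNumber differs. Input is the LDIF-style output of ldbsearch, e.g.
#   ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectClass=sidMap)' cn xidNumber
# run on each DC (path is an assumption; use your build's private directory).

# Constructed sample data: the well-known SIDs and xidNumbers quoted in the
# thread for the first DC.
DC1_DUMP='dn: CN=S-1-5-32-544
cn: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-32-549
cn: S-1-5-32-549
xidNumber: 3000001

dn: CN=S-1-5-18
cn: S-1-5-18
xidNumber: 3000002

dn: CN=S-1-5-11
cn: S-1-5-11
xidNumber: 3000003
'

# Constructed sample data: the same SIDs as allocated on the second DC.
DC2_DUMP='dn: CN=S-1-5-32-544
cn: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-11
cn: S-1-5-11
xidNumber: 3000012

dn: CN=S-1-5-32-549
cn: S-1-5-32-549
xidNumber: 3000022

dn: CN=S-1-5-18
cn: S-1-5-18
xidNumber: 3000023
'

# Names of the well-known SIDs mentioned in the thread.
sid_name() {
    case "$1" in
        S-1-5-32-544) echo "Administrators" ;;
        S-1-5-32-549) echo "Server Operators" ;;
        S-1-5-18)     echo "Local System" ;;
        S-1-5-11)     echo "Authenticated Users" ;;
        *)            echo "unknown" ;;
    esac
}

# Reduce an ldbsearch dump to sorted "SID xidNumber" pairs, one per line.
idmap_pairs() {
    printf '%s\n' "$1" | awk '
        /^cn: /        { sid = $2 }
        /^xidNumber: / { print sid, $2 }
    ' | sort
}

# Print "SID xid_on_a xid_on_b (name)" for every SID whose xidNumber differs
# between the two dumps; a SID missing on one side shows "-" for that side.
idmap_diff() {
    {
        idmap_pairs "$1" | sed 's/^/A /'
        idmap_pairs "$2" | sed 's/^/B /'
    } | awk '
        $1 == "A" { a[$2] = $3; next }
        $1 == "B" { b[$2] = $3; next }
        END {
            for (sid in a)
                if (!(sid in b)) print sid, a[sid], "-"
                else if (a[sid] != b[sid]) print sid, a[sid], b[sid]
            for (sid in b)
                if (!(sid in a)) print sid, "-", b[sid]
        }
    ' | sort | while read -r sid xa xb; do
        printf '%s %s %s (%s)\n' "$sid" "$xa" "$xb" "$(sid_name "$sid")"
    done
}

# Exit status 0 when both dumps map every SID to the same xidNumber.
idmap_consistent() {
    [ -z "$(idmap_diff "$1" "$2")" ]
}

# Stand-alone run: list the mismatches between the two constructed dumps.
idmap_diff "$DC1_DUMP" "$DC2_DUMP"
```

For the constructed data only S-1-5-32-544 agrees; the other three SIDs are reported with their xidNumber from each side, which is exactly the situation where an rsync -A between the DCs carries the wrong numeric ids across. Feed it the real ldbsearch output from two DCs (one dump per variable or file) to confirm whether copying idmap.ldb from the master has in fact produced identical mappings.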
