[Samba] Proper sysvol replication solution...

Rowland Penny rowlandpenny at googlemail.com
Fri Aug 22 15:57:42 MDT 2014

On 22/08/14 22:48, Achim Gottinger wrote:
> Am 22.08.2014 23:26, schrieb Rowland Penny:
>> On 22/08/14 22:12, Achim Gottinger wrote:
>>> Am 22.08.2014 22:58, schrieb Rowland Penny:
>>>> On 22/08/14 21:46, Achim Gottinger wrote:
>>>>> Am 22.08.2014 22:28, schrieb Rowland Penny:
>>>>>> On 22/08/14 20:57, Achim Gottinger wrote:
>>>>>>> Am 22.08.2014 21:16, schrieb Rowland Penny:
>>>>>>>> On 22/08/14 19:51, Achim Gottinger wrote:
>>>>>>>>> Am 22.08.2014 20:31, schrieb Rowland Penny:
>>>>>>>>>> On 22/08/14 18:40, Achim Gottinger wrote:
>>>>>>>>>>> Am 22.08.2014 17:09, schrieb Rowland Penny:
>>>>>>>>>>>> On 22/08/14 16:03, L.P.H. van Belle wrote:
>>>>>>>>>>>>> when i look on my sysvol and subfolders
>>>>>>>>>>>>> and
>>>>>>>>>>>>> getfacl /home/samba/sysvol/internal.domain.tld/
>>>>>>>>>>>>> the on both servers is the same.
>>>>>>>>>>>>> and when i look from within windows both shares are exacly 
>>>>>>>>>>>>> the same with rights.
>>>>>>>>>>>>> share files and folders.
>>>>>>>>>>>>> maybe im lucky ;-)
>>>>>>>>>>>> Lucky ?? that's nearly impossible, I bet you win everything 
>>>>>>>>>>>> you enter ;-)
>>>>>>>>>>>>> no, i dont need these mappings imo since i dont have any 
>>>>>>>>>>>>> linux/unix user to the sysvol share.
>>>>>>>>>>>>> makes life lot easier..
>>>>>>>>>>>> Yes but it doesn't just affect sysvol, it can affect any 
>>>>>>>>>>>> share.
>>>>>>>>>>>> Rowland
>>>>>>>>>>>>> Louis
>>>>>>>>>>>>>> -----Oorspronkelijk bericht-----
>>>>>>>>>>>>>> Van: ryana at reachtechfp.com
>>>>>>>>>>>>>> [mailto:samba-bounces at lists.samba.org] Namens Ryan Ashley
>>>>>>>>>>>>>> Verzonden: vrijdag 22 augustus 2014 16:47
>>>>>>>>>>>>>> Aan: samba at lists.samba.org
>>>>>>>>>>>>>> Onderwerp: Re: [Samba] Proper sysvol replication solution...
>>>>>>>>>>>>>> Domain users don't enter the equation here though. We're 
>>>>>>>>>>>>>> talking the
>>>>>>>>>>>>>> "well-known" RID's like Rowland just mentioned. In other 
>>>>>>>>>>>>>> words, if my
>>>>>>>>>>>>>> "Authenticated Users" is XID 30001 on DC1 but it is 30009 
>>>>>>>>>>>>>> on DC2, I
>>>>>>>>>>>>>> would not want to clone the UID/GID info from DC1 to DC2, 
>>>>>>>>>>>>>> only
>>>>>>>>>>>>>> the files
>>>>>>>>>>>>>> and directories. That where the "idmap.ldb" file comes 
>>>>>>>>>>>>>> into play.
>>>>>>>>>>>>>> Apparently it is created with random XID's when Samba is
>>>>>>>>>>>>>> configured and
>>>>>>>>>>>>>> ran for the first time on each machine. Does your script 
>>>>>>>>>>>>>> copy those
>>>>>>>>>>>>>> UID/GID numbers over? If so, I was under the impression 
>>>>>>>>>>>>>> that such a
>>>>>>>>>>>>>> thing was bad.
>>>>>>>>>>>>>> I am currently setting up two virtual machines 
>>>>>>>>>>>>>> (VirtualBox) to
>>>>>>>>>>>>>> play with
>>>>>>>>>>>>>> your script. I want to understand how it works and this 
>>>>>>>>>>>>>> way I am not
>>>>>>>>>>>>>> worried about destroying a client's domain while I am 
>>>>>>>>>>>>>> toying around.
>>>>>>>>>>>>>> On 08/22/2014 10:34 AM, L.P.H. van Belle wrote:
>>>>>>>>>>>>>>>> -----Oorspronkelijk bericht-----
>>>>>>>>>>>>>>>> Van: ryana at reachtechfp.com
>>>>>>>>>>>>>>>> [mailto:samba-bounces at lists.samba.org] Namens Ryan Ashley
>>>>>>>>>>>>>>>> Verzonden: vrijdag 22 augustus 2014 15:30
>>>>>>>>>>>>>>>> Aan: samba at lists.samba.org
>>>>>>>>>>>>>>>> Onderwerp: Re: [Samba] Proper sysvol replication 
>>>>>>>>>>>>>>>> solution...
>>>>>>>>>>>>>>>> I know it is, on purpose. Copying the ACLs from one DC to
>>>>>>>>>>>>>>>> another is bad
>>>>>>>>>>>>>>>> because for some reason each DC may have a different ID 
>>>>>>>>>>>>>>>> for
>>>>>>>>>>>>>>>> the built-in
>>>>>>>>>>>>>>>> accounts. In fact I believe it was Rowland who was 
>>>>>>>>>>>>>>>> saying something
>>>>>>>>>>>>>>>> about copying the "idmap.tdb" file over if you sync the 
>>>>>>>>>>>>>>>> ACLs.
>>>>>>>>>>>>>>>> My method
>>>>>>>>>>>>>>>> only copies over the files and directories so no ACLs get
>>>>>>>>>>>>>>>> screwy. Maybe
>>>>>>>>>>>>>>>> Rowland can reiterate what he said on the other thread.
>>>>>>>>>>>>>>> Yes, your right, it can be different if you dont keep de 
>>>>>>>>>>>>>>> the
>>>>>>>>>>>>>> default settings.
>>>>>>>>>>>>>>> Which should be ok. I dont have any reason to change the
>>>>>>>>>>>>>> acls on sysvol.
>>>>>>>>>>>>>>> And i only use my ADDC as DC and not as file server so i
>>>>>>>>>>>>>> dont have any idmap problems.
>>>>>>>>>>>>>>> And i only use windows users to access these shares.
>>>>>>>>>>>>>>> No linux users or what have access to these machines. only
>>>>>>>>>>>>>> me as linux user and windows user.
>>>>>>>>>>>>>>> and that are 2 different accounts. my linux user is only 
>>>>>>>>>>>>>>> use
>>>>>>>>>>>>>> to maintain the system.
>>>>>>>>>>>>>>>> I actually did use rsync for a while and then realized 
>>>>>>>>>>>>>>>> I was
>>>>>>>>>>>>>>>> messing up
>>>>>>>>>>>>>>>> after several machines stopped being able to access the 
>>>>>>>>>>>>>>>> sysvol
>>>>>>>>>>>>>>>> share on
>>>>>>>>>>>>>>>> the second DC. When I ran "samba-tool ntacl 
>>>>>>>>>>>>>>>> sysvolcheck" it
>>>>>>>>>>>>>>>> would crash.
>>>>>>>>>>>>>>>> I ran a reset and all was good, until the next rsync. I
>>>>>>>>>>>>>>>> finally figured
>>>>>>>>>>>>>>>> it out and removed rsync and the rsync cron job.
>>>>>>>>>>>>>>>> So tell me, why are you using rsync and unison? I am 
>>>>>>>>>>>>>>>> also trying to
>>>>>>>>>>>>>>>> figure out how your script figures out which way to use 
>>>>>>>>>>>>>>>> rsync
>>>>>>>>>>>>>>>> (DC1->DC2
>>>>>>>>>>>>>>>> or DC2->DC1) based on what changes are on each DC. In 
>>>>>>>>>>>>>>>> other
>>>>>>>>>>>>>>>> words, would
>>>>>>>>>>>>>>>> your script work if a directory and file was created on 
>>>>>>>>>>>>>>>> DC1 AND a
>>>>>>>>>>>>>>>> directory was removed on DC2? Would the new stuff get 
>>>>>>>>>>>>>>>> copied
>>>>>>>>>>>>>>>> to DC2 and
>>>>>>>>>>>>>>>> would the directory be removed on DC1? Forgive me, but 
>>>>>>>>>>>>>>>> I am
>>>>>>>>>>>>>> not a bash
>>>>>>>>>>>>>>>> scripting god. I know the basics and can get my work 
>>>>>>>>>>>>>>>> done, but
>>>>>>>>>>>>>>>> I am not
>>>>>>>>>>>>>>>> understanding how your script does two-way stuff via the
>>>>>>>>>>>>>> rsync portion.
>>>>>>>>>>>>>>> Well normal questions.. so
>>>>>>>>>>>>>>> If a file is remove from sysvol on DC1 it removes it 
>>>>>>>>>>>>>>> also from DC2.
>>>>>>>>>>>>>>> If at the same time a folder or file was remove from DC2
>>>>>>>>>>>>>> then it does the same with it on DC1.
>>>>>>>>>>>>>>> just test it.. you see.
>>>>>>>>>>>>>>> And best tip of the day.. make a backup of your sysvol
>>>>>>>>>>>>>> before you start,
>>>>>>>>>>>>>>> when you rest things and you forget to remove the unison
>>>>>>>>>>>>>> hash files you can delete you sysvol..
>>>>>>>>>>>>>>> we need rsync to create the directory structure with
>>>>>>>>>>>>>> extended attributes,
>>>>>>>>>>>>>>> the (now) unison setup copies only the extened 
>>>>>>>>>>>>>>> attributes on files.
>>>>>>>>>>>>>>> cron does the sync every 5 min for me and you can also use
>>>>>>>>>>>>>> inotify for that.
>>>>>>>>>>>>>>> You can search for that one on the list.
>>>>>>>>>>>>>>> Hope answere this helps you.
>>>>>>>>>>>>>>>> On 08/22/2014 02:21 AM, L.P.H. van Belle wrote:
>>>>>>>>>>>>>>>>> ah you didnt see my script...
>>>>>>>>>>>>>>>>> https://secure.bazuin.nl/scripts/3-setup-sysvol-bidirectional.sh 
>>>>>>>>>>>>>>>>> You way is missing the ACL.. you need rsync with unison.
>>>>>>>>>>>>>>>>> its all in my script.
>>>>>>>>>>>>>>>>> Greetz,
>>>>>>>>>>>>>>>>> Louis
>>>>>>>>>>>>>>>>>> -----Oorspronkelijk bericht-----
>>>>>>>>>>>>>>>>>> Van: ryana at reachtechfp.com
>>>>>>>>>>>>>>>>>> [mailto:samba-bounces at lists.samba.org] Namens Ryan 
>>>>>>>>>>>>>>>>>> Ashley
>>>>>>>>>>>>>>>>>> Verzonden: vrijdag 22 augustus 2014 0:14
>>>>>>>>>>>>>>>>>> Aan: samba at lists.samba.org
>>>>>>>>>>>>>>>>>> Onderwerp: [Samba] Proper sysvol replication solution...
>>>>>>>>>>>>>>>>>> I see the Samba guide suggests using rsync to keep 
>>>>>>>>>>>>>>>>>> sysvols in
>>>>>>>>>>>>>>>>>> sync, but
>>>>>>>>>>>>>>>>>> this poses a problem with ID's and it is only 
>>>>>>>>>>>>>>>>>> one-way. I have been
>>>>>>>>>>>>>>>>>> hesitant to suggest anything because of the flak I have
>>>>>>>>>>>>>>>> been getting,
>>>>>>>>>>>>>>>>>> but I do believe I have a much better solution that 
>>>>>>>>>>>>>>>>>> transfers
>>>>>>>>>>>>>>>>>> files via
>>>>>>>>>>>>>>>>>> SSH, is bi-directional (no more only editing group 
>>>>>>>>>>>>>>>>>> policy on one
>>>>>>>>>>>>>>>>>> server), and does NOT set UID/GID information. In other
>>>>>>>>>>>>>> words, it is
>>>>>>>>>>>>>>>>>> PERFECT for sysvol replication, and has been working on
>>>>>>>>>>>>>>>> several of my
>>>>>>>>>>>>>>>>>> domains for around a year and a half without a hitch. 
>>>>>>>>>>>>>>>>>> The
>>>>>>>>>>>>>>>>>> solution I am
>>>>>>>>>>>>>>>>>> proposing is to use unison, which also works on 
>>>>>>>>>>>>>>>>>> Windows and (I
>>>>>>>>>>>>>>>>>> think) Mac.
>>>>>>>>>>>>>>>>>> The way I have unison working on my systems is to 
>>>>>>>>>>>>>>>>>> install
>>>>>>>>>>>>>>>>>> unison on all
>>>>>>>>>>>>>>>>>> DC's, which is required. You also need an SSH server and
>>>>>>>>>>>>>>>> client on all
>>>>>>>>>>>>>>>>>> DC's, but I assume most of you do anyway. Once they're
>>>>>>>>>>>>>>>>>> installed, it is
>>>>>>>>>>>>>>>>>> as simple as the command below. This will 
>>>>>>>>>>>>>>>>>> synchronizes changes
>>>>>>>>>>>>>>>>>> BOTH WAYS
>>>>>>>>>>>>>>>>>> without touching your UID/GID setup. If you're 
>>>>>>>>>>>>>>>>>> paranoid, you could
>>>>>>>>>>>>>>>>>> always do a sysvolreset when done though.
>>>>>>>>>>>>>>>>>> unison -batch "/path/to/sysvol"
>>>>>>>>>>>>>>>> "ssh://dc02.domain.lan//path/to/sysvol"
>>>>>>>>>>>>>>>>>> If you do this at a command-line, it will prompt you for
>>>>>>>>>>>>>>>> your password
>>>>>>>>>>>>>>>>>> on the remote machine. This would prevent a cron job, 
>>>>>>>>>>>>>>>>>> but
>>>>>>>>>>>>>> I overcame
>>>>>>>>>>>>>>>>>> that as well. You can create an SSH key that does not 
>>>>>>>>>>>>>>>>>> require
>>>>>>>>>>>>>>>>>> a password
>>>>>>>>>>>>>>>>>> for the systems to use. This means you can now create a
>>>>>>>>>>>>>> cron job to
>>>>>>>>>>>>>>>>>> handle the replication every fifteen minutes or so. You
>>>>>>>>>>>>>>>> could also use
>>>>>>>>>>>>>>>>>> something like "incrond" to monitor for changes in 
>>>>>>>>>>>>>>>>>> the sysvol
>>>>>>>>>>>>>>>>>> and launch
>>>>>>>>>>>>>>>>>> unison as well, but I don't personally modify the 
>>>>>>>>>>>>>>>>>> sysvol often, so
>>>>>>>>>>>>>>>>>> replication every fifteen minutes works for me.
>>>>>>>>>>>>>>>>>> To create an SSH key to allow password-less 
>>>>>>>>>>>>>>>>>> replication via
>>>>>>>>>>>>>>>> unison, do
>>>>>>>>>>>>>>>>>> the following.
>>>>>>>>>>>>>>>>>> ssh-keygen -t dsa
>>>>>>>>>>>>>>>>>> When it prompts for a file to save the key in, it 
>>>>>>>>>>>>>>>>>> should be
>>>>>>>>>>>>>>>> your home
>>>>>>>>>>>>>>>>>> directory in a ".ssh" directory. I run as root, so 
>>>>>>>>>>>>>>>>>> this is
>>>>>>>>>>>>>>>>>> "/root/.ssh/id_dsa" for me. It will then prompt for a
>>>>>>>>>>>>>>>> password. Ignore
>>>>>>>>>>>>>>>>>> this and just press enter. It will ask you to verify the
>>>>>>>>>>>>>>>>>> password. Press
>>>>>>>>>>>>>>>>>> enter again. If you enter a password here, it cannot run
>>>>>>>>>>>>>>>>>> without user input!
>>>>>>>>>>>>>>>>>> Next, you need to copy the key to your other domain
>>>>>>>>>>>>>>>>>> controllers. You can
>>>>>>>>>>>>>>>>>> do so as follows. Note that my example is run as root.
>>>>>>>>>>>>>>>> Substitute your
>>>>>>>>>>>>>>>>>> user's path if needed.
>>>>>>>>>>>>>>>>>> ssh-copy-id -i /root/.ssh/id_dsa.pub 
>>>>>>>>>>>>>>>>>> root at dc02.domain.lan
>>>>>>>>>>>>>>>>>> Once that is done, login to the domain controller you 
>>>>>>>>>>>>>>>>>> copied
>>>>>>>>>>>>>>>>>> the key to
>>>>>>>>>>>>>>>>>> (in the example, dc02) and check 
>>>>>>>>>>>>>>>>>> "/root/.ssh/authorized_keys"
>>>>>>>>>>>>>>>>>> to verify
>>>>>>>>>>>>>>>>>> that the key was added and nothing unexpected is 
>>>>>>>>>>>>>>>>>> there. You
>>>>>>>>>>>>>>>>>> can do this
>>>>>>>>>>>>>>>>>> with "cat /root/.ssh/authorized_keys". You should see 
>>>>>>>>>>>>>>>>>> a key on
>>>>>>>>>>>>>>>>>> a single
>>>>>>>>>>>>>>>>>> line followed by the hostname of your primary domain
>>>>>>>>>>>>>>>> controller. If it
>>>>>>>>>>>>>>>>>> is there, they may now connect via SSH without a 
>>>>>>>>>>>>>>>>>> password!
>>>>>>>>>>>>>>>>>> You may now copy the key to any other domain 
>>>>>>>>>>>>>>>>>> controllers in
>>>>>>>>>>>>>>>>>> your domain
>>>>>>>>>>>>>>>>>> so they trust the primary DC as well. After that, all 
>>>>>>>>>>>>>>>>>> that
>>>>>>>>>>>>>>>> is left is
>>>>>>>>>>>>>>>>>> the synchronization. I urge you to run the first 
>>>>>>>>>>>>>>>>>> synchronization
>>>>>>>>>>>>>>>>>> manually, like below.
>>>>>>>>>>>>>>>>>> unison "/path/to/sysvol" 
>>>>>>>>>>>>>>>>>> "ssh://dc02.domain.lan//path/to/sysvol"
>>>>>>>>>>>>>>>>>> Make sure everything looks good, synchronize it, then 
>>>>>>>>>>>>>>>>>> repeat
>>>>>>>>>>>>>>>>>> for each DC
>>>>>>>>>>>>>>>>>> on your domain. Once done, you can create cron jobs 
>>>>>>>>>>>>>>>>>> to sync
>>>>>>>>>>>>>>>>>> each server,
>>>>>>>>>>>>>>>>>> or use a script like mine below. This script is on my
>>>>>>>>>>>>>> primary DC. I
>>>>>>>>>>>>>>>>>> actually only have two DC's, but I added more as an 
>>>>>>>>>>>>>>>>>> example here.
>>>>>>>>>>>>>>>>>> #!/bin/bash
>>>>>>>>>>>>>>>>>> SERVERLIST="dc02.domain.lan dc03.domain.lan 
>>>>>>>>>>>>>>>>>> dc04.domain.lan"
>>>>>>>>>>>>>>>>>> SVPATH="/path/to/sysvol"
>>>>>>>>>>>>>>>>>> # Synchronize all of the domain controllers
>>>>>>>>>>>>>>>>>> for sLoop in ${SERVERLIST}
>>>>>>>>>>>>>>>>>> do
>>>>>>>>>>>>>>>>>>      unison -batch "${SVPATH}" 
>>>>>>>>>>>>>>>>>> "ssh://${sLoop}/${SVPATH}"
>>>>>>>>>>>>>>>>>> done
>>>>>>>>>>>>>>>>>> exit 0
>>>>>>>>>>>>>>>>>> Now set that script to run in a cron job and you're 
>>>>>>>>>>>>>>>>>> golden.
>>>>>>>>>>>>>>>> You could
>>>>>>>>>>>>>>>>>> also setup "incrond" on all of your DC's and have it 
>>>>>>>>>>>>>>>>>> call
>>>>>>>>>>>>>>>>>> unison to sync
>>>>>>>>>>>>>>>>>> the other DC's whenever a write happens in your sysvol,
>>>>>>>>>>>>>> but I do not
>>>>>>>>>>>>>>>>>> need such a thing and have not personally tried it,
>>>>>>>>>>>>>> though I have a
>>>>>>>>>>>>>>>>>> fellow IT lead who has and likes it. My crontab job 
>>>>>>>>>>>>>>>>>> entry is
>>>>>>>>>>>>>>>>>> listed below.
>>>>>>>>>>>>>>>>>> 15 * * * * /root/sysvolsync.sh &> /dev/null
>>>>>>>>>>>>>>>>>> I hope this helps somebody and if you see something 
>>>>>>>>>>>>>>>>>> wrong,
>>>>>>>>>>>>>>>>>> feel free to
>>>>>>>>>>>>>>>>>> let me know.
>>>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL 
>>>>>>>>>>>>>>>>>> and read the
>>>>>>>>>>>>>>>>>> instructions: 
>>>>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL 
>>>>>>>>>>>>>>>> and read the
>>>>>>>>>>>>>>>> instructions: 
>>>>>>>>>>>>>>>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>>> -- 
>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and 
>>>>>>>>>>>>>> read the
>>>>>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>>> Rowland do you remeber Michael Adam's patch here from april? 
>>>>>>>>>>> Seems it did not yet make it into an stable release.
>>>>>>>>>> Yes, I vaguely remember it, but it did not go far enough (no 
>>>>>>>>>> disrespect meant Michael, I couldn't have got that far),  I 
>>>>>>>>>> 'think' it only dealt with 'BUILTIN' objects, but they are a 
>>>>>>>>>> small part of the well known RID's .
>>>>>>>>>> Rowland
>>>>>>>>> Good point,
>>>>>>>>> An nss_idmap module or extention to nss_winbind which resolves 
>>>>>>>>> xidNumbers to objectSID's might do the trick. It is not 
>>>>>>>>> neccesarry to translate the SID into an name to solve the 
>>>>>>>>> mapping problem.
>>>>>>>>> achim~
>>>>>>>> You mean like the reverse of what ever happens to create the 
>>>>>>>> entries in idmap.ldb ?
>>>>>>>> Rowland
>>>>>>> Yes,
>>>>>>> For your example in the other mail "getent group" would return
>>>>>>> S-1-5-32-544:*:3000000
>>>>>>> on the dc and
>>>>>>> S-1-5-32-544:*:2000
>>>>>> That would be good, but it would be better if was:
>>>>>> administrators:*:3000000
>>>>>> on the dc and
>>>>>> administrators:*:2000
>>>>>> Rowland
>>>>> Odd thing is the sid to name mapping is already there 
>>>>> (librpc/idl/security.idl) for well know sid's and rid's. Makes it 
>>>>> even more strange that only BUILDIN groups had been implemented by 
>>>>> the patch.
>>>>> @steve you would force the users to reserve an predefined range of 
>>>>> numbers in their usermanagement for windows standard groups und 
>>>>> users.
>>>> And your problem with this is ???
>>>> If people could get their heads around the fact that they do not 
>>>> need any local unix users and just have domain users instead, this 
>>>> would not really be a problem.
>>>> Rowland
>>> Not my problem but one. Well-know-rid's for two different domains. 
>>> The sid's differ in the domain part but would get the same fixed gid 
>>> because they have an identical well-known rid part.
>> I cannot see that this is a problem, if it is a problem then 
>> microsoft has it as well. We are talking about the well know RID's 
>> here and apart from the few that use the domain SID, every Domain 
>> uses the same SID i.e. administrators is always 'S-1-5-32-544'
>> Rowland
> Well you talked about well known rid's earlier. The well known sid's 
> are the same on all domains, rid's are always prefixed with the domain 
> sid. To prove myself wrong, these do resolve well and cause no problems.
> As for the sid's (builtin/security) the only problem on the linux side 
> is that they do not resolve at all to an gid. It is not necessary that 
> they resolve to the same gid on every machine, they just must resolve 
> to an number. If an group resolves to different gid's at two systems 
> rsync will take care of the number replacement if not the gid will be 
> the same.
> achim~
OOPs, yes you are correct, it is well known SID's not RID's but 
everything else I said was correct, anywhere, on any AD domain, 
'S-1-5-32-544' is 'BUILTIN Administrators', so as I said if this works 
for windows it should work for a S4 AD DC.


More information about the samba mailing list