[Samba] Samba 4 two DCs no matching UID/GID

Rowland Penny rowlandpenny at googlemail.com
Fri Dec 12 14:19:45 MST 2014

On 12/12/14 20:31, Tim wrote:
> My idea is similar. Today I didn't have the time to go on.
> But this is my concept and it works with a short script (example for groups):
> DC1 (schema master)
> for loop on wbinfo -g will
> check if rfc2307 info is null for these groups in AD (ldbsearch)
> when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3 then exit
> else update rfc2307 info by importing created ldif file (ldbmodify)

You only really need to give Domain Users & Domain Admins a gidNumber, 
also you just need to check if the group has a gidNumber and if it 
doesn't, update the group by adding the next available gidNumber. The 
same goes for a user.

I also told you where AD normally stores the next uidNumber & gidNumber.


> To get this faster an extra file with set rfc2307 gids will be needed and needs to be updated.
> For failover reasons idmap.ldb should be synced to secondary DCs or if possible its max gid number should be updated on secondary DCs.
> Regards
> Tim
> On 12 December 2014 10:19:07 CET, steve <steve at steve-ss.com> wrote:
>> On 12/12/14 07:10, Tim wrote:
>>> On 11 December 2014 23:25:58 CET, steve <steve at steve-ss.com> wrote:
>>>> On 11/12/14 23:15, Tim wrote:
>>>>> Thanks Steve,
>>>>> I will have a look at it. I think it's important to sync the
>>>> idmap.ldb
>>>>> limits
>>>> It isn't important. The limits are the same on all DCs, even if you
>>>> have
>>>> not copied the idmap database anywhere else. All you need to do is
>>>> write
>>>> the uidNumber and the gidNumber to the DN of your new users and
>> groups.
>>>> There are many ways of keeping track of
>>>> what-the-next-uidNumber-should-be, which I think is your real
>> problem.
>>> Can you give an example? Sounds interesting and would really help.
>> One way.
>> Turn on enumeration.
>> getent passwd and redirect to a file. read each line, cut the 3rd field
>> (':' is the delimiter) and append to a second file. Find the biggest
>> number and then add 1.
>> There are as many ways as people using rfc2307...
>> HTH
>> Steve
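
An added example, not part of the original thread: the "biggest number plus 1" approach from the quoted getent suggestion, restricted to one ID range so that local accounts and out-of-range IDs cannot skew the result, with a duplicate check and an LDIF for the ldbmodify step mentioned in the thread. `RANGE_MIN`, `RANGE_MAX`, the sample lines and the DN are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed rfc2307 range for the site; adjust to the range actually in use.
RANGE_MIN=${RANGE_MIN:-10000}
RANGE_MAX=${RANGE_MAX:-59999}

# next_id: read passwd/group-format lines ("name:x:ID:...") on stdin, e.g.
# from `getent passwd` or `getent group`, and print highest in-range ID + 1.
# IDs outside the range (root, nobody/nogroup, other mappings) are ignored.
next_id() {
    awk -F: -v lo="$RANGE_MIN" -v hi="$RANGE_MAX" '
        $3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 {
            if ($3 + 0 > max) max = $3 + 0
        }
        END {
            if (max == 0) { print lo; exit 0 }      # nothing assigned yet
            if (max + 1 > hi) { print "ID range exhausted" > "/dev/stderr"; exit 1 }
            print max + 1
        }'
}

# duplicate_ids: print every ID that appears on more than one input line.
# Two principals sharing a uidNumber/gidNumber share file access on Unix.
duplicate_ids() {
    awk -F: '$3 ~ /^[0-9]+$/ { n[$3]++ }
             END { for (i in n) if (n[i] > 1) print i }' | sort -n
}

# gid_ldif DN GID: LDIF that adds gidNumber to a group that has none,
# suitable as input for ldbmodify.
gid_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' "$1" "$2"
}

# Constructed sample of `getent group` output (not real data).
SAMPLE_GROUPS='root:x:0:
nogroup:x:65534:
EXAMPLE\domain users:x:10000:
EXAMPLE\domain admins:x:10001:
EXAMPLE\staff:x:3000012:'

# Demonstration: LDIF for a hypothetical new group using the next free gidNumber.
gid_ldif "CN=New Group,CN=Users,DC=example,DC=com" \
    "$(printf '%s\n' "$SAMPLE_GROUPS" | next_id)"
```

Run `duplicate_ids` over the real `getent` output before assigning anything: an ID handed out independently on two DCs shows up there.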
