[Samba] Samba 4 two DCs no matching UID/GID

Tim rintimtim at gmx.net
Fri Dec 12 15:08:30 MST 2014


Why only Domain Users and Domain Admins? I can't follow.
But you've had a good idea. So a script could possibly be run the same way on every DC. I will check and verify.

What about built-in objects like system? These are not available in ADUC, if my memory doesn't fail me.
Will there be a problem when other built-in objects get an RFC gid/uid? E.g. for now wbinfo resolves uid 0 for administrator.

On 12 December 2014 22:19:45 CET, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>On 12/12/14 20:31, Tim wrote:
>> My idea is similar. Today I didn't have the time to go on.
>>
>> But this is my concept and it works with a short script (example for
>groups):
>>
>> DC1 (schema master)
>> for loop on wbinfo -g will
>> check if rfc2307 info is null for these groups in AD (ldbsearch)
>> when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3 then
>exit
>> else update rfc2307 info by importing created ldif file (ldbmodify)
>
>You only really need to give Domain Users & Domain Admins a gidNumber, 
>also you just need to check if the group has a gidNumber and if it 
>doesn't, update the group by adding the next available gidNumber. The 
>same goes for a user.
>
>I also told you where AD normally stores the next uidNumber &
>gidNumber.
>
>Rowland
>
>
>>
>> To get this faster an extra file with set rfc2307 gids will be needed
>and needs to be updated.
>>
>> For failover reasons idmap.ldb should be synced to secondary DCs or
>if possible its max gid number should be updated on secondary DCs.
>>
>> Regards
>> Tim
>>
>>
>>
>> On 12 December 2014 10:19:07 CET, steve
><steve at steve-ss.com> wrote:
>>> On 12/12/14 07:10, Tim wrote:
>>>>
>>>> On 11 December 2014 23:25:58 CET, steve
>>> <steve at steve-ss.com> wrote:
>>>>> On 11/12/14 23:15, Tim wrote:
>>>>>> Thanks Steve,
>>>>>>
>>>>>> I will have a look at it. I think it's important to sync the
>>>>> idmap.ldb
>>>>>> limits
>>>>> It isn't important. The limits are the same on all DCs, even if
>you
>>>>> have
>>>>> not copied the idmap database anywhere else. All you need to do is
>>>>> write
>>>>> the uidNumber and the gidNumber to the DN of your new users and
>>> groups.
>>>>> There are many ways of keeping track of
>>>>> what-the-next-uidNumber-should-be, which I think is your real
>>> problem.
>>>>
>>>> Can you give an example? Sounds interesting and would really help.
>>>>
>>> One way.
>>> Turn on enumeration.
>>> getent passwd and redirect to a file. Read each line, cut the 3rd
>field
>>>
>>> (':' is the delimiter) and append to a second file. Find the biggest
>>> number and then add 1.
>>> There are as many ways as people using rfc2307...
>>> HTH
>>> Steve
>


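The procedure Tim sketches (walk the groups, check each one for a gidNumber with ldbsearch, add one with ldbmodify) and Steve's rule for the next number (highest id in use plus one), combined into one added example. This is not a script from the thread or from the Samba project. It goes one step beyond Tim's per-group loop: a single ldbsearch over all groups replaces the loop and the "extra file with the set gids" he mentions, because the dump itself carries that information. The sam.ldb path, the ID_FLOOR value and the sample ldbsearch dump are assumptions made up for the demo; the functions are pure text processing so the block runs offline, and the comments show which real command to feed them on a DC.

```shell
#!/bin/sh
# Added example, not a script from the thread. Hands out gidNumber to every AD
# group that lacks one, the way Tim sketched (ldbsearch -> LDIF -> ldbmodify),
# using Steve's "highest number in use + 1" rule for the next value.
# Assumptions (not from the thread): the sam.ldb path, the ID_FLOOR value and
# the sample ldbsearch dump below are all made up for the demo.
SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"  # assumed location
ID_FLOOR=10000  # assumed lowest uid/gid we are willing to hand out

# Steve's rule, generalised: read one numeric id per line on stdin and print
# the highest + 1, but never less than ID_FLOOR. Typical feeds:
#   getent passwd | cut -d: -f3 | next_free_id          (winbind enumeration on)
#   ldbsearch -H "$SAM_LDB" '(gidNumber=*)' gidNumber \
#       | sed -n 's/^gidNumber: *//p' | next_free_id
next_free_id() {
    max=$(grep -E '^[0-9]+$' | sort -n | tail -n 1)
    if [ -z "$max" ] || [ "$max" -lt "$ID_FLOOR" ]; then
        echo "$ID_FLOOR"
    else
        echo $((max + 1))
    fi
}

# Tim's loop, collapsed into one query: read the dump produced by
#   ldbsearch -H "$SAM_LDB" '(objectClass=group)' gidNumber
# on stdin and print an LDIF "modify" record for every group without a
# gidNumber, numbering them consecutively from (highest gidNumber seen + 1)
# or ID_FLOOR, whichever is larger. Pipe the result into
#   ldbmodify -H "$SAM_LDB"
# A line beginning with a space is an LDIF continuation line (ldbsearch folds
# long values), so it is glued back onto the dn before it.
assign_missing_gids() {
    awk -v floor="$ID_FLOOR" '
    function flush() {
        if (dn != "" && !hasgid) missing[n++] = dn
        dn = ""; hasgid = 0
    }
    /^ /           { if (last == "dn") dn = dn substr($0, 2); next }
    /^dn: /        { flush(); dn = substr($0, 5); last = "dn"; next }
    /^gidNumber: / { hasgid = 1; if ($2 + 0 > max) max = $2 + 0; last = "gid"; next }
    /^$/           { flush(); last = ""; next }
                   { last = "" }
    END {
        flush()
        next_gid = (max + 1 > floor) ? max + 1 : floor
        for (i = 0; i < n; i++)
            printf "dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %d\n-\n\n", missing[i], next_gid++
    }'
}

# Constructed sample in the shape ldbsearch prints (not real DC output):
# two groups already mapped, two without a gidNumber, one of them with a
# folded dn.
SAMPLE='# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10000

# record 2
dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10001

# record 3
dn: CN=Engineering,CN=Users,DC=samdom,DC=example,DC=com

# record 4
dn: CN=Engineering Build Servers,OU=Service Groups,OU=Engineering,DC=samdom,
 DC=example,DC=com

# returned 4 records
# 4 entries
# 0 referrals
'

# Dry run: print the LDIF that would be applied. On a real DC replace the
# printf with the ldbsearch shown above and append | ldbmodify -H "$SAM_LDB".
printf '%s' "$SAMPLE" | assign_missing_gids
echo "next free gid according to the dump: $(printf '%s' "$SAMPLE" | sed -n 's/^gidNumber: *//p' | next_free_id)"
```

Two practical points. Run this on one DC only (the schema master, as Tim plans): the gidNumber is written to the group object and replicates to the other DCs with it, which is why Steve says the idmap.ldb limits need no syncing for this purpose; two DCs running the allocation at the same time could hand out the same number twice. And if you take Steve's getent route, filter to your domain range first, because local accounts such as nobody (65534 on most systems) would otherwise push the "highest + 1" far above the range you intended.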