[Samba] Samba 4 two DCs no matching UID/GID
Rowland Penny
rowlandpenny at googlemail.com
Sat Dec 13 02:54:27 MST 2014
On 12/12/14 22:08, Tim wrote:
> Why only Domain Users and Domain Admins? I can't follow.
Because they are the only two windows groups that you are likely to need
on a Unix machine.
> But a good idea you've had. So a script can possibly be run on every
> DC the same. I will check and verify.
Don't bother, been there, doing that.
>
> What about built-in objects like system? These are not available in
> ADUC if my memory doesn't fail now.
That is what idmap.ldb is for!!!
> Will there be a problem when other built-in objects get a rfc gid/uid.
> E.g. for now wbinfo resolves uid 0 for administrator.
>
Other built-in objects do not need a rfc gid/uid and Administrator gets
mapped to root by, you guessed it, idmap.ldb
Rowland
> Am 12. Dezember 2014 22:19:45 MEZ, schrieb Rowland Penny
> <rowlandpenny at googlemail.com>:
>
> On 12/12/14 20:31, Tim wrote:
>
> My idea is similar. Today I didn't had the time to go on. But
> this my concept and it works with a short script (example for
> groups): DC1 (schema master) for loop on wbinfo -g will check
> if rfc2307 info is null for these groups in AD (ldbsearch)
> when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3
> then exit else update rfc2307 info by importing created ldif
> file (ldbmodify)
>
>
> You only really need to give Domain Users & Domain Admins a gidNumber,
> also you just need to check if the group has a gidNumber and if it
> doesn't, update the group by adding the next available gidNumber. The
> same goes for a user.
>
> I also told you where AD normally stores the next uidNumber & gidNumber.
>
> Rowland
>
>
> To get this faster an extra file with set rfc2307 gids will be
> needed and needs to be updated. For failover reasons idmap.ldp
> should be synced to secondary DCs or if possible its max gid
> number should be updated on secondary DCs. Regards Tim Am 12.
> Dezember 2014 10:19:07 MEZ, schrieb steve <steve at steve-ss.com>:
>
> On 12/12/14 07:10, Tim wrote:
>
> Am 11. Dezember 2014 23:25:58 MEZ, schrieb steve
>
> <steve at steve-ss.com>:
>
> On 11/12/14 23:15, Tim wrote:
>
> Thanks Steve, I will have a look at it. I
> think it's important to sync the
>
> idmap.ldb
>
> limits
>
> It isn't important. The limits are the same on all
> DCs, even if you have not copied the idmap
> database anywhere else. All you need to do is
> write the uidNumber and the gidNumber to the DN of
> your new users and
>
> groups.
>
> There are many ways of keeping track of
> what-the-next-uidNumber-should-be, which I think
> is your real
>
> problem.
>
> Can you give an example? Sounds interesting and would
> really help.
>
> On way. Turn on enumeration. getent passwd and redirect to
> a file. read each line, cut the 3rd field (':' is the
> delimiter) and append to a second file. Find the biggest
> number and then add 1. There are as many ways as people
> using rfc2307... HTH Steve
>
More information about the samba
mailing list