[Samba] Samba 4 two DCs no matching UID/GID

Rowland Penny rowlandpenny at googlemail.com
Sat Dec 13 02:54:27 MST 2014

On 12/12/14 22:08, Tim wrote:
> Why only Domain Users and Domain Admins? I can't follow.

Because they are the only two Windows groups that you are likely to need 
on a Unix machine.

> But a good idea you've had. So a script can possibly be run on every 
> DC the same. I will check and verify.

Don't bother, been there, doing that.

> What about built-in objects like system? These are not available in 
> ADUC if my memory doesn't fail now.

That is what idmap.ldb is for!!!

> Will there be a problem when other built-in objects get an rfc gid/uid? 
> E.g. for now wbinfo resolves uid 0 for administrator.

Other built-in objects do not need a rfc gid/uid and Administrator gets 
mapped to root by, you guessed it, idmap.ldb


> On 12 December 2014 22:19:45 CET, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>     On 12/12/14 20:31, Tim wrote:
>         My idea is similar. Today I didn't have the time to go on. But
>         this is my concept and it works with a short script (example for
>         groups):
>         DC1 (schema master): a for loop on wbinfo -g will check if
>         rfc2307 info is null for these groups in AD (ldbsearch);
>         when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3
>         then exit, else update rfc2307 info by importing the created ldif
>         file (ldbmodify)
>     You only really need to give Domain Users & Domain Admins a gidNumber,
>     also you just need to check if the group has a gidNumber and if it
>     doesn't, update the group by adding the next available gidNumber. The
>     same goes for a user.
>     I also told you where AD normally stores the next uidNumber & gidNumber.
>     Rowland
>         To get this faster an extra file with set rfc2307 gids will be
>         needed and needs to be updated. For failover reasons idmap.ldb
>         should be synced to secondary DCs or if possible its max gid
>         number should be updated on secondary DCs.
>         Regards
>         Tim
>         On 12 December 2014 10:19:07 CET, steve <steve at steve-ss.com> wrote:
>             On 12/12/14 07:10, Tim wrote:
>                 On 11 December 2014 23:25:58 CET, steve 
>                 <steve at steve-ss.com> wrote:
>                     On 11/12/14 23:15, Tim wrote:
>                         Thanks Steve, I will have a look at it. I
>                         think it's important to sync the idmap.ldb
>                         limits
>                     It isn't important. The limits are the same on all
>                     DCs, even if you have not copied the idmap
>                     database anywhere else. All you need to do is
>                     write the uidNumber and the gidNumber to the DN of
>                     your new users and groups.
>                     There are many ways of keeping track of
>                     what-the-next-uidNumber-should-be, which I think
>                     is your real problem.
>                 Can you give an example? Sounds interesting and would
>                 really help.
>             One way. Turn on enumeration. getent passwd and redirect to
>             a file. read each line, cut the 3rd field (':' is the
>             delimiter) and append to a second file. Find the biggest
>             number and then add 1. There are as many ways as people
>             using rfc2307...
>             HTH
>             Steve
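
As an added worked example (not code from this thread, and not Samba's own tooling), here is a POSIX shell script that does what Tim's concept and Steve's "find the biggest number and add 1" describe, restricted to the two groups Rowland says a Unix host actually needs. It reads the existing gidNumber values straight out of sam.ldb with ldbsearch, so it does not rely on enumeration in nsswitch, builds the LDIF for the group that lacks one, and hands it to ldbmodify. The database path, the base DN, the 10000 floor, the function names and the APPLY switch are all assumptions; the getent-style sample lines at the bottom are constructed so the id logic can be tried without a domain.

```shell
#!/bin/sh
# Assign a gidNumber to the groups that need one, from a single DC.
# Added example: SAM_DB, BASE_DN, GID_FLOOR and the function names are
# assumptions, not taken from the thread.  Run with APPLY=1 to touch AD.
SAM_DB="${SAM_DB:-/usr/local/samba/private/sam.ldb}"
BASE_DN="${BASE_DN:-DC=samdom,DC=example,DC=com}"
GID_FLOOR="${GID_FLOOR:-10000}"   # lowest id we are willing to hand out

# next_id FLOOR: read name:x:ID:... lines (getent group, getent passwd or
# wbinfo --group-info format) on stdin and print the largest ID + 1,
# but never less than FLOOR.  Lines without a numeric third field are
# skipped rather than being treated as id 0.
next_id() {
    floor="$1"
    max=0
    while IFS=: read -r _name _pw id _rest; do
        case "$id" in
            ''|*[!0-9]*) continue ;;        # malformed or empty id field
        esac
        if [ "$id" -gt "$max" ]; then
            max="$id"
        fi
    done
    next=$((max + 1))
    if [ "$next" -lt "$floor" ]; then
        next="$floor"
    fi
    echo "$next"
}

# ldap_escape STRING: escape the RFC 4515 filter metacharacters so a group
# name cannot change the meaning of the search filter it is spliced into.
ldap_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# gid_ldif DN GID: print the ldbmodify input that adds gidNumber=GID to DN.
gid_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n-\n' "$1" "$2"
}

# assign_gids: for each listed group, add the next free gidNumber unless
# the group already carries one.  "Next free" is max(existing gidNumber)+1
# read from sam.ldb itself.
assign_gids() {
    next=$(ldbsearch -H "$SAM_DB" -b "$BASE_DN" '(gidNumber=*)' gidNumber \
           | sed -n 's/^gidNumber: /x:x:/p' | next_id "$GID_FLOOR")
    # Rowland's advice: Domain Users and Domain Admins are the groups you
    # are likely to need on a Unix host; extend the list if you need more.
    printf '%s\n' 'Domain Users' 'Domain Admins' | while IFS= read -r group; do
        filter="(&(objectClass=group)(sAMAccountName=$(ldap_escape "$group")))"
        entry=$(ldbsearch -H "$SAM_DB" -b "$BASE_DN" "$filter" gidNumber)
        dn=$(printf '%s\n' "$entry" | sed -n 's/^dn: //p')
        if [ -z "$dn" ]; then
            echo "no such group: $group" >&2
            continue
        fi
        if printf '%s\n' "$entry" | grep -q '^gidNumber:'; then
            echo "$group: already has a gidNumber, leaving it alone"
            continue
        fi
        gid_ldif "$dn" "$next" | ldbmodify -H "$SAM_DB"
        echo "$group: gidNumber $next"
        next=$((next + 1))
    done
}

# Constructed sample in getent group format so the id logic can be tried
# without a domain: the malformed line and the low system gid are ignored.
SAMPLE_GROUPS='domain users:x:10000:
domain admins:x:10001:
this line has no numeric gid
sudo:x:27:tim'

printf '%s\n' "$SAMPLE_GROUPS" | next_id "$GID_FLOOR"   # prints 10002

if [ "${APPLY:-0}" = 1 ]; then
    assign_gids
fi
```

Run it on one DC only: two DCs computing "max + 1" at the same moment would hand the same gidNumber to different groups before replication catches up, which is the kind of mismatch this thread is about. Escaping the group name before splicing it into the filter is cheap insurance if the list is ever fed from something other than these two constants. If you prefer the counter Rowland alludes to rather than max + 1, note that the page does not name it; in my experience it is the msSFU30MaxGidNumber attribute under CN=ypServ30,CN=RpcServices,CN=System in the domain, but verify that in your own directory and bump it in the same run so the next tool that reads it does not reuse the id.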
