[Samba] idmap configuration after initial deployment needed?

steve steve at steve-ss.com
Wed Oct 15 13:50:40 MDT 2014

On 15/10/14 17:51, Rowland Penny wrote:
> On 15/10/14 16:24, James wrote:
>> Hello,
>>     Using Ubuntu 12.04 with Samba 4.1.11. I'm currently redirecting
>> Windows folders to a Samba DC. This DC is not the one that was
>> deployed first. Based on discussions from another thread I copied the
>> idmap.ldb from the initial DC to the others that are deployed. I
>> noticed upon doing so the file permissions on the shares were broken.

Not sure which thread you read, but you should copy the db and then run 
sysvolreset. I thought that this had appeared in the wiki recently.

>> As in existing users were unable to see their documents or make
>> modifications to them. I deleted them from the ACL list and reapplied
>> their appropriate permissions. This corrected that issue.

How did you effect, 'reapplied appropriate permissions'? samba-tool?

>>     I also noticed that an issue I had with applying GPOs to users at
>> remote sites was now working again after making this change. With all
>> that being said, I was under the impression that I only needed to add
>> idmap configurations to my smb.conf if I was using a member server to
>> handle shares from Linux/Unix users or workstations. I appear to be
>> wrong?  Thanks for any assistance.
> The problem starts with what Microsoft calls 'Well-known security
> identifiers', these are mapped on the DC to xidNumbers, now wherever
> you go in AD, on a Windows machine 'S-1-5-32-544' is the Administrators
> group, but as I said, on the DC this is mapped to an xidNumber, only
> problem is that you do not seem to get the same xidNumber on every
> samba4 DC, this is why idmap.ldb needs to be copied from the first DC.
> There was some talk about mapping these SIDs to a set group of numbers,
> but that is as far as it got, the problem being just what numbers to map
> them to or how to map them so that samba admins could choose the
> starting base.
> Rowland
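
The per-DC difference in SID to xidNumber mappings discussed in this message can be checked by dumping idmap.ldb on two DCs as LDIF and comparing the results. The Python script below is an added example, not part of the original thread; the sample LDIF is constructed and trimmed, and the record layout (cn holding the SID string, an xidNumber attribute) is an assumption about what `ldbsearch -H idmap.ldb` prints.

```python
# Constructed, trimmed sample dumps. Assumed layout: one record per SID,
# with cn = SID string and xidNumber = the Unix ID that DC assigned.
DC1_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
xidNumber: 3000009
"""
DC2_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
xidNumber: 3000004

# record 2
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
xidNumber: 3000009

# record 3
dn: CN=S-1-5-11
cn: S-1-5-11
xidNumber: 3000002
"""

def parse_idmap(ldif):
    """Return {SID: xidNumber} from LDIF text (records separated by blank lines)."""
    mapping = {}
    for record in ldif.strip().split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip ldbsearch comment lines and anything malformed
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        if attrs.get("cn", "").startswith("S-1-") and "xidNumber" in attrs:
            mapping[attrs["cn"]] = int(attrs["xidNumber"])
    return mapping

def diff_idmap(first, other):
    """Return {SID: (xid_on_first, xid_on_other)} for every mismatch; None = no mapping."""
    a, b = parse_idmap(first), parse_idmap(other)
    return {sid: (a.get(sid), b.get(sid))
            for sid in sorted(set(a) | set(b)) if a.get(sid) != b.get(sid)}
```

Any SID reported by `diff_idmap` is one whose file ownership or ACL entries would resolve to a different Unix ID depending on which DC serves the share.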
