[Samba] UID/GID -> SID -> NAME mapping across multiple DCs

Taylor Hammerling thammerling at tcsbasys.com
Fri Dec 15 17:56:25 UTC 2017


Interesting... How do I go about getting them/keeping them in sync?

On Fri, Dec 15, 2017 at 11:47 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 15 Dec 2017 11:09:38 -0600
> Taylor Hammerling via samba <samba at lists.samba.org> wrote:
>
> > This isn't necessarily an issue (I don't think) but more so a
> > curiosity.
> >
> > How are UIDs mapped to SIDs and then SIDs mapped to names in Samba4
> > across multiple DCs?
> >
> > I set up my DCs using Louis' how tos (
> > https://github.com/thctlo/samba4/tree/master/howtos).
> >
> > All of my DCs smb.confs have the line "idmap_ldp:use rfc2307 = yes"
> >
> > My policies folder under \sysvol\domainname\  has permissions of
> >
> > # file: Policies/
> > # owner: root
> > # group: 3000000
> > user::rwx
> > group::r-x
> > other::r-x
> >
> > and the folders below the policies folder have permissions like this
> >
> > 393060 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> > {3010F9BE-44ED-474B-B1A4-97126DF3D2B2}
> > 393073 drwxrwx---+ 4 3000008 3000008  4096 Dec 12 09:26
> > {31B2F340-016D-11D2-945F-00C04FB984F9}
> > 393084 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> > {6AC1786C-016F-11D2-945F-00C04FB984F9}
> > 393093 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> > {9BDC0BE2-5A5E-411F-81E5-6450803FA20D}
> > 393100 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> > {9FCBF966-79B8-4E1B-9E96-EE950FD00731}
> > 393108 drwxr-xr-x  4 3000008 3000008  4096 Dec 12 09:26
> > {F175AAA1-AA6D-4A0F-BD42-9321BAA3061E}
> > 393006 drwxr-xr-x  3 3000000 users   12288 Dec 12 09:26
> > PolicyDefinitions
> >
> > I have three DCs, dc1, dc2 and dc3
> >
> > I ran some wbinfo's on all my DCs to check if the UIDs lined up with
> > the same SIDs on each DC, and the results were confusing.
> >
> > DC1======------
> > root at dc1 /# wbinfo -U 3000000
> > S-1-5-32-544
> > root at dc1 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc1 /# wbinfo -G 3000000
> > S-1-5-32-544
> > root at dc1 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc1 /# wbinfo -U 3000008
> > S-1-5-21-2360315722-3846793618-1593657947-572
> > root at dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
> > TCSBASYS\Denied RODC Password Replication Group 4
> > root at dc1 /# wbinfo -G 3000008
> > S-1-5-21-2360315722-3846793618-1593657947-572
> > root at dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
> > TCSBASYS\Denied RODC Password Replication Group 4
> >
> > DC2======------
> > root at dc2 /# wbinfo -U 3000000
> > S-1-5-32-544
> > root at dc2 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc2 /# wbinfo -G 3000000
> > S-1-5-32-544
> > root at dc2 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc2 /# wbinfo -U 3000008
> > S-1-5-21-2360315722-3846793618-1593657947-512
> > root at dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
> > TCSBASYS\Domain Admins 2
> > root at dc2 /# wbinfo -G 3000008
> > S-1-5-21-2360315722-3846793618-1593657947-512
> > root at dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
> > TCSBASYS\Domain Admins 2
> >
> >
> > DC3======------
> > root at dc2 /# wbinfo -U 3000000
> > S-1-5-32-544
> > root at dc2 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc2 /# wbinfo -G 3000000
> > S-1-5-32-544
> > root at dc2 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc3 /# wbinfo -U 3000008
> > S-1-5-64-10
> > root at dc3 /# wbinfo -s S-1-5-64-10
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-64-10
> > root at dc3 /# wbinfo -G 3000008
> > S-1-5-64-10
> > root at dc3 /# wbinfo -s S-1-5-64-10
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-64-10
> >
> >
> > Any help/insight you can provide would be greatly appreciated!
> >
> > Thanks and have a super Friday!
> >
>
> Welcome to the wonderful world of idmap.ldb on Samba AD DCs ;-)
> I take it you have synced sysvol between the three DCs; you now need to
> sync idmap.ldb from the first DC to the other two. The IDs are
> allocated on a first-come basis, so you are likely to get the IDs
> allocated to different groups etc. In your case '3000008' has been
> given to 'S-1-5-64-10' on DC3, this is the SID for 'NTLM
> Authentication' and it should be 'Domain Admins' as on the other two.
>
> Rowland
>
> and
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
*Taylor Hammerling* |  *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com
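As an added example (not code from this thread, from the poster, or from Samba itself): a small shell check that does mechanically what the wbinfo runs above did by hand. It collects the xid -> SID -> name triples on each DC and flags any xid whose SID differs between DCs, which is exactly the first-come allocation drift Rowland describes. The function names `collect_idmap`, `compare_idmaps` and `sample_idmap`, the tab-separated interchange format, and the constructed sample rows (transcribed from the wbinfo output quoted above) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: check that every xid
# (UID/GID number) resolves to the same SID on every DC.
#
# Interchange format (an assumption of this example): one tab-separated line
# per xid per DC:   host <TAB> xid <TAB> sid <TAB> name

# collect_idmap XID...: run on one DC; prints the lookups winbind gives for
# each xid.  On a DC idmap.ldb hands out one xid space for users and groups,
# so "wbinfo -U" is enough here; "wbinfo -G" returns the same SID.
collect_idmap() {
    host=$(hostname)
    for xid in "$@"; do
        sid=$(wbinfo -U "$xid" 2>/dev/null) || sid='?'
        # "wbinfo -s" prints "DOMAIN\name <type>"; drop the trailing SID type.
        if raw=$(wbinfo -s "$sid" 2>/dev/null); then
            name=$(printf '%s\n' "$raw" | sed 's/ [0-9]*$//')
        else
            name='?'   # e.g. WBC_ERR_DOMAIN_NOT_FOUND for S-1-5-64-10 above
        fi
        printf '%s\t%s\t%s\t%s\n' "$host" "$xid" "$sid" "$name"
    done
}

# compare_idmaps: reads the concatenated lines from all DCs on stdin, prints
# every xid whose SID differs between DCs, and exits 1 if any did, else 0.
compare_idmaps() {
    awk -F'\t' '
    {
        xid = $2
        seen[xid] = 1
        key = xid SUBSEP $3
        if (!sids[key]) { sids[key] = 1; nsid[xid]++ }   # distinct SIDs per xid
        rows[xid] = rows[xid] sprintf("    %s: %s (%s)\n", $1, $3, $4)
    }
    END {
        bad = 0
        for (xid in seen)
            if (nsid[xid] > 1) {
                bad = 1
                printf "xid %s differs between DCs:\n%s", xid, rows[xid]
            }
        exit bad
    }'
}

# sample_idmap: constructed data, transcribed from the wbinfo output quoted
# above, so the check can be exercised without three DCs.
sample_idmap() {
    printf '%s\t%s\t%s\t%s\n' \
        dc1 3000000 S-1-5-32-544 'BUILTIN\Administrators' \
        dc2 3000000 S-1-5-32-544 'BUILTIN\Administrators' \
        dc3 3000000 S-1-5-32-544 'BUILTIN\Administrators' \
        dc1 3000008 S-1-5-21-2360315722-3846793618-1593657947-572 'TCSBASYS\Denied RODC Password Replication Group' \
        dc2 3000008 S-1-5-21-2360315722-3846793618-1593657947-512 'TCSBASYS\Domain Admins' \
        dc3 3000008 S-1-5-64-10 '?'
}

# Demo on the constructed data; on real DCs, run collect_idmap on each host
# and pipe the concatenated output into compare_idmaps instead.
if [ "${1:-}" = "demo" ]; then
    sample_idmap | compare_idmaps
fi
```

Run `collect_idmap 3000000 3000008 ...` on each DC (the xid list can be taken from `getfacl -n` or `ls -n` on the sysvol tree), concatenate the outputs, and pipe them into `compare_idmaps`; a non-zero exit means at least one number is owned by different principals on different DCs, which is what the sysvol ACLs above are actually encoding. Because the 3000xxx numbers are meaningful only through the local idmap.ldb, an rsync of sysvol alone carries the numbers but not their meaning; the documented workaround is to copy idmap.ldb from one DC to the others, flush winbind's cache there (`net cache flush`), and then reset the sysvol ACLs with `samba-tool ntacl sysvolreset`.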

