[Samba] Verifying idmap.ldb consistency across domain controllers

lingpanda101 lingpanda101 at gmail.com
Tue May 8 14:44:32 UTC 2018

On 5/8/2018 9:40 AM, Rowland Penny via samba wrote:
> On Tue, 8 May 2018 09:23:42 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>> My concern is with human error and built-in groups. I'm using RFC2307
>> on all DCs, so for all UIDs and GIDs of manually created users & groups
>> I should be good. I'm pretty confident that for all DCs I have added to
>> the domain, I took the step to copy and replace idmap.ldb. If I
>> search for one builtin user and group and verify XIDs across domain
>> controllers, can I deduce I have in fact taken care to copy and
>> replace idmap.ldb from the 1st DC? What are some tell-tale signs of
>> idmap.ldb inconsistency? Thanks for any guidance.
> The one real inconsistency would be the BUILTIN users and groups, and
> if it wasn't for sysvol, even this wouldn't be a problem.
> Once a user or group is given a *idNumber, this will be used instead of
> the xidNumber stored in idmap.ldb, so comparing a BUILTIN user's or group's
> xidNumber in the first DC's idmap.ldb with the same data on another DC
> is probably the only way of telling for sure. Having said that, it
> would probably be easier to set up a cron job to sync idmap.ldb on a
> regular basis.
> Rowland
If I set up a cron job to sync, is it necessary to stop Samba prior to
replacing idmap.ldb on the 2nd, 3rd etc. DC?
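The comparison Rowland describes, dumping the BUILTIN (S-1-5-32-*) SID to xidNumber mappings from each DC's idmap.ldb into a sortable text form and diffing the dumps, as an added example that is not part of the thread. It assumes ldb-tools is installed and that idmap.ldb lives at /var/lib/samba/private/idmap.ldb (override with IDMAP_LDB); the sample LDIF below is constructed, not real DC output.

```shell
#!/bin/sh
# Added example: dump BUILTIN xidNumber mappings from idmap.ldb for cross-DC comparison.
IDMAP_LDB="${IDMAP_LDB:-/var/lib/samba/private/idmap.ldb}"   # assumed default path

# Reduce ldbsearch LDIF on stdin to one "SID xidNumber type" line per record, sorted by SID.
# Only S-1-5-32-* (BUILTIN) SIDs are kept; everything else in idmap.ldb is ignored.
normalize_ldif() {
    awk '
        /^objectSid: S-1-5-32-/ { sid = $2 }
        /^xidNumber: /          { xid = $2 }
        /^type: /               { typ = $2 }
        /^$/ && sid != ""       { print sid, xid, typ; sid = xid = typ = "" }
        END { if (sid != "") print sid, xid, typ }
    ' | sort
}

# Query a live DC's idmap.ldb (run this on each DC and collect the output files).
dump_builtin_xids() {
    ldbsearch -H "$IDMAP_LDB" '(cn=S-1-5-32-*)' objectSid xidNumber type | normalize_ldif
}

# Compare two normalized dumps; exit status 0 when they agree, 1 when any BUILTIN xid differs.
compare_dumps() {
    if diff "$1" "$2"; then
        echo "BUILTIN xidNumber mappings agree"
    else
        echo "MISMATCH: BUILTIN xidNumber differs between the two dumps" >&2
        return 1
    fi
}

# Constructed sample LDIF in ldbsearch's output shape: DC1, and DC2 where S-1-5-32-545 diverged.
SAMPLE_DC1='# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001
'
SAMPLE_DC2=$(printf '%s' "$SAMPLE_DC1" | sed 's/^xidNumber: 3000001$/xidNumber: 3000017/')

# Pass --live to dump the local DC instead of the constructed samples.
if [ "${1:-}" = "--live" ]; then dump_builtin_xids; fi
```

Run the script with --live on each DC, copy the outputs to one host, and feed two of them to compare_dumps; a non-zero exit marks a DC whose idmap.ldb was not replaced from the first DC.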