[Samba] Sync UID/GUI between two DCs
simeon at simeonpeter.ch
Tue Sep 17 02:58:42 UTC 2019
I had a problem with different group IDs on my two DCs. They both run
version 4.7.6-Ubuntu and use the RFC2307 schema. The first DC showed the
group IDs 200xx that I had set in the AD. The second DC gave the ID 100 to
Domain Users and other 200xx IDs to the groups.
To solve the problem:
1. I gave Unix UIDs to all users and GIDs to all groups in the Active
Directory with RSAT
2. I copied the idmap.ldb database from the first DC to the second DC
The problem with wrong file permissions on the Netlogon share, caused by
different groups in the ACLs on the second DC, could be solved like this.
Now I am wondering what I should do to prevent future issues.
I read the post "Two DC but Different UID":
>And the best way is to do both: synchronize idmap.ldb and set up uidNumber
>and gidNumber for each and every users in AD, even on MS users contained
>into BUILTIN and Users containers.
>If you synchronize idmap.ldb, keep it synched.
>Usage of RFC2307 for MS Builtin users is to avoid future issue, once they
>get all some xID from AD, they have no reason to get some irrelevant xID
>from id mapping.
>You can also edit idmap.ldb using "ldbedit -H idmap.ldb" to remove from
>that file every user and group which already have xidNumber set in AD LDAP
Outside the 3000000 range I have these entries in the idmap.ldb:
65534: belongs to S-1-5-7 (Anonymous);
net groupmap list ntgroup='S-1-5-7' shows: Failure to local group SID in
100: net groupmap list ntgroup shows Domain Users
0: net groupmap list ntgroup shows Failure to local group SID in the
Should I delete these three entries?
Is it necessary to sync the idmap.ldb again as long as I only change
users, groups and computers in the AD?
Are the other entries in the 3000000 range all from the DCs, so it is
better to keep them like they are?
Thank you for your answers.
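As an added example (not code from the original post and not part of Samba), here is a small Python script that does the consistency check the quoted advice implies: it parses an idmap.ldb dump from each DC, reports SIDs whose xidNumber differs between the two, SIDs present on only one DC, xid collisions within one DC, and idmap entries that are redundant because AD already carries a uidNumber/gidNumber for that SID. The two dumps and the AD RFC2307 table are constructed sample data; the record layout assumed is the LDIF-style output of `ldbsearch -H idmap.ldb` (objectSid, type, xidNumber attributes), and the file path in the comment is the usual Ubuntu location, not taken from the post.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample dumps. The layout mirrors what
# `ldbsearch -H /var/lib/samba/private/idmap.ldb` prints: one LDIF record
# per SID with objectSid, type and xidNumber. The SIDs and numbers are made up.
DC1_DUMP = """\
dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-7
objectSid: S-1-5-7
type: ID_TYPE_BOTH
xidNumber: 65534
"""

DC2_DUMP = """\
dn: CN=S-1-5-21-1111-2222-3333-513
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_GID
xidNumber: 3000005

dn: CN=S-1-5-21-1111-2222-3333-1104
objectSid: S-1-5-21-1111-2222-3333-1104
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-21-1111-2222-3333-1106
objectSid: S-1-5-21-1111-2222-3333-1106
type: ID_TYPE_UID
xidNumber: 3000002
"""

# Constructed view of the RFC2307 attributes already set in AD, keyed by SID.
# In practice this would be gathered with ldbsearch/ldapsearch on the AD database.
AD_RFC2307 = {
    "S-1-5-21-1111-2222-3333-513": 20000,   # Domain Users, gidNumber set in AD
    "S-1-5-21-1111-2222-3333-1106": 20011,  # a user with uidNumber set in AD
}

Entry = namedtuple("Entry", "sid idtype xid")


def parse_idmap_dump(text):
    """Parse an ldbsearch dump of idmap.ldb into {sid: Entry}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            sid = attrs["objectSid"]
            entries[sid] = Entry(sid, attrs.get("type", ""), int(attrs["xidNumber"]))
    return entries


def compare_idmaps(a, b):
    """Return (mismatched xids, SIDs only in a, SIDs only in b)."""
    mismatched = {sid: (a[sid].xid, b[sid].xid)
                  for sid in a.keys() & b.keys() if a[sid].xid != b[sid].xid}
    return mismatched, sorted(a.keys() - b.keys()), sorted(b.keys() - a.keys())


def xid_collisions(idmap):
    """xids mapped to more than one SID inside a single idmap.ldb."""
    by_xid = defaultdict(list)
    for entry in idmap.values():
        by_xid[entry.xid].append(entry.sid)
    return {xid: sorted(sids) for xid, sids in by_xid.items() if len(sids) > 1}


def redundant_entries(idmap, ad_ids):
    """SIDs idmap.ldb still maps although AD already has uidNumber/gidNumber."""
    return sorted(sid for sid in idmap if sid in ad_ids)


if __name__ == "__main__":
    dc1, dc2 = parse_idmap_dump(DC1_DUMP), parse_idmap_dump(DC2_DUMP)
    mismatched, only1, only2 = compare_idmaps(dc1, dc2)
    print("xid differs between DCs:", mismatched)
    print("only on DC1:", only1, "only on DC2:", only2)
    print("collisions DC1:", xid_collisions(dc1), "DC2:", xid_collisions(dc2))
    print("redundant on DC2:", redundant_entries(dc2, AD_RFC2307))
```

Run against real dumps, a non-empty "xid differs" set is exactly the condition that produced the wrong Netlogon ACLs described above, and the "redundant" list is the set of entries the quoted advice suggests reviewing with ldbedit once the corresponding users and groups carry RFC2307 attributes in AD.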