[Samba] Sync UID/GID between two DCs

Simeon Peter simeon at simeonpeter.ch
Tue Sep 17 02:58:42 UTC 2019


I had a problem with different group IDs on my two DCs. They both have
version 4.7.6-Ubuntu and use the RFC2307 schema. The first DC showed the
group IDs 200xx that I gave in the AD. The second DC gave the ID 100 to
Domain Users and other 200xx IDs to the groups.

I could solve the problem like this:

  1. I gave Unix UIDs to all users and GIDs to groups in the Active 
Directory with RSAT
  2. I copied the idmap.ldb database from the first to the second DC

The problem with wrong file permissions on the Netlogon share, caused by
different groups in the ACLs on the second DC, could be solved like this.

Now I am wondering what I should do to prevent future issues.

I read the post "Two DC but Different UID":

>And the best way is to do both: synchronize idmap.ldb and set up uidNumber
>and gidNumber for each and every user in AD, even for MS users contained
>in the BUILTIN and Users containers.
>If you synchronize idmap.ldb, keep it synched.
>Usage of RFC2307 for MS Builtin users is to avoid future issue, once they
>get all some xID from AD, they have no reason to get some irrelevant xID
>from id mapping.
>You can also edit idmap.ldb using "ldbedit -H idmap.ldb" to remove from
>that file every user and group which already have xidNumber set in AD LDAP

Outside the 3000000 range I have these entries in the idmap.ldb:

65534, belongs to S-1-5-7 (Anonymous)

net groupmap list ntgroup='S-1-5-7' shows: Failure to local group SID in 
the database

100: net groupmap list ntgroup shows Domain Users

0: net groupmap list ntgroup shows Failure to local group SID in the 

Should I delete these three entries?

Is it necessary to sync the idmap.ldb again as long as I only change
users, groups and computers in the AD?

Are the other entries in the 3000000 range all from the DCs, so it is 
better to keep them like they are?

Thank you for your answers.
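The check behind the questions above (which idmap.ldb entries lie outside the configured range, and which duplicate a SID that already has uidNumber/gidNumber in AD) can be scripted before touching the file with ldbedit. The following is an added example, not code from the original post or from Samba. It parses a constructed dump in the shape produced by `ldbsearch -H idmap.ldb` (the `CN=CONFIG` record with lowerBound/upperBound and one `sidMap` record per mapping are assumed to match your own dump; verify against it), and takes the set of SIDs that carry RFC2307 IDs in AD as a constructed input (on a real DC that set would come from searching sam.ldb for `(|(uidNumber=*)(gidNumber=*))`). Nothing is written or deleted; the result is a classification you can review.

```python
"""Classify idmap.ldb mappings against RFC2307 IDs stored in AD (added example)."""

# Constructed sample in the shape of `ldbsearch -H idmap.ldb` output.
# Record layout (CN=CONFIG bounds, sidMap records with objectSid/type/xidNumber)
# is an assumption about the format; compare with a dump from your own DC.
SAMPLE_IDMAP = """\
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000

dn: CN=S-1-5-7
cn: S-1-5-7
objectClass: sidMap
objectSid: S-1-5-7
type: ID_TYPE_BOTH
xidNumber: 65534

dn: CN=S-1-5-21-1111-2222-3333-513
cn: S-1-5-21-1111-2222-3333-513
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-1105
cn: S-1-5-21-1111-2222-3333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-1105
type: ID_TYPE_UID
xidNumber: 3000001
"""

# Constructed: SIDs of AD objects that already have uidNumber or gidNumber set.
# Here "Domain Users" (RID 513) and one user (RID 1105) got RFC2307 IDs via RSAT.
AD_RFC2307_SIDS = {
    "S-1-5-21-1111-2222-3333-513",
    "S-1-5-21-1111-2222-3333-1105",
}


def parse_ldb_dump(text):
    """Split LDIF-style ldbsearch output into one dict per blank-line-separated record."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def idmap_bounds(records):
    """Return (lowerBound, upperBound) from the CN=CONFIG record."""
    for rec in records:
        if rec.get("dn", "").upper() == "CN=CONFIG":
            return int(rec["lowerBound"]), int(rec["upperBound"])
    raise ValueError("no CN=CONFIG record in idmap dump")


def reconcile(idmap_text, ad_sids):
    """Classify every sidMap record as already_in_ad, out_of_range, or allocated.

    already_in_ad: the SID has uidNumber/gidNumber in AD, so the idmap entry is
                   redundant (candidate for removal with ldbedit, per the quoted advice).
    out_of_range:  the xidNumber lies outside [lowerBound, upperBound] and the SID has
                   no AD-side ID; review by hand (e.g. well-known SIDs such as S-1-5-7).
    allocated:     a normal allocation inside the configured range.
    """
    records = parse_ldb_dump(idmap_text)
    lower, upper = idmap_bounds(records)
    result = {"already_in_ad": [], "out_of_range": [], "allocated": []}
    for rec in records:
        if rec.get("objectClass") != "sidMap":
            continue
        sid, xid = rec["objectSid"], int(rec["xidNumber"])
        if sid in ad_sids:
            result["already_in_ad"].append((sid, xid))
        elif not lower <= xid <= upper:
            result["out_of_range"].append((sid, xid))
        else:
            result["allocated"].append((sid, xid))
    return result


if __name__ == "__main__":
    for bucket, entries in reconcile(SAMPLE_IDMAP, AD_RFC2307_SIDS).items():
        print(bucket)
        for sid, xid in entries:
            print(f"  {sid} -> {xid}")
```

On a real DC, replace the two constructed inputs with the output of `ldbsearch -H idmap.ldb` and the SIDs from a sam.ldb search, run it on both DCs, and compare: an entry that is "allocated" on one DC but maps a different xidNumber on the other is exactly the kind of drift that produced the mismatched Netlogon ACLs described above.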

