[Samba] Sync UID/GUI between two DCs

Rowland penny rpenny at samba.org
Tue Sep 17 08:08:51 UTC 2019 

On 17/09/2019 03:58, Simeon Peter via samba wrote:
> Hello
>
> I had a problem with different group IDs on my two DCs. They have both 
> Version 4.7.6-Ubuntu and use the RFC2307 scheme. The first DC showed 
> the group-IDs 200xx that I gave in the AD. The second DC gave the ID 
> 100 to Domain Users and other 200xx IDs to the groups.
>
> To could solve the problem:
>
>  1. I gave Unix UIDs to all users and GIDs to groups in the Active 
> Directory with RSAT
>  2. I copied the idmap.ldp database from the first to the second DC
>
> The problem with wrong file permissions of the Netlogon share, based 
> on different groups in the ACLs on the second DC could be solved like 
> this.
>
> Now I am wondering what I should do to prevent future issues.
>
> I read the post Two DC but Different UID 
> <https://lists.samba.org/archive/samba/2016-June/200433.html>:
>
>> And the best way is to do both: synchronize idmap.ldb and set up 
>> uidNumber
>> and gidNumber for each and every users in AD, even on MS users contained
>> into BUILTIN and Users containers.
>>
>> If you synchronize idmap.ldb, keep it synched.
>> Usage of RFC2307 for MS Builtin users is to avoid future issue, once 
>> they
>> get all some xID from AD, they have no reason to get some irrelevant xID
>> from id mapping.
>>
>> You can also edit idmap.ldb using "ldbedit -H idmap.ldb" to remove from
>> that file every user and group which already have xidNumber set in AD 
>> LDAP
>> tree.
>
> Outside the 3000000 range I have this entries in the idmap.ldb:
>
> 65534, belongs to  S-1-5-7  (Anonymous)
>
> net groupmap list ntgroup='S-1-5-7' shows: Failure to local group SID 
> in the database
>
> 100: net groupmap list ntgroup shows Domain Users
>
> 0: net groupmap list ntgroup shows Failure to local group SID in the 
> database
>
> Should I delete this tree entries?
>
> Is it necessary to sync the idmap.ldb again as long as I only change 
> users, groups  and computers in the AD?
>
> Are the other entries in the 3000000 range all from the DCs, so it is 
> better to keep them like they are?
>
>
> Thank you for your answers.
>
> Simeon
>
>
Do not give the standard Windows users and groups a uid/gidNumber, most 
are never used on Unix, the main exception would be Domain Users.

It sounds like your problems are being caused by using the DCs as 
fileservers, something that is only really viable if you only have one 
DC. If you have multiple DCs, then set up a Unix domain member and use 
this as the fileserver.

You only need to sync idmap.ldb if you are using GPOs.

If you add uidNumber and gidNumber attributes to AD these should be used 
instead of the xidNumber attributes in idmap.ldb.

Rowland

More information about the samba mailing list