[Samba] Sync UID/GUI between two DCs

Rowland penny rpenny at samba.org
Tue Sep 17 09:52:32 UTC 2019 

On 17/09/2019 09:30, Simeon Peter wrote:
>
> Am 17.09.19 um 17:08 schrieb Rowland penny via samba:
>> Do not give the standard Windows users and groups a uid/gidNumber, 
>> most are never used on Unix, the main exception would be Domain Users.
> OK, now I did it already. It it ok to leave it like this?

I would remove any uidNumber & gidNumber attributes from the following 
users (if set):

administrator
guest
krbtgt

If you are using Bind9, then you will also have users in this format: 
dns-dcname, if so do the same for these users.

you should also remove gidNumber attributes from these groups:

cert publishers
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
dnsadmins
enterprise read-only domain controllers
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers
dnsupdateproxy

This just leaves Domain Admins, if you give this group a gidNumber it 
just becomes a group (yes, I know it is just a group) but Windows has 
this funny thing where groups can own files and Unix doesn't. If Domain 
Admins is a Unix group, it cannot own things in Sysvol and it needs to. 
My way around this is to create a group (I use one called 'unix 
admins'), give this group a gidNumber and make it a member of Domain 
Admins or Administrators, then use this group instead of Domain Admins, 
finally ensure that Domain Admins doesn't have a gidNumber.

>>
>> It sounds like your problems are being caused by using the DCs as 
>> fileservers, something that is only really viable if you only have 
>> one DC. If you have multiple DCs, then set up a Unix domain member 
>> and use this as the fileserver.
> I prefer to have as less servers as possible to set up and maintain . 
> If I can handle it with the User & Group IDs, are there other issues 
> when using a DC as a file server?
Yes, lots, do not even bother trying this if you have more than one DC, 
only use a DC as a fileserver when you really have no other option.
>>
>> You only need to sync idmap.ldb if you are using GPOs.
>
> I use GPOs. How often should I sync the idmap.ldp?
Every time you add a GPO and sync it to any other DCs.
>
>>
>> If you add uidNumber and gidNumber attributes to AD these should be 
>> used instead of the xidNumber attributes in idmap.ldb.
> That is what I did and solved my problem. Do you recommend to delete 
> old entries in the idmap.ldp?
No, if a user has a uidNumber or a group has a gidNumber, these will be 
used instead of the xidNumbers from idmap.ldb

Rowland

More information about the samba mailing list