[Samba] Sync UID/GID between two DCs
rpenny at samba.org
Tue Sep 17 09:52:32 UTC 2019
On 17/09/2019 09:30, Simeon Peter wrote:
> On 17.09.19 at 17:08, Rowland penny via samba wrote:
>> Do not give the standard Windows users and groups a uid/gidNumber,
>> most are never used on Unix, the main exception would be Domain Users.
> OK, I have already done it now. Is it OK to leave it like this?
I would remove any uidNumber & gidNumber attributes from the following
users (if set):
If you are using Bind9, then you will also have users in this format:
dns-dcname; if so, do the same for these users.
You should also remove gidNumber attributes from these groups:
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
enterprise read-only domain controllers
group policy creator owners
read-only domain controllers
This just leaves Domain Admins. If you give this group a gidNumber it
just becomes a group (yes, I know it is just a group), but Windows has
this funny thing where groups can own files and Unix doesn't. If Domain
Admins is a Unix group, it cannot own things in Sysvol, and it needs to.
My way around this is to create a group (I use one called 'unix
admins'), give this group a gidNumber and make it a member of Domain
Admins or Administrators, then use this group instead of Domain Admins,
finally ensure that Domain Admins doesn't have a gidNumber.
>> It sounds like your problems are being caused by using the DCs as
>> fileservers, something that is only really viable if you only have
>> one DC. If you have multiple DCs, then set up a Unix domain member
>> and use this as the fileserver.
> I prefer to have as few servers as possible to set up and maintain.
> If I can handle it with the User & Group IDs, are there other issues
> when using a DC as a file server?
Yes, lots. Do not even bother trying this if you have more than one DC;
only use a DC as a fileserver when you really have no other option.
>> You only need to sync idmap.ldb if you are using GPOs.
> I use GPOs. How often should I sync the idmap.ldb?
Every time you add a GPO and sync it to any other DCs.
>> If you add uidNumber and gidNumber attributes to AD these should be
>> used instead of the xidNumber attributes in idmap.ldb.
> That is what I did and it solved my problem. Do you recommend deleting
> old entries in the idmap.ldb?
No, if a user has a uidNumber or a group has a gidNumber, these will be
used instead of the xidNumbers from idmap.ldb.
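The clean-up Rowland describes has no single samba-tool command, so it is usually done with LDIF fed to ldbmodify. The script below is an added example and not code from the thread or from the Samba project: it generates the LDIF that strips gidNumber from the listed groups (Domain Admins included) and uidNumber/gidNumber from the Bind9 dns-<dcname> users, creates the 'unix admins' workaround group with a gidNumber and nests it in Domain Admins, and copies idmap.ldb to another DC for the GPO case. The sam.ldb path, the domain DN DC=example,DC=com, the DC names dc1/dc2 and the gidNumber 10000 are assumptions; override them from the environment.

```shell
#!/bin/sh
# Added example (not from the thread): emit the LDIF that removes
# uidNumber/gidNumber from the accounts Rowland lists, and set up an
# RFC2307 'unix admins' group nested inside Domain Admins.
# Assumptions, all overridable from the environment:
SAM_LDB="${SAM_LDB:-/var/lib/samba/private/sam.ldb}"   # assumed Debian-style path
BASE_DN="${BASE_DN:-DC=example,DC=com}"                # assumed domain DN
DC_NAMES="${DC_NAMES:-dc1 dc2}"                        # assumed DC names (Bind9 dns-* users)
UNIX_ADMINS_GID="${UNIX_ADMINS_GID:-10000}"            # assumed gidNumber for 'unix admins'

# The default Windows groups and the dns-* users live under CN=Users.
group_dn() { printf 'CN=%s,CN=Users,%s' "$1" "$BASE_DN"; }
user_dn()  { printf 'CN=%s,CN=Users,%s' "$1" "$BASE_DN"; }

# One LDIF modify record deleting an attribute from a DN.
# ldbmodify fails with "No such attribute" on an object that lacks it,
# so run --list first and keep only the records that apply ("if set").
ldif_delete_attr() {
    printf 'dn: %s\nchangetype: modify\ndelete: %s\n-\n\n' "$1" "$2"
}

# One LDIF modify record adding a single-valued attribute.
ldif_add_attr() {
    printf 'dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n-\n\n' "$1" "$2" "$2" "$3"
}

# Groups that should never carry a gidNumber; Domain Admins is included
# so it stays a Windows group and can keep owning files in Sysvol.
gen_cleanup_ldif() {
    for g in 'RAS and IAS Servers' \
             'Allowed RODC Password Replication Group' \
             'Denied RODC Password Replication Group' \
             'Enterprise Read-only Domain Controllers' \
             'Group Policy Creator Owners' \
             'Read-only Domain Controllers' \
             'Domain Admins'; do
        ldif_delete_attr "$(group_dn "$g")" gidNumber
    done
    # Bind9 DLZ accounts: one dns-<DCNAME> user per DC, neither attribute needed.
    for dc in $DC_NAMES; do
        ldif_delete_attr "$(user_dn "dns-$dc")" uidNumber
        ldif_delete_attr "$(user_dn "dns-$dc")" gidNumber
    done
}

# Show every object that currently has a uidNumber or gidNumber.
list_xid_attrs() {
    ldbsearch -H "$SAM_LDB" '(|(uidNumber=*)(gidNumber=*))' uidNumber gidNumber
}

apply_cleanup() {
    f=$(mktemp) || exit 1
    gen_cleanup_ldif > "$f"
    ldbmodify -H "$SAM_LDB" "$f"
    rm -f "$f"
}

# The workaround from the thread: a Unix-visible group nested inside
# Domain Admins, used in place of Domain Admins on the Unix side.
create_unix_admins() {
    samba-tool group add 'unix admins'
    ldif_add_attr "$(group_dn 'unix admins')" gidNumber "$UNIX_ADMINS_GID" \
        | ldbmodify -H "$SAM_LDB"
    samba-tool group addmembers 'Domain Admins' 'unix admins'
}

# idmap.ldb copy for the GPO case: snapshot with tdbbackup, copy it to
# the other DC, then flush the winbind cache there.
sync_idmap_to() {   # $1 = hostname of the other DC
    d=$(dirname "$SAM_LDB")
    tdbbackup -s .bak "$d/idmap.ldb"
    scp "$d/idmap.ldb.bak" "root@$1:$d/idmap.ldb"
    ssh "root@$1" 'net cache flush'
}

case "${1:-}" in
    --list)  list_xid_attrs ;;
    --apply) apply_cleanup; create_unix_admins ;;
    *)       gen_cleanup_ldif ;;   # default: dry run, print the LDIF only
esac
```

Run it without arguments first and read the LDIF; drop the records for objects that `--list` shows have no uidNumber/gidNumber, otherwise ldbmodify stops at the first "No such attribute". After changing the attributes, `net cache flush` on each DC so winbind picks up the AD values instead of cached xidNumber mappings; the idmap.ldb entries themselves can stay, since a uidNumber/gidNumber in AD takes precedence over them.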