[Samba] Sync UID/GUI between two DCs

Simeon Peter simeon at simeonpeter.ch
Wed Sep 18 02:41:17 UTC 2019

Thank you for your answers Rowland.

I could go ahead.

On 17.09.19 at 18:52, Rowland penny wrote:
> On 17/09/2019 09:30, Simeon Peter wrote:
>> On 17.09.19 at 17:08, Rowland penny via samba wrote:
>>> Do not give the standard Windows users and groups a uid/gidNumber, 
>>> most are never used on Unix, the main exception would be Domain Users.
>> OK, now I did it already. Is it ok to leave it like this?
> I would remove any uidNumber & gidNumber attributes from the following 
> users (if set):
> administrator
> guest
> krbtgt
Administrator has had a uidNumber for a long time and owns some files. Are 
there disadvantages if I leave its uidNumber?
> If you are using Bind9, then you will also have users in this format: 
> dns-dcname, if so do the same for these users.
> you should also remove gidNumber attributes from these groups:
> cert publishers
> ras and ias servers
> allowed rodc password replication group
> denied rodc password replication group
> dnsadmins
> enterprise read-only domain controllers
> domain guests
> domain computers
> domain controllers
> schema admins
> enterprise admins
> group policy creator owners
> read-only domain controllers
> dnsupdateproxy
What about the groups Administrators and Users in the Builtin folder?
> This just leaves Domain Admins, if you give this group a gidNumber it 
> just becomes a group (yes, I know it is just a group) but Windows has 
> this funny thing where groups can own files and Unix doesn't. If 
> Domain Admins is a Unix group, it cannot own things in Sysvol and it 
> needs to. My way around this is to create a group (I use one called 
> 'unix admins'), give this group a gidNumber and make it a member of 
> Domain Admins or Administrators, then use this group instead of Domain 
> Admins, finally ensure that Domain Admins doesn't have a gidNumber.

If the group Domain Admins doesn't have a gidNumber, does it get an xidNumber 
instead? And can it then own folders and files?

I noticed that the group Enterprise Admins is also a member of 
Administrators. So could I use this group for my administrators and give 
it a gidNumber?

>>> It sounds like your problems are being caused by using the DCs as 
>>> fileservers, something that is only really viable if you only have 
>>> one DC. If you have multiple DCs, then set up a Unix domain member 
>>> and use this as the fileserver.
>> I prefer to have as few servers as possible to set up and maintain. 
>> If I can handle it with the User & Group IDs, are there other issues 
>> when using a DC as a file server?
> Yes, lots, do not even bother trying this if you have more than one 
> DC, only use a DC as a fileserver when you really have no other option.
>>> You only need to sync idmap.ldb if you are using GPOs.
>> I use GPOs. How often should I sync the idmap.ldb?
> Every time you add a GPO and sync it to any other DCs.

Is it recommended to stop the source/destination DC during the export/import?

At the moment I have a cronjob rsyncing the sysvol directory. In that case 
it would be better to sync it manually in the future.

>>> If you add uidNumber and gidNumber attributes to AD these should be 
>>> used instead of the xidNumber attributes in idmap.ldb.
>> That is what I did and solved my problem. Do you recommend deleting 
>> old entries in idmap.ldb?
> No, if a user has a uidNumber or a group has a gidNumber, these will 
> be used instead of the xidNumbers from idmap.ldb
> Rowland
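
The cleanup Rowland describes above (strip uidNumber/gidNumber from the well-known users and groups, but leave Domain Users alone), as an added example that is not part of this thread and not Samba project code: a small Python script that reads the LDIF `ldbsearch` prints for every object carrying a uidNumber or gidNumber, decides which attributes to drop, and emits a modify LDIF you can review and then apply with `ldbmodify`. The `keep` parameter lets you exempt further accounts, for instance Administrator if you decide to keep its uidNumber. The sample search output, the `example.com` domain, the DC name `dc1` and the ID values are constructed for the example.

```python
"""Generate an LDIF that removes uidNumber/gidNumber from the well-known AD
users and groups named in the thread.  Added example; not Samba's own code.

Typical use on a DC (paths are the usual defaults, adjust as needed):
  ldbsearch -H /var/lib/samba/private/sam.ldb \
      '(|(uidNumber=*)(gidNumber=*))' dn sAMAccountName uidNumber gidNumber \
      | python3 strip_rfc2307.py > strip.ldif
  ldbmodify -H /var/lib/samba/private/sam.ldb strip.ldif
"""
import base64

# Users that should not carry uidNumber/gidNumber (per the thread).
# Bind9 DLZ accounts named 'dns-<dcname>' are matched by prefix in plan_changes().
WELL_KNOWN_USERS = {"administrator", "guest", "krbtgt"}

# Groups that should not carry a gidNumber.  'Domain Admins' is included
# because a gidNumber stops it from owning files in Sysvol; 'Domain Users'
# is deliberately absent (it is the one group that normally needs a gidNumber).
WELL_KNOWN_GROUPS = {
    "cert publishers", "ras and ias servers",
    "allowed rodc password replication group",
    "denied rodc password replication group", "dnsadmins",
    "enterprise read-only domain controllers", "domain guests",
    "domain computers", "domain controllers", "schema admins",
    "enterprise admins", "group policy creator owners",
    "read-only domain controllers", "dnsupdateproxy", "domain admins",
}

# Constructed sample of what ldbsearch prints (not real directory data).
SAMPLE = """\
# record 1
dn: CN=Guest,CN=Users,DC=example,DC=com
sAMAccountName: Guest
uidNumber: 10001
gidNumber: 10002

# record 2
dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 10000

# record 3
dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 10512

# record 4
dn: CN=unix admins,CN=Users,DC=example,DC=com
sAMAccountName: unix admins
gidNumber: 10100

# record 5
dn: CN=dns-dc1,CN=Users,DC=example,DC=com
sAMAccountName: dns-dc1
uidNumber: 10003

# returned 5 records
"""


def parse_ldif(text):
    """Minimal LDIF reader for ldbsearch output: returns a list of entries,
    each a dict of lowercased attribute name -> list of values.  Handles
    folded continuation lines, '#' comments and '::' base64 values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded:
        if not line.strip():                        # blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def plan_changes(entries, keep=("domain users",),
                 strip_users=WELL_KNOWN_USERS, strip_groups=WELL_KNOWN_GROUPS):
    """Return an ordered list of (dn, attribute) pairs to delete.  Names in
    `keep` are never touched, whatever list they appear on."""
    changes = []
    for e in entries:
        dn = e.get("dn", [None])[0]
        name = e.get("samaccountname", [""])[0].lower()
        if not dn or name in keep:
            continue
        if name in strip_users or name.startswith("dns-"):
            for attr in ("uidNumber", "gidNumber"):   # users lose both
                if attr.lower() in e:
                    changes.append((dn, attr))
        elif name in strip_groups and "gidnumber" in e:
            changes.append((dn, "gidNumber"))          # groups lose gidNumber
    return changes


def to_ldif(changes):
    """Render the planned deletions as an LDIF changetype: modify stream."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\ndelete: {attr}\n-\n"
                     for dn, attr in changes)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    sys.stdout.write(to_ldif(plan_changes(parse_ldif(text))))
```

Because uidNumber/gidNumber live in AD, applying the LDIF on one DC is enough; directory replication carries the change to the others, unlike idmap.ldb, which is local to each DC and is why the thread talks about syncing it. For the 'unix admins' workaround Rowland mentions, a reasonably recent samba-tool can create the group with a gidNumber directly (`samba-tool group add 'unix admins' --gid-number=10100`, the value being an example) and add it to Domain Admins with `samba-tool group addmembers 'Domain Admins' 'unix admins'`; the script above leaves that group untouched since it is on neither list.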
