[Samba] Sync UID/GUI between two DCs
simeon at simeonpeter.ch
Wed Sep 18 02:41:17 UTC 2019
Thank you for your answers Rowland.
I could go ahead.
On 17.09.19 at 18:52, Rowland penny wrote:
> On 17/09/2019 09:30, Simeon Peter wrote:
>> On 17.09.19 at 17:08, Rowland penny via samba wrote:
>>> Do not give the standard Windows users and groups a uid/gidNumber,
>>> most are never used on Unix, the main exception would be Domain Users.
>> OK, now I did it already. Is it ok to leave it like this?
> I would remove any uidNumber & gidNumber attributes from the following
> users (if set):
Administrator has had a uidNumber for a long time and owns some files. Are
there disadvantages if I leave his uidNumber?
> If you are using Bind9, then you will also have users in this format:
> dns-dcname, if so do the same for these users.
> you should also remove gidNumber attributes from these groups:
> cert publishers
> ras and ias servers
> allowed rodc password replication group
> denied rodc password replication group
> enterprise read-only domain controllers
> domain guests
> domain computers
> domain controllers
> schema admins
> enterprise admins
> group policy creator owners
> read-only domain controllers
What about the groups Administrators and Users in the Builtin folder?
> This just leaves Domain Admins, if you give this group a gidNumber it
> just becomes a group (yes, I know it is just a group) but Windows has
> this funny thing where groups can own files and Unix doesn't. If
> Domain Admins is a Unix group, it cannot own things in Sysvol and it
> needs to. My way around this is to create a group (I use one called
> 'unix admins'), give this group a gidNumber and make it a member of
> Domain Admins or Administrators, then use this group instead of Domain
> Admins, finally ensure that Domain Admins doesn't have a gidNumber.
If the group Domain Admins doesn't have a gidNumber, does it get an xidNumber
instead? And can it then own folders and files?
I noticed that the group Enterprise Admins is also a member of
Administrators. So could I use this group for my administrators and give
it a gidNumber?
>>> It sounds like your problems are being caused by using the DCs as
>>> fileservers, something that is only really viable if you only have
>>> one DC. If you have multiple DCs, then set up a Unix domain member
>>> and use this as the fileserver.
>> I prefer to have as few servers as possible to set up and maintain.
>> If I can handle it with the User & Group IDs, are there other issues
>> when using a DC as a file server?
> Yes, lots, do not even bother trying this if you have more than one
> DC, only use a DC as a fileserver when you really have no other option.
>>> You only need to sync idmap.ldb if you are using GPOs.
>> I use GPOs. How often should I sync the idmap.ldb?
> Every time you add a GPO and sync it to any other DCs.
Is it recommended to stop the source/destination DC during the export/import?
At the moment I have a cronjob rsyncing the sysvol directory. In that case
it would be better to sync it manually in the future.
>>> If you add uidNumber and gidNumber attributes to AD these should be
>>> used instead of the xidNumber attributes in idmap.ldb.
>> That is what I did and solved my problem. Do you recommend deleting
>> old entries in the idmap.ldb?
> No, if a user has a uidNumber or a group has a gidNumber, these will
> be used instead of the xidNumbers from idmap.ldb
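The two pieces of advice in this exchange (strip gidNumber/uidNumber from the built-in groups and the dns-<dcname> accounts, and copy idmap.ldb to the other DC after a GPO change) can be turned into a checked shell procedure. The script below is an added example, not code from the thread or from the Samba project. BASE_DN, SAM_DB, IDMAP_DB, DNS_DC_NAMES and the peer hostname are placeholders to adapt; the group names are the ones listed in the reply plus Domain Admins, which the reply says must also end up without a gidNumber. The tdbbackup/net cache flush steps follow the Samba wiki's sysvol replication workaround. Before each delete it checks with ldbsearch that the attribute is actually set, because an LDIF "delete" of an absent attribute fails.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project). Placeholders:
BASE_DN="${BASE_DN:-DC=example,DC=com}"             # assumption: your domain DN
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"  # default Samba AD database
IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"

# Groups named in the reply, plus Domain Admins (must not carry a gidNumber).
# All of them live under CN=Users by default.
GROUPS_TO_CLEAN="Cert Publishers
RAS and IAS Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Enterprise Read-only Domain Controllers
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-only Domain Controllers
Domain Admins"

# One LDIF change record that deletes a single attribute from a DN.
ldif_delete_attr() {
    printf 'dn: %s\nchangetype: modify\ndelete: %s\n-\n\n' "$1" "$2"
}

# LDIF for every listed group (gidNumber) and for the Bind9 dns-<dcname>
# accounts (uidNumber) named in DNS_DC_NAMES (space-separated, assumption).
build_cleanup_ldif() {
    printf '%s\n' "$GROUPS_TO_CLEAN" | while IFS= read -r grp; do
        if [ -n "$grp" ]; then
            ldif_delete_attr "CN=$grp,CN=Users,$BASE_DN" gidNumber
        fi
    done
    for dc in ${DNS_DC_NAMES:-}; do
        ldif_delete_attr "CN=dns-$dc,CN=Users,$BASE_DN" uidNumber
    done
}

# Returns 0 if the object at DN currently has the attribute (needs ldbsearch
# from Samba's ldb tools; run as root so sam.ldb is readable).
has_attr() {
    ldbsearch -H "$SAM_DB" -b "$1" -s base "($2=*)" dn | grep -q '^dn:'
}

# Apply the cleanup one record at a time, skipping objects where the
# attribute is not set ("delete" of a missing attribute would error out).
apply_cleanup() {
    tmp=$(mktemp)
    build_cleanup_ldif | while IFS= read -r line; do
        case "$line" in
            dn:*)     dn=${line#dn: } ;;
            delete:*) attr=${line#delete: }
                      if has_attr "$dn" "$attr"; then
                          ldif_delete_attr "$dn" "$attr" > "$tmp"
                          ldbmodify -H "$SAM_DB" "$tmp"
                          echo "removed $attr from $dn"
                      else
                          echo "skip: $dn has no $attr"
                      fi ;;
        esac
    done
    rm -f "$tmp"
}

# After adding a GPO: take a consistent copy of idmap.ldb with tdbbackup,
# push it to a peer DC and flush that DC's cache. $1 is the peer hostname.
sync_idmap_to() {
    peer=$1
    tdbbackup -s .bak "$IDMAP_DB"
    rsync -a "$IDMAP_DB.bak" "root@$peer:$IDMAP_DB"
    ssh "root@$peer" 'net cache flush'
}

# Typical use on the DC (both steps need root and the Samba tools installed):
#   apply_cleanup
#   sync_idmap_to dc2.example.com   # placeholder peer name
```

Run `build_cleanup_ldif` first to review the records it would apply; `apply_cleanup` only touches objects that actually carry the attribute, so re-running it after the cleanup is harmless. Administrator and the Builtin groups are deliberately not in the list, since the thread leaves those open.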