[Samba] Sync UID/GUI between two DCs

Rowland penny rpenny at samba.org
Wed Sep 18 07:17:58 UTC 2019


On 18/09/2019 03:41, Simeon Peter via samba wrote:
> Thank you for your answers Rowland.
>
> I could go ahead.
>
>> I would remove any uidNumber & gidNumber attributes from the 
>> following users (if set):
>>
>> administrator
>> guest
>> krbtgt
> Administrator has had a uidNumber for a long time and owns some files. Are 
> there disadvantages if I leave his uidNumber?
A very big one: 'Administrator' is now a standard user as far as Unix is 
concerned and can do no more than any other normal user. Administrator 
should be mapped to the Unix user root (by default it is on a DC).
>>
>> If you are using Bind9, then you will also have users in this format: 
>> dns-dcname, if so do the same for these users.
>>
>> you should also remove gidNumber attributes from these groups:
>>
>> cert publishers
>> ras and ias servers
>> allowed rodc password replication group
>> denied rodc password replication group
>> dnsadmins
>> enterprise read-only domain controllers
>> domain guests
>> domain computers
>> domain controllers
>> schema admins
>> enterprise admins
>> group policy creator owners
>> read-only domain controllers
>> dnsupdateproxy
> What about the groups Administrators and Users in the Builtin folder?
Sorry, missed off 'Administrators', not sure which users you are 
referring to here.
>>
>> This just leaves Domain Admins, if you give this group a gidNumber it 
>> just becomes a group (yes, I know it is just a group) but Windows has 
>> this funny thing where groups can own files and Unix doesn't. If 
>> Domain Admins is a Unix group, it cannot own things in Sysvol and it 
>> needs to. My way around this is to create a group (I use one called 
>> 'unix admins'), give this group a gidNumber and make it a member of 
>> Domain Admins or Administrators, then use this group instead of 
>> Domain Admins, finally ensure that Domain Admins doesn't have a 
>> gidNumber.
>
> If the group Domain Admins doesn't have a gidNumber, does it get an xidNumber 
> instead? And can it then own folders and files?
Yes and it must be able to own GPO files and folders in sysvol.
>
> I noticed that the group Enterprise Admins is also a member of 
> Administrators. So I could use this group for my Administrators and 
> give a gidNumber to it?

No, add that to my list of groups that should never be given a gidNumber.

It basically boils down to this: no groups or users created by a bare Samba 
provision should be given a uidNumber or gidNumber, except for Domain Users.

>
> Is it recommended to stop the source / destination DC during the export / 
> import?
>
> At the moment I have a cronjob rsyncing the sysvol directory. In that 
> case it would be better to sync it manually in the future.
See here: 
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

Rowland
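
A defender-side check for the rule stated in this reply (no provision-created user or group except Domain Users should carry a uidNumber or gidNumber), written as an added example that is not part of the thread or of Samba: it parses ldbsearch LDIF output and flags the names listed above, plus the Bind9 'dns-<dcname>' users by prefix. The sam.ldb path and the ldbsearch invocation in the header comment are assumptions about a typical DC; the sample records are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the thread or Samba): reads ldbsearch LDIF from
# stdin and reports provision-created users/groups still carrying a
# uidNumber/gidNumber. Assumed usage on a DC, as root:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' \
#     sAMAccountName uidNumber gidNumber | { . ./audit.sh; audit_ldif; }
# Names the thread says must never have a uidNumber/gidNumber. Domain Users
# is the exception and is absent; Bind9 'dns-<dc>' users match by prefix.
BUILTIN_NAMES='administrator|guest|krbtgt|administrators|domain admins
cert publishers|ras and ias servers|dnsadmins|dnsupdateproxy
allowed rodc password replication group|denied rodc password replication group
enterprise read-only domain controllers|read-only domain controllers
domain guests|domain computers|domain controllers
schema admins|enterprise admins|group policy creator owners'

# audit_ldif: print "<sAMAccountName> <attribute> <value>" per offending
# record; exit 1 if anything was found, 0 if the directory is clean.
audit_ldif() {
  awk -v names="$BUILTIN_NAMES" '
    BEGIN { n = split(names, arr, /[|\n]/); for (i = 1; i <= n; i++) bad[arr[i]] = 1 }
    function flush(    lname) {            # report the record collected so far
      lname = tolower(name)
      if (name != "" && ((lname in bad) || lname ~ /^dns-/)) {
        if (uid != "") { print name, "uidNumber", uid; found = 1 }
        if (gid != "") { print name, "gidNumber", gid; found = 1 }
      }
      name = uid = gid = ""
    }
    /^dn:/              { flush() }                # start of a new record
    /^sAMAccountName: / { name = substr($0, 17) }  # keeps names with spaces
    /^uidNumber: /      { uid = $2 }
    /^gidNumber: /      { gid = $2 }
    END { flush(); exit (found ? 1 : 0) }
  '
}

# Constructed sample (not real directory data): Domain Users and the
# "unix admins" group may keep a gidNumber; Administrator and Domain Admins may not.
sample_ldif() {
  printf '%s\n' \
    'dn: CN=Administrator,CN=Users,DC=example,DC=com' \
    'sAMAccountName: Administrator' 'uidNumber: 10000' '' \
    'dn: CN=Domain Users,CN=Users,DC=example,DC=com' \
    'sAMAccountName: Domain Users' 'gidNumber: 10001' '' \
    'dn: CN=unix admins,CN=Users,DC=example,DC=com' \
    'sAMAccountName: unix admins' 'gidNumber: 10002' '' \
    'dn: CN=Domain Admins,CN=Users,DC=example,DC=com' \
    'sAMAccountName: Domain Admins' 'gidNumber: 10003'
}
# Run "sh audit.sh --demo" to audit the constructed sample instead of stdin.
if [ "${1:-}" = "--demo" ]; then sample_ldif | audit_ldif; fi
```

Attributes that ldbsearch base64-encodes (written as `attr::`) are not decoded, so a name containing non-ASCII characters would be skipped by this check.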
