[Samba] Sync UID/GUI between two DCs

Simeon Peter simeon at simeonpeter.ch
Wed Sep 18 23:19:21 UTC 2019 

Am 18.09.19 um 16:17 schrieb Rowland penny:
> On 18/09/2019 03:41, Simeon Peter via samba wrote:
>> I would remove any uidNumber & gidNumber attributes from the 
>> following users (if set):
>>> administrator
>>> guest
>>> krbtgt
>> Administrator has a uidNumber since long time and owns some files. 
>> Are there disadvantages if I leave his uidNumber?
> A very big one, 'Administrator' is now a standard user as far as Unix 
> is concerned and can do no more than any other normal user. 
> Administrator should be mapped to the Unix user root (by default it is 
> on a DC).

At the moment there is a user "root" in the AD with the UID 0. 
Administrator has an other UID then 0 and I can not give the UID 0 to 
two users.

So should I delete the user "root" in the Active Directory and give the 
UID 0 to the Administrator user?

Which default group should it belong to?

>>>
>>> If you are using Bind9, then you will also have users in this 
>>> format: dns-dcname, if so do the same for these users.
>>>
>>> you should also remove gidNumber attributes from these groups:
>>>
>>> cert publishers
>>> ras and ias servers
>>> allowed rodc password replication group
>>> denied rodc password replication group
>>> dnsadmins
>>> enterprise read-only domain controllers
>>> domain guests
>>> domain computers
>>> domain controllers
>>> schema admins
>>> enterprise admins
>>> group policy creator owners
>>> read-only domain controllers
>>> dnsupdateproxy
>> What's about the groups Administrators and Users in the Builtin folder?
> Sorry, missed off 'Administrators', not sure which users you are 
> referring to here.

There is the Group "BUILTIN\Administrators", which has a custom 
GIDnumber at the moment. Should it have an Unix GID also? Is there a 
Unix Group "root" with GID 0?


>> Is it recommended to stop source / destination DC while the export/ 
>> import?
>>
>> At the moment I have cronjob rsyncing the sysvol directory. In that 
>> case it would be better to sync it manually in the future.
> see here: 
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
That worked well, thank you :-)


Simeon

More information about the samba mailing list