[Samba] Sync UID/GUI between two DCs

Rowland penny rpenny at samba.org
Thu Sep 19 07:13:16 UTC 2019

On 19/09/2019 00:19, Simeon Peter via samba wrote:
> At the moment there is a user "root" in the AD with the UID 0. 
> Administrator has another UID than 0 and I cannot give the UID 0 to 
> two users.

First thing, if there is a user called 'root' in AD, then delete it, the 
user root should only be in /etc/passwd.

Next, if you open idmap.ldb, you will find an object like this:

dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

This is the object for Administrator and maps the user to the ID '0', which 
is also the ID of the Unix user 'root'. This is how the Windows user 
'Administrator' becomes the Unix user 'root'. If 'Administrator' has a 
uidNumber attribute, remove it.

> So should I delete the user "root" in the Active Directory and give 
> the UID 0 to the Administrator user?
Yes, delete 'root' from AD, remove any rfc2307 attributes from 
'Administrator' and run 'net cache flush'; this will reset 
'Administrator' back to the ID '0'.
> Which default group should it belong to?
Domain Users
> There is the Group "BUILTIN\Administrators", which has a custom 
> GIDnumber at the moment. Should it have a Unix GID also? Is there a 
> Unix Group "root" with GID 0?

Not sure I understand the above, what is the difference between a 
'custom GIDnumber' and a 'Unix GID' ?

If the 'custom GIDnumber' is a number in the '3000000' range, then this 
is actually an xidNumber from idmap.ldb

'Administrators' and 'BUILTIN\Administrators' are the same group and it 
shouldn't have a gidNumber attribute; also, there is a Unix group 'root' 
in /etc/group and, like the Unix user 'root', it shouldn't be in AD.
