[Samba] Sync UID/GUI between two DCs

[Rowland penny]

On 19/09/2019 00:19, Simeon Peter via samba wrote:
>
> At the moment there is a user "root" in the AD with the UID 0. 
> Administrator has an other UID then 0 and I can not give the UID 0 to 
> two users.

First thing, if there is a user called 'root' in AD, then delete it, the 
user root should only be in /etc/passwd.

Next, if you open idmap.ldb, you will find an object like this:

dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

This the object for Administrator and maps the user to the ID '0', which 
is also the ID of the Unix user 'root'. This is how the Windows user 
'Administrator' becomes the Unix user 'root'. If 'Administrator' has a 
uidNumber attribute, remove it.

>
> So should I delete the user "root" in the Active Directory and give 
> the UID 0 to the Administrator user?
Yes, delete 'root' from AD, remove any rfc2307 attributes from 
'Administrator' and run 'net cache flush', this will reset 
'Administrator' back to the ID '0'.
>
> Which default group should it belong to?
Domain Users
>
>
>>>>
> There is the Group "BUILTIN\Administrators", which has a custom 
> GIDnumber at the moment. Should it have an Unix GID also? Is there a 
> Unix Group "root" with GID 0?

Not sure I understand the above, what is the difference between a 
'custom GIDnumber' and a 'Unix GID' ?

If the 'custom GIDnumber' is a number in the '3000000' range, then this 
is actually an xidNumber from idmap.ldb

'Administrators' and 'BUILTIN\Administrators' is the same group and it 
shouldn't have a gidNumber attribute, also there is a Unix group 'root' 
in /etc/group and like the Unix user 'root', it shouldn't be in AD.

Rowland