[Samba] Sync UID/GUI between two DCs
simeon at simeonpeter.ch
Thu Sep 19 08:10:42 UTC 2019
Great, thank you very much for your clear and detailed explanations Rowland!
I will change like this...
On 19.09.19 at 16:13, Rowland penny via samba wrote:
> On 19/09/2019 00:19, Simeon Peter via samba wrote:
>> At the moment there is a user "root" in the AD with the UID 0.
>> Administrator has another UID than 0 and I cannot give the UID 0 to
>> two users.
> First thing, if there is a user called 'root' in AD, then delete it,
> the user root should only be in /etc/passwd.
> Next, if you open idmap.ldb, you will find an object like this:
> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> objectClass: sidMap
> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> This is the object for Administrator and maps the user to the ID '0',
> which is also the ID of the Unix user 'root'. This is how the Windows
> user 'Administrator' becomes the Unix user 'root'. If 'Administrator'
> has a uidNumber attribute, remove it.
>> So should I delete the user "root" in the Active Directory and give
>> the UID 0 to the Administrator user?
> Yes, delete 'root' from AD, remove any rfc2307 attributes from
> 'Administrator' and run 'net cache flush', this will reset
> 'Administrator' back to the ID '0'.
>> Which default group should it belong to?
> Domain Users
>> There is the Group "BUILTIN\Administrators", which has a custom
>> GIDnumber at the moment. Should it have a Unix GID also? Is there a
>> Unix Group "root" with GID 0?
> Not sure I understand the above, what is the difference between a
> 'custom GIDnumber' and a 'Unix GID' ?
> If the 'custom GIDnumber' is a number in the '3000000' range, then
> this is actually an xidNumber from idmap.ldb
> 'Administrators' and 'BUILTIN\Administrators' are the same group and it
> shouldn't have a gidNumber attribute, also there is a Unix group
> 'root' in /etc/group and like the Unix user 'root', it shouldn't be in
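An added example, not part of the thread or of Samba itself: a small audit over a text dump of idmap.ldb (for instance from `ldbsearch -H <path to idmap.ldb>`) that confirms the RID 500 object maps to xidNumber 0 as described above. It goes one step beyond the thread by also listing any other SID mapped to 0. It assumes unwrapped `attr: value` lines; the sample records and function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the object quoted in the thread; the SID
# digits and the last two records are invented for illustration.
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
type: ID_TYPE_UID
xidNumber: 0
"""

ADMIN_SID = re.compile(r"^S-1-5-21-\d+-\d+-\d+-500$")  # domain Administrator (RID 500)

def parse_ldif(text):
    """Split unwrapped LDIF into one attribute -> value dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if ": " in l and not l.startswith("#")]
        rec = {k: v.strip() for k, v in (l.split(": ", 1) for l in lines)}
        if "objectSid" in rec:  # keep only SID mapping objects
            records.append(rec)
    return records

def audit_root_mappings(records):
    """Return (administrator_maps_to_uid_0, other_sids_mapped_to_0)."""
    admin_ok, others = False, []
    for rec in records:
        sid, xid = rec["objectSid"], rec.get("xidNumber")
        if ADMIN_SID.match(sid):
            # Expected state from the thread: type ID_TYPE_UID, xidNumber 0
            admin_ok = xid == "0" and rec.get("type") == "ID_TYPE_UID"
        elif xid == "0":
            others.append(sid)  # a second identity that would also become root
    return admin_ok, others

if __name__ == "__main__":
    print(audit_root_mappings(parse_ldif(SAMPLE_LDIF)))
```

An empty second element together with `True` in the first is the state the reply describes; anything else is worth checking before running 'net cache flush'.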