[Samba] Sync UID/GUI between two DCs

Simeon Peter simeon at simeonpeter.ch
Thu Sep 19 08:10:42 UTC 2019 

Great, thank you very much for your clear and detailed explanations Rowland!

I will change like this...

Simeon

Am 19.09.19 um 16:13 schrieb Rowland penny via samba:
> On 19/09/2019 00:19, Simeon Peter via samba wrote:
>>
>> At the moment there is a user "root" in the AD with the UID 0. 
>> Administrator has an other UID then 0 and I can not give the UID 0 to 
>> two users.
>
> First thing, if there is a user called 'root' in AD, then delete it, 
> the user root should only be in /etc/passwd.
>
> Next, if you open idmap.ldb, you will find an object like this:
>
> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> objectClass: sidMap
> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>
> This the object for Administrator and maps the user to the ID '0', 
> which is also the ID of the Unix user 'root'. This is how the Windows 
> user 'Administrator' becomes the Unix user 'root'. If 'Administrator' 
> has a uidNumber attribute, remove it.
>
>>
>> So should I delete the user "root" in the Active Directory and give 
>> the UID 0 to the Administrator user?
> Yes, delete 'root' from AD, remove any rfc2307 attributes from 
> 'Administrator' and run 'net cache flush', this will reset 
> 'Administrator' back to the ID '0'.
>>
>> Which default group should it belong to?
> Domain Users
>>
>>
>>>>>
>> There is the Group "BUILTIN\Administrators", which has a custom 
>> GIDnumber at the moment. Should it have an Unix GID also? Is there a 
>> Unix Group "root" with GID 0?
>
> Not sure I understand the above, what is the difference between a 
> 'custom GIDnumber' and a 'Unix GID' ?
>
> If the 'custom GIDnumber' is a number in the '3000000' range, then 
> this is actually an xidNumber from idmap.ldb
>
> 'Administrators' and 'BUILTIN\Administrators' is the same group and it 
> shouldn't have a gidNumber attribute, also there is a Unix group 
> 'root' in /etc/group and like the Unix user 'root', it shouldn't be in 
> AD.
>
> Rowland

More information about the samba mailing list