[Samba] winbind generates a UID for a group
Kees van Vloten
keesvanvloten at gmail.com
Wed Mar 9 09:10:00 UTC 2022
On 09-03-2022 10:02, Rowland Penny via samba wrote:
> On Wed, 2022-03-09 at 09:58 +0100, Kees van Vloten via samba wrote:
>> On 09-03-2022 09:16, Rowland Penny via samba wrote:
>>> On Wed, 2022-03-09 at 03:01 -0300, Anderson Sampaio Mello via samba
>>>> Hello samba team.
>>>> I have an AD DC server and winbind generates a UID for a group,
>>>> Domain Admins has its GID mapped to a SID and also a UID equal to
>>>> mapped to the same SID.
>>>> I understand the mapping from GID to SID, but why does it
>>>> generate a
>>>> for a group?
>>> Because, while a group can own things on Windows, a Unix group
>>> so the group is mapped to a user on a DC, it is known as
>>>> Example output of the wbinfo command:
>>>> wbinfo --group-info domain\\domain\ admins
>>>> Domain\domain admins:x:3000004:
>>> The numbers in the '3000000' range are 'xidNumbers' and are only
>>> on Samba AD DCs and unless you sync idmap.ldb between Samba DCs,
>>> will get different IDs on different DC's
>> It worries me that they are different per DC since files on sysvol
>> these IDs.
>> Is idmap.ldb part of the standard DC-sync or should I put something
>> rsync or osync in place similar to sysvol sync?
> Have you read the Samba wiki:
Perhaps this (from FAQ)?
Do Samba AD DCs Support Replication?
Everything stored inside the AD, is replicated between DCs. For
example: users, groups, and DNS records.
In the current state, Samba does not support the distributed file
system replication (DFS-R) protocol used for Sysvol replication. To work
around, see Sysvol Replication (DFS-R).
I understand from this that idmap.ldb gets synced / replicated between
DCs, meaning I will NOT get different IDs on different DC's. Correct?
More information about the samba