[Samba] winbind generates a UID for a group

Kees van Vloten keesvanvloten at gmail.com
Wed Mar 9 09:10:00 UTC 2022


On 09-03-2022 10:02, Rowland Penny via samba wrote:
> On Wed, 2022-03-09 at 09:58 +0100, Kees van Vloten via samba wrote:
>> On 09-03-2022 09:16, Rowland Penny via samba wrote:
>>> On Wed, 2022-03-09 at 03:01 -0300, Anderson Sampaio Mello via samba wrote:
>>>> Hello samba team.
>>>>
>>>> I have an AD DC server and winbind generates a UID for a group, for
>>>> example Domain Admins has its GID mapped to a SID and also a UID equal
>>>> to the GID mapped to the same SID.
>>>>
>>>> I understand the mapping from GID to SID, but why does it generate a
>>>> UID for a group?
>>> Because, while a group can own things on Windows, a Unix group cannot,
>>> so the group is mapped to a user on a DC, it is known as 'ID_TYPE_BOTH'
>>>
>>>> Example output of the wbinfo command:
>>>>
>>>> wbinfo --group-info domain\\domain\ admins
>>>>
>>>> Domain\domain admins:x:3000004:
>>> The numbers in the '3000000' range are 'xidNumbers' and are only found
>>> on Samba AD DCs and unless you sync idmap.ldb between Samba DCs, you
>>> will get different IDs on different DCs
>> It worries me that they are different per DC since files on sysvol use
>> these IDs.
>> Is idmap.ldb part of the standard DC-sync or should I put something like
>> rsync or osync in place similar to sysvol sync?
> Have you read the Samba wiki:
> https://wiki.samba.org/index.php/Main_Page

Perhaps this (from FAQ)?

Do Samba AD DCs Support Replication?

     Everything stored inside the AD, is replicated between DCs. For example: users, groups, and DNS records.

     In the current state, Samba does not support the distributed file system replication (DFS-R) protocol used for Sysvol replication. To work around, see Sysvol Replication (DFS-R).


I understand from this that idmap.ldb gets synced / replicated between DCs, meaning I will NOT get different IDs on different DCs. Correct?

>
> Rowland
>
>
>
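
Added example, not part of the original thread: a check for the per-DC ID differences Rowland describes, comparing `wbinfo --group-info` style lines captured on two DCs. The domain name EXAMPLE, the sample lines, and the function names are constructed for illustration; the 3000000 lower bound is the xidNumber range mentioned in the thread.

```python
# Added example: detect xidNumber drift between two Samba AD DCs by comparing
# captured `wbinfo --group-info` output (format: NAME:x:GID:members).

XID_BASE = 3000000  # start of the xidNumber range quoted in the thread

# Constructed sample captures, one `wbinfo --group-info` line per group.
DC1_SAMPLE = r"""
EXAMPLE\domain admins:x:3000004:
EXAMPLE\domain users:x:10000:
EXAMPLE\group policy creator owners:x:3000006:
"""
DC2_SAMPLE = r"""
EXAMPLE\domain admins:x:3000008:
EXAMPLE\domain users:x:10000:
EXAMPLE\Group Policy Creator Owners:x:3000006:
"""

def parse_group_info(text):
    """Return {lowercased group name: gid} for each well-formed line."""
    groups = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        # Expect at least NAME, 'x', GID; skip blanks and malformed lines.
        if len(parts) < 3 or not parts[2].isdigit():
            continue
        # AD names are case-insensitive, so normalise before comparing.
        groups[parts[0].lower()] = int(parts[2])
    return groups

def xid_mismatches(dc1_text, dc2_text):
    """List (name, id_on_dc1, id_on_dc2) for groups whose IDs differ and
    where at least one side falls in the locally allocated xid range."""
    a, b = parse_group_info(dc1_text), parse_group_info(dc2_text)
    drift = []
    for name in sorted(a.keys() & b.keys()):
        if a[name] != b[name] and max(a[name], b[name]) >= XID_BASE:
            drift.append((name, a[name], b[name]))
    return drift

if __name__ == "__main__":
    for name, id1, id2 in xid_mismatches(DC1_SAMPLE, DC2_SAMPLE):
        print(f"MISMATCH {name}: DC1={id1} DC2={id2}")
```

Any group reported here would resolve to a different Unix ID on each DC, which matters for files on sysvol that are owned by those IDs.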


