[Samba] UIDs/GIDs for built-in accounts in an AD-DC domain

Rowland Penny rpenny at samba.org
Wed Nov 16 11:31:13 UTC 2022

On 16/11/2022 11:05, Michael Tokarev via samba wrote:
> Hi!
> I've another interesting tidbit here.  Two domain controllers with
> replication between them, all is good.  smb.conf is the default
> created by samba-tool domain join.  The problem is that the UIDs/GIDs
> assigned to built-in accounts (Administrators, Users, etc.) are different
> on the two.
> For example, BUILTIN\Administrators is 3000000 on the "second" DC,
> while it is 3000001 on first.  And 3000001 is Users on second.
> As a result, when I rsync sysvol including all the file attributes,
> it becomes wrong in the destination, and samba-tool ntacl sysvolcheck
> reports a lot of errors.  sysvolreset fixes these, but obviously the
> next rsync run makes them wrong again.
> The IDs should be somehow synchronized between the two machines (or
> actually several).  What's the way to do this?
> And where are these IDs stored to begin with?
> Thanks,
> /mjt

Known problem: the IDs on a DC (which are stored in idmap.ldb) are 
issued on a first-come basis, so you are very sure to get different IDs 
on every Samba AD DC.

This only really affects Sysvol, which you have to sync between DCs, so 
it is also recommended to sync idmap.ldb to all other DCs.
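As an added illustration of the mismatch described in this thread (not code from the Samba project or from either poster): the script below compares the SID-to-xidNumber mappings exported from two DCs' idmap.ldb files and reports the SIDs whose IDs differ, as well as xidNumbers that name one SID on one DC and a different SID on the other. The sample LDIF blocks are constructed to mirror the Administrators/Users swap reported above; on a real DC the export would come from `ldbsearch` against idmap.ldb (the `objectSid` and `xidNumber` attribute names are the ones idmap.ldb uses; the file path is an assumption, it varies by distribution). Running such a check before an rsync of sysvol shows exactly which owners and groups would be remapped wrongly on the destination.

```python
"""Compare SID -> xidNumber mappings of two Samba AD DCs' idmap.ldb exports.

On each DC the input would be produced with something like (path assumed):
    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
        objectSid xidNumber
The samples below are constructed, not real captures.
"""

from typing import Dict, List, Tuple

# Constructed export from the "first" DC: BUILTIN\Administrators (S-1-5-32-544)
# got 3000001 and BUILTIN\Users (S-1-5-32-545) got 3000000.
DC1_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000001

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000000

# record 3
dn: CN=S-1-5-21-1-2-3-1104
objectSid: S-1-5-21-1-2-3-1104
xidNumber: 3000010

# returned 3 records
"""

# Constructed export from the "second" DC: the two built-in groups were
# allocated in the opposite order, and one extra SID has been mapped there.
DC2_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000001

# record 3
dn: CN=S-1-5-21-1-2-3-1104
objectSid: S-1-5-21-1-2-3-1104
xidNumber: 3000010

# record 4
dn: CN=S-1-5-32-548
objectSid: S-1-5-32-548
xidNumber: 3000012

# returned 4 records
"""


def parse_idmap_ldif(text: str) -> Dict[str, int]:
    """Return {objectSid: xidNumber} for every record that carries both.

    Records are separated by blank lines; ldbsearch comment lines ('# ...')
    are skipped. objectSid is printed by ldbsearch in S-1-... string form,
    so no base64 ('::') decoding is needed here.
    """
    mapping: Dict[str, int] = {}
    for record in text.split("\n\n"):
        attrs: Dict[str, str] = {}
        for line in record.splitlines():
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping


def find_mismatches(a: Dict[str, int], b: Dict[str, int]) -> Dict[str, object]:
    """SIDs with a different xidNumber on each side, plus SIDs only one side knows."""
    differ: Dict[str, Tuple[int, int]] = {}
    only_a: List[str] = []
    only_b: List[str] = []
    for sid in sorted(set(a) | set(b)):
        if sid in a and sid in b:
            if a[sid] != b[sid]:
                differ[sid] = (a[sid], b[sid])
        elif sid in a:
            only_a.append(sid)
        else:
            only_b.append(sid)
    return {"differ": differ, "only_a": only_a, "only_b": only_b}


def xid_collisions(a: Dict[str, int], b: Dict[str, int]) -> Dict[int, Tuple[str, str]]:
    """xidNumbers that mean one SID on DC A and another on DC B.

    These are the numbers that make a copied sysvol wrong: a file whose group
    is 3000001 is Administrators on one DC and Users on the other.
    """
    by_xid_a = {xid: sid for sid, xid in a.items()}
    by_xid_b = {xid: sid for sid, xid in b.items()}
    return {
        xid: (by_xid_a[xid], by_xid_b[xid])
        for xid in by_xid_a.keys() & by_xid_b.keys()
        if by_xid_a[xid] != by_xid_b[xid]
    }


if __name__ == "__main__":
    dc1, dc2 = parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)
    report = find_mismatches(dc1, dc2)
    for sid, (x1, x2) in report["differ"].items():
        print(f"{sid}: {x1} on DC1, {x2} on DC2")
    for xid, (s1, s2) in sorted(xid_collisions(dc1, dc2).items()):
        print(f"xid {xid} is {s1} on DC1 but {s2} on DC2")
    print("only on DC2:", report["only_b"])
```

An empty `differ` and an empty collision map is what you want to see before rsyncing sysvol; if they are not empty, copying idmap.ldb from the source DC first (as recommended above) and then resetting the sysvol ACLs on the destination brings the two into agreement.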
