[Samba] UIDs/GIDs for built-in accounts in an AD-DC domain

Kees van Vloten keesvanvloten at gmail.com
Wed Nov 16 11:34:35 UTC 2022


On 16-11-2022 at 12:31, Rowland Penny via samba wrote:
>
>
> On 16/11/2022 11:05, Michael Tokarev via samba wrote:
>> Hi!
>>
>> I've another interesting tidbit here.  Two domain controllers with
>> replication between them, all is good.  smb.conf is the default
>> created by samba-tool domain join.  The problem is that the UIDs/GIDs
>> assigned to built-in accounts (Administrators,Users,etc) are different
>> on the two.
>>
>> For example, BUILTIN\Administrators is 3000000 on the "second" DC,
>> while it is 3000001 on first.  And 3000001 is Users on second.
>>
>> As the result, when I rsync sysvol including all the file attributes,
>> it becomes wrong in the destination, and samba-tool ntacl sysvolcheck
>> reports a lot of errors.  sysvolreset fixes these, but obviously the
>> next rsync run makes them wrong again.
>>
>> The IDs should be somehow synchronized between the two machines (or
>> actually several).  What's the way to do this?
>>
>> And where these IDs are stored to begin with?
>>
>> Thanks,
>>
>> /mjt
>>
>
> Known problem, the IDs on a DC (which are stored in idmap.ldb) are 
> issued on a first come basis, so you are very sure to get different 
> IDs on every Samba AD DC.
>
> This only really affects Sysvol, which you have to sync between DCs, 
> so it is also recommended to sync idmap.ldb to all other DCs.
>
> Rowland
>
See also:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
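A check a practitioner would want before (or after) syncing idmap.ldb and sysvol between DCs is to confirm that every SID maps to the same xidNumber on both machines, and in particular that no xidNumber names one group on DC1 and a different group on DC2, since that is exactly what turns a file-attribute-preserving rsync of sysvol into the wrong ACLs. The following is an added example, not code from the Samba project or from anyone in this thread. It assumes each DC's idmap.ldb was dumped with something like `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` (path and attribute selection are assumptions; idmap.ldb records carry the SID string in `cn` and the Unix ID in `xidNumber`). The two dumps embedded below are constructed to reproduce the mismatch Michael describes (BUILTIN\Administrators, S-1-5-32-544, is 3000001 on the first DC and 3000000 on the second, where 3000001 is BUILTIN\Users, S-1-5-32-545), plus one SID that only the second DC has issued so far.

```python
"""Compare idmap.ldb dumps from two Samba AD DCs and report mismatches.

Added example, not Samba project code. Assumes the dumps were produced on
each DC with (path is an assumption for this example):

    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'

and parses the LDIF-style output that ldbsearch prints.
"""

# Constructed sample dump for the first DC (the one whose sysvol is rsynced out).
DUMP_DC1 = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 2
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000002

# returned 2 records
"""

# Constructed sample dump for the second DC: same SIDs, issued in a different
# order, plus S-1-5-32-548 (Account Operators) that only this DC has mapped.
DUMP_DC2 = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN=S-1-5-32-548
cn: S-1-5-32-548
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000002

# returned 3 records
"""


def parse_idmap_ldif(text):
    """Return {sid: xidNumber} from an ldbsearch dump of idmap.ldb.

    Records are separated by blank lines; lines starting with '#' are
    ldbsearch comments. Only cn (the SID string) and xidNumber are used.
    """
    mappings = {}
    record = {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if "cn" in record and "xidNumber" in record:
                mappings[record["cn"]] = int(record["xidNumber"])
            record = {}
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    return mappings


def compare_idmaps(reference, other):
    """Return {sid: (ref_xid, other_xid)} for every SID whose mapping differs.

    A SID present on only one DC is reported with None on the missing side:
    sysvol files owned by that ID would arrive on a DC that never issued it.
    """
    diffs = {}
    for sid in sorted(set(reference) | set(other)):
        a, b = reference.get(sid), other.get(sid)
        if a != b:
            diffs[sid] = (a, b)
    return diffs


def xid_collisions(reference, other):
    """Return {xid: (ref_sid, other_sid)} for IDs that mean different SIDs.

    These are the dangerous cases for an rsync of sysvol: a file owned by
    xid 3000001 is Administrators on one DC and Users on the other.
    """
    by_xid_ref = {xid: sid for sid, xid in reference.items()}
    by_xid_other = {xid: sid for sid, xid in other.items()}
    return {
        xid: (by_xid_ref[xid], by_xid_other[xid])
        for xid in sorted(by_xid_ref.keys() & by_xid_other.keys())
        if by_xid_ref[xid] != by_xid_other[xid]
    }


if __name__ == "__main__":
    ref, other = parse_idmap_ldif(DUMP_DC1), parse_idmap_ldif(DUMP_DC2)
    for sid, (a, b) in compare_idmaps(ref, other).items():
        print(f"{sid}: dc1={a} dc2={b}")
    for xid, (s1, s2) in xid_collisions(ref, other).items():
        print(f"xid {xid} is {s1} on dc1 but {s2} on dc2")
```

An empty result from both functions is the condition under which rsyncing sysvol with its Unix ownership and ACLs preserved is safe; anything reported by `xid_collisions` means the copied files will be attributed to the wrong group on the destination until idmap.ldb itself has been synced from the reference DC and the ACLs reset with `samba-tool ntacl sysvolreset`.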
