[Samba] UIDs/GIDs for built-in accounts in an AD-DC domain

Michael Tokarev mjt at tls.msk.ru
Sat Nov 19 11:16:43 UTC 2022

16.11.2022 14:31, Rowland Penny via samba wrote:
> On 16/11/2022 11:05, Michael Tokarev via samba wrote:

>> For example, BUILTIN\Administrators is 3000000 on the "second" DC,
>> while it is 3000001 on first.  And 3000001 is Users on second.

> Known problem, the ID's on a DC (which are stored in idmap.ldb) are issued on a first come basis, so you are very sure to get different ID's on every 
> Samba AD DC.
> This only really affects Sysvol, which you have to sync between DC's, so it is also recommended to sync idmap.ldb to all other DC's.

Why this affects sysvol only?
Am I right the builtin user/groups should not be used for
other files somehow?  Who ensures this?

And, can I set the mapping manually, for example, by
using another range, or by specifying the id for a given
entity directly?



More information about the samba mailing list