[Samba] UIDs/GIDs for built-in accounts in an AD-DC domain

[Rowland Penny]

On 19/11/2022 11:16, Michael Tokarev via samba wrote:
> 16.11.2022 14:31, Rowland Penny via samba wrote:
>> On 16/11/2022 11:05, Michael Tokarev via samba wrote:
> 
>>> For example, BUILTIN\Administrators is 3000000 on the "second" DC,
>>> while it is 3000001 on first.  And 3000001 is Users on second.
> 
>> Known problem, the ID's on a DC (which are stored in idmap.ldb) are 
>> issued on a first come basis, so you are very sure to get different 
>> ID's on every Samba AD DC.
>>
>> This only really affects Sysvol, which you have to sync between DC's, 
>> so it is also recommended to sync idmap.ldb to all other DC's.
> 
> Why this affects sysvol only?

Because Sysvol must have the same owners (and that includes groups that 
can own things in AD, something that no Unix group can do).

This is one reason why it is not recommended to use a Samba DC as a 
fileserver.

> Am I right the builtin user/groups should not be used for
> other files somehow?

You should only use BUILTIN users & groups on Windows, though there are 
a few exceptions, Domain Users being one of them.

> Who ensures this?

You as the sysadmin do.

> 
> And, can I set the mapping manually, for example, by
> using another range, or by specifying the id for a given
> entity directly?

You can, if you use rfc2307 attributes, but I do not recommend doing it.

Rowland