[Samba] Get id mapping for builtin users and groups on AD DC

Peter Milesson miles at atmos.eu
Sat Aug 19 17:33:18 UTC 2023



On 19.08.2023 19:13, Rowland Penny via samba wrote:
> On Sat, 19 Aug 2023 18:22:32 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> I have got two DCs and I want to check that the builtin ids are equal
>> on both DCs. I have searched extensively, but I have not found what
>> tool to use to get this information.
> I take it by 'builtin ids' you mean the users and groups stored in
> idmap.ldb, if not can you explain further.
>
>> I do not use winbindd on the DCs.
> I hope you mean that you are not setting 'winbind'
> in /etc/nsswitch.conf and getent doesn't show your AD users.
>
>> I would be very grateful, if somebody could give me information about
>> this.
>>
>> Best regards,
>>
>> Peter
>>
>>
> If you are referring to idmap.ldb, then this is an ID allocating
> system and works on a 'first come basis'. This means that when a user
> or group contacts idmap.ldb it gets the next available ID on that DC,
> as users or groups are unlikely to contact in exactly the same
> order on other DCs, they will get different IDs. This means that you
> need to sync idmap.ldb between DCs, usually from the DC that holds the
> PDC_Emulator FSMO role to all other DCs.
>
> Rowland
>   
>
Hi Rowland,

Precisely, I want to check that the contents of idmap.ldb are equal 
on the two DCs, so for example I want that a specific query for 
Administrator to both DCs doesn't return different ids. The idmap.ldb 
files on the DCs have got different sizes, which triggered my curiosity.

I saw a post a while back about that, but I didn't succeed in locating it.

I don't use winbindd on the DCs, hence there is no winbind entry in 
nsswitch.conf.

The reason I bring this up is the fact that I was in a hurry setting up 
a new DC and decommissioning an old one, and I'm now not sure that I also 
synchronized the idmap.ldb file. Otherwise DNS, rsync and other stuff 
works without any problems.

Best regards,

Peter
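
Added example, not part of the original thread: one way to check whether two DCs map the same SIDs to the same IDs is to dump idmap.ldb on each DC to LDIF (for instance with ldbsearch -H pointed at the file) and compare the SID to xidNumber mappings. The record layout (cn, type, xidNumber, a CN=CONFIG allocator entry), the helper names and the sample dumps are assumptions constructed for illustration.

```python
# Added example: compare SID -> xidNumber mappings from two idmap.ldb LDIF dumps.
# Assumption: records carry cn (the SID), type and xidNumber, as in ldbsearch output.

def parse_idmap_ldif(text):
    """Return {sid: (xid, id_type)} for every SID record in an LDIF dump."""
    mappings = {}
    # Unfold LDIF continuation lines (newline followed by one space).
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            key, value = line.split(": ", 1)
            attrs.setdefault(key.lower(), value.strip())
        sid = attrs.get("cn", "")
        # Skip non-SID records such as the allocator's CONFIG entry.
        if sid.startswith("S-1-") and "xidnumber" in attrs:
            mappings[sid] = (int(attrs["xidnumber"]), attrs.get("type", ""))
    return mappings

def diff_idmaps(dc1, dc2):
    """Report SIDs mapped differently on the two DCs or present on only one."""
    common = dc1.keys() & dc2.keys()
    return {
        "mismatched": {s: (dc1[s], dc2[s]) for s in sorted(common) if dc1[s] != dc2[s]},
        "only_dc1": sorted(dc1.keys() - dc2.keys()),
        "only_dc2": sorted(dc2.keys() - dc1.keys()),
    }

def _rec(sid, xid, id_type="ID_TYPE_BOTH"):
    # Hypothetical helper that builds one constructed sidMap record.
    return f"dn: CN={sid}\ncn: {sid}\nobjectClass: sidMap\ntype: {id_type}\nxidNumber: {xid}\n"

# Constructed sample dumps (not real data); the domain SID is made up.
ADMIN = "S-1-5-21-1111111111-2222222222-3333333333-500"
CONFIG = "dn: CN=CONFIG\ncn: CONFIG\nlowerBound: 3000000\nupperBound: 4000000\nxidNumber: 3000003\n"
DC1_LDIF = "\n".join([CONFIG, _rec(ADMIN, 0, "ID_TYPE_UID"),
                      _rec("S-1-5-32-544", 3000000), _rec("S-1-5-18", 3000002)])
DC2_LDIF = "\n".join([CONFIG, _rec(ADMIN, 0, "ID_TYPE_UID"), _rec("S-1-5-32-544", 3000000),
                      _rec("S-1-5-18", 3000001), _rec("S-1-5-32-545", 3000002)])

if __name__ == "__main__":
    result = diff_idmaps(parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF))
    for name, value in result.items():
        print(name, value)
```

An empty "mismatched" result with SIDs listed under "only_dc1" or "only_dc2" means one DC has allocated IDs the other has not seen yet, which also explains files of different sizes.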



