[Samba] Get id mapping for builtin users and groups on AD DC

Rowland Penny rpenny at samba.org
Sat Aug 19 17:50:42 UTC 2023


On Sat, 19 Aug 2023 19:33:18 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> 
> 
> On 19.08.2023 19:13, Rowland Penny via samba wrote:
> > On Sat, 19 Aug 2023 18:22:32 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> I have got two DCs and I want to check that the builtin ids are
> >> equal on both DCs. I have searched extensively, but I have not
> >> found what tool to use to get this information.
> > I take it by 'builtin ids' you mean the users and groups stored in
> > idmap.ldb, if not can you explain further.
> >
> >> I do not use winbindd on the DCs.
> > I hope you mean that you are not setting 'winbind'
> > in /etc/nsswitch.conf and getent doesn't show your AD users.
> >
> >> I would be very grateful, if somebody could give me information
> >> about this.
> >>
> >> Best regards,
> >>
> >> Peter
> >>
> >>
> > If you are referring to idmap.ldb, then this is an ID allocating
> > system and works on a 'first come' basis. This means that when a
> > user or group contacts idmap.ldb it gets the next available ID on
> > that DC. As users or groups are unlikely to contact in exactly the
> > same order on other DCs, they will get different IDs. This means
> > that you need to sync idmap.ldb between DCs, usually from the DC
> > that holds the PDC_Emulator FSMO role to all other DCs.
> >
> > Rowland
> >
> >
> Hi Rowland,
> 
> Precisely, I want to check that the contents of idmap.ldb are
> equal on the two DCs, so for example I want that a specific query for
> Administrator to both DCs doesn't return different ids. The idmap.ldb
> file on the DCs have got different sizes, which triggered my
> curiosity.

One thing I didn't mention is that there are three users/groups that
always get the same IDs, these are:

Administrator: which always gets the ID '0'
Domain Users: which always gets the ID '100'
Guest: which always gets the ID '65534'

I wouldn't worry about the difference in size, just sync idmap.ldb from
the machine that holds the PDC_Emulator role to the other DCs.

> 
> I saw a post a while back about that, but I didn't succeed in
> locating it.
> 
> I don't use winbindd on the DCs, hence there is no winbind entry in
> nsswitch.conf.

You must be using winbind on the DCs; the 'samba' daemon starts it
automatically and a DC will not work without it.

> 
> The reason I bring up this is the fact that I was in a hurry setting
> up a new DC and decommissioning an old one, and I'm now not sure that I
> also synchronized the idmap.ldb file. Otherwise DNS, rsync and other
> stuff works without any problems.

As I said, just sync idmap.ldb between the DCs.

Rowland
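An added example, not part of this thread and not Samba's own tooling: a small POSIX shell script that reduces an idmap.ldb dump from each DC to "SID xidNumber type" lines and reports every SID that maps differently or exists on only one DC, which is the check Peter asked for before deciding whether to sync. It assumes the LDIF shape that ldbsearch prints for sidMap entries (objectSid, xidNumber, type) and the Debian/Ubuntu path /var/lib/samba/private/idmap.ldb; the two embedded dumps are constructed, with a placeholder domain SID, and the allocated xidNumber values in the 3000000 range are invented.

```shell
#!/bin/sh
# Added example (not from the thread): compare SID -> xidNumber mappings in
# idmap.ldb on two DCs so that a lookup cannot resolve to different IDs
# depending on which DC answers. On a real DC, produce the dump with
# (path is the Debian/Ubuntu default; adjust for your build):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
#       objectSid xidNumber type > idmap-$(hostname).ldif
# If the check reports differences, the documented fix is to copy idmap.ldb
# from the DC holding the PDC_Emulator role ('samba-tool fsmo show'):
# 'tdbbackup -s .bak' on that DC, install the .bak as idmap.ldb on the
# others, then 'net cache flush' there. Below, constructed dumps stand in
# for the ldbsearch output so the script runs offline.

# Reduce an LDIF dump to sorted "SID xidNumber type" lines, one per entry.
# Comment lines ("# record 1", "# returned N records") are ignored.
idmap_flatten() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^type: /      { typ = $2 }
        /^$/           { if (sid != "") print sid, xid, typ; sid = xid = typ = "" }
        END            { if (sid != "") print sid, xid, typ }
    ' | sort
}

# Given two flattened files, print one line per SID that maps differently or
# exists on only one DC. No output means the two idmap.ldb files agree.
idmap_mismatches() {
    awk '
        NR == FNR { dc1[$1] = $2 " " $3; next }
        {
            if (!($1 in dc1))
                print $1, "only-on-dc2", $2, $3
            else if (dc1[$1] != ($2 " " $3))
                print $1, "dc1=" dc1[$1], "dc2=" $2, $3
            seen[$1] = 1
        }
        END { for (s in dc1) if (!(s in seen)) print s, "only-on-dc1", dc1[s] }
    ' "$1" "$2" | sort
}

# Constructed sample dumps (placeholder domain SID S-1-5-21-111-222-333).
# Administrator (RID 500 -> 0) and Domain Users (RID 513 -> 100) follow the
# fixed IDs named in the thread; RIDs 1105/1107/1109 are invented groups.
sample_dump() {
    case "$1" in
    dc1) cat <<'EOF'
dn: CN=S-1-5-21-111-222-333-500
objectSid: S-1-5-21-111-222-333-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=S-1-5-21-111-222-333-513
objectSid: S-1-5-21-111-222-333-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-21-111-222-333-1105
objectSid: S-1-5-21-111-222-333-1105
type: ID_TYPE_BOTH
xidNumber: 3000010

dn: CN=S-1-5-21-111-222-333-1107
objectSid: S-1-5-21-111-222-333-1107
type: ID_TYPE_BOTH
xidNumber: 3000011

# returned 4 records
EOF
        ;;
    dc2) cat <<'EOF'
dn: CN=S-1-5-21-111-222-333-500
objectSid: S-1-5-21-111-222-333-500
type: ID_TYPE_UID
xidNumber: 0

dn: CN=S-1-5-21-111-222-333-513
objectSid: S-1-5-21-111-222-333-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-21-111-222-333-1105
objectSid: S-1-5-21-111-222-333-1105
type: ID_TYPE_BOTH
xidNumber: 3000012

dn: CN=S-1-5-21-111-222-333-1109
objectSid: S-1-5-21-111-222-333-1109
type: ID_TYPE_BOTH
xidNumber: 3000011
EOF
        ;;
    esac
}

# Run the comparison on the constructed dumps; prints the mismatch lines.
check_sample() {
    tmp1=$(mktemp) && tmp2=$(mktemp) || return 1
    sample_dump dc1 | idmap_flatten > "$tmp1"
    sample_dump dc2 | idmap_flatten > "$tmp2"
    idmap_mismatches "$tmp1" "$tmp2"
    rm -f "$tmp1" "$tmp2"
}

check_sample
```

On real DCs, replace the two sample_dump calls in check_sample with the LDIF files collected from each DC. The sample shows the three outcomes worth acting on: the same SID allocated a different xidNumber on each DC (RID 1105, exactly the "first come" drift described above), and a SID that was allocated on only one DC (RIDs 1107 and 1109). The fixed mappings for Administrator and Domain Users agree and are therefore not listed.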
