[Samba] Get id mapping for builtin users and groups on AD DC

Peter Milesson miles at atmos.eu
Sat Aug 19 18:15:34 UTC 2023



On 19.08.2023 19:50, Rowland Penny via samba wrote:
> On Sat, 19 Aug 2023 19:33:18 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 19.08.2023 19:13, Rowland Penny via samba wrote:
>>> On Sat, 19 Aug 2023 18:22:32 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I have got two DCs and I want to check that the builtin ids are
>>>> equal on both DCs. I have searched extensively, but I have not
>>>> found what tool to use to get this information.
>>> I take it by 'builtin ids' you mean the users and groups stored in
>>> idmap.ldb, if not can you explain further.
>>>
>>>> I do not use winbindd on the DCs.
>>> I hope you mean that you are not setting 'winbind'
>>> in /etc/nsswitch.conf and getent doesn't show your AD users.
>>>
>>>> I would be very grateful, if somebody could give me information
>>>> about this.
>>>>
>>>> Best regards,
>>>>
>>>> Peter
>>>>
>>>>
>>> If you are referring to idmap.ldb, then this is an ID allocating
>>> system and works on a 'first come basis'. This means that when a
>>> user or group contacts idmap.ldb it gets the next available ID on
>>> that DC, as users or groups are unlikely to contact in exactly the
>>> same order on other DCs, they will get different IDs. This means
>>> that you need to sync idmap.ldb between DCs, usually from the DC
>>> that holds the PDC_Emulator FSMO role to all other DCs.
>>>
>>> Rowland
>>>    
>>>
>> Hi Rowland,
>>
>> Precisely, I want to check that the contents of idmap.ldb are
>> equal on the two DCs, so for example I want that a specific query for
>> Administrator to both DCs doesn't return different ids. The idmap.ldb
>> files on the DCs have got different sizes, which triggered my
>> curiosity.
> One thing I didn't mention is that there are three users/groups that always
> get the same IDs, these are:
>
> Administrator: which always gets the ID '0'
> Domain Users: which always gets the ID '100'
> Guest: which always gets the ID '65534'
>
> I wouldn't worry about the difference in size, just sync idmap.ldb from
> the machine that holds the PDC_Emulator role to the other DCs.
>
>> I saw a post a while back about that, but I didn't succeed to locate
>> it.
>>
>> I don't use winbindd on the DCs, hence there is no winbind entry in
>> nsswitch.conf.
> You must be using winbind on the DCs, the 'samba' daemon starts it
> automatically and a DC will not work without it.
>    
>> The reason I bring up this is the fact, that I was in a hurry setting
>> up a new DC and decommission an old one, and I'm now not sure that I
>> also synchronized the idmap.ldb file. Otherwise DNS, rsync and other
>> stuff works without any problems.
> As I said, just sync idmap.ldb between the DCs.
>
> Rowland
>
>
Hi Rowland,

Thanks for the information. I forgot that winbindd is started 
automatically. It's not every day I've got any reason to fiddle around 
with the DCs.

If I remember correctly, you mentioned that for example the 
administrator can get an id=300000 from one DC and id=300001 from the 
other DC, but I assume that is if you contact the DCs from a member server.

For syncing the idmap.ldb, is it sufficient to just make a copy, or does it 
need backup/restore?

Best regards,

Peter
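Added example, not code from this thread or from the Samba project: a POSIX shell script that answers the two practical questions in the exchange above, how to see whether two DCs' idmap.ldb files hand out the same ID for the same SID, and how to copy the file from the PDC Emulator to the other DC. It assumes the default path /var/lib/samba/private/idmap.ldb with the usual tdb backend, root ssh/scp access between the DCs, and it uses constructed sample records (a made-up domain SID and RIDs) shaped like ldbsearch output so the comparison can be run offline; the copy procedure follows the tdbbackup / scp / net cache flush sequence from the Samba wiki.

```shell
#!/bin/sh
# Added example, not code from the samba list thread or the Samba project.
# Assumed (not stated in the thread): idmap.ldb is at the default
# /var/lib/samba/private/idmap.ldb with the usual tdb backend, root can ssh/scp
# between the DCs, and the sample records below are constructed to look like
# 'ldbsearch' output.

IDMAP=${IDMAP:-/var/lib/samba/private/idmap.ldb}

# Reduce ldbsearch LDIF on stdin to one "SID TYPE XID" line per sidMap record,
# sorted by SID, so dumps from two DCs compare regardless of allocation order.
# (SID lines are short enough never to be LDIF-folded, so no unfolding is done.)
ldif_to_table() {
    awk '
        /^objectSid: / { sid = $2 }
        /^type: /      { type = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/           { if (sid != "") print sid, type, xid; sid = type = xid = "" }
        END            { if (sid != "") print sid, type, xid }
    ' | sort
}

# Dump the sidMap records of the local DC, or of the remote DC named in $1.
dump_idmap() {
    if [ -n "$1" ]; then
        ssh "root@$1" "ldbsearch -H '$IDMAP' '(objectClass=sidMap)' objectSid type xidNumber"
    else
        ldbsearch -H "$IDMAP" '(objectClass=sidMap)' objectSid type xidNumber
    fi | ldif_to_table
}

# Compare two tables from ldif_to_table. Exit 0 if identical; 1 if some SIDs
# exist on only one DC (harmless until that DC's file is overwritten and the
# SID gets a fresh number); 2 if a SID maps to different IDs or one ID was
# handed to different SIDs, i.e. a file owned by uid 3000000 on DC1 belongs
# to a different account on DC2.
compare_idmap() {
    [ -s "$1" ] && [ -s "$2" ] || { echo "empty dump: $1 or $2" >&2; return 3; }
    awk '
        NR == FNR { t1[$1] = $2; x1[$1] = $3; next }
                  { t2[$1] = $2; x2[$1] = $3 }
        END {
            rc = 0
            for (s in x1) {
                if (!(s in x2)) {
                    print "only on " ARGV[1] ": " s " -> " x1[s]; if (rc < 1) rc = 1
                } else if (x1[s] != x2[s] || t1[s] != t2[s]) {
                    print "MISMATCH " s ": " t1[s] "/" x1[s] " on " ARGV[1] " vs " t2[s] "/" x2[s] " on " ARGV[2]
                    rc = 2
                }
            }
            for (s in x2) if (!(s in x1)) { print "only on " ARGV[2] ": " s " -> " x2[s]; if (rc < 1) rc = 1 }
            for (s in x1) r1[x1[s]] = s
            for (s in x2) if ((x2[s] in r1) && r1[x2[s]] != s) {
                print "COLLISION xid " x2[s] ": " r1[x2[s]] " on " ARGV[1] " but " s " on " ARGV[2]
                rc = 2
            }
            exit rc
        }
    ' "$1" "$2"
}

# Run on the DC holding the PDC Emulator role; $1 is the DC to overwrite. This is
# the Samba wiki procedure: tdbbackup takes a verified copy of the live ldb
# (a plain cp can catch it mid-write), then winbind's cache is flushed on the target.
sync_idmap() {
    tdbbackup -s .bak "$IDMAP" &&
    scp "$IDMAP.bak" "root@$1:$IDMAP" &&
    ssh "root@$1" net cache flush
}

# Constructed stand-in for one ldbsearch record (the real dump also has cn and
# distinguishedName lines, which the parser ignores): SID, type, xidNumber.
rec() {
    printf 'dn: CN=%s\nobjectClass: sidMap\nobjectSid: %s\ntype: %s\nxidNumber: %s\n\n' "$1" "$1" "$2" "$3"
}
DOMSID=S-1-5-21-1234567890-123456789-1234567890   # constructed domain SID
# Both DCs agree on the provisioned mappings; RIDs 1104-1106 were handed out on a
# first-come basis on each DC, so the same number means a different account.
sample_dc1() {
    rec "$DOMSID-500" ID_TYPE_UID 0;         rec "$DOMSID-513" ID_TYPE_GID 100
    rec "$DOMSID-1104" ID_TYPE_BOTH 3000000; rec "$DOMSID-1105" ID_TYPE_BOTH 3000001
}
sample_dc2() {
    rec "$DOMSID-500" ID_TYPE_UID 0;         rec "$DOMSID-513" ID_TYPE_GID 100
    rec "$DOMSID-1104" ID_TYPE_BOTH 3000001; rec "$DOMSID-1106" ID_TYPE_BOTH 3000000
}

demo() {
    d=$(mktemp -d)
    sample_dc1 | ldif_to_table > "$d/dc1"; sample_dc2 | ldif_to_table > "$d/dc2"
    compare_idmap "$d/dc1" "$d/dc2"; echo "exit status $?"
    rm -r "$d"
}
# Real use: dump_idmap > dc1; dump_idmap dc2.example.com > dc2; compare_idmap dc1 dc2
if [ "${1:-}" = demo ]; then demo; fi
```

Running `sh idmapcheck.sh demo` reports the MISMATCH for RID 1104 and two COLLISION lines, because uid 3000000 belongs to RID 1104 on one DC and RID 1106 on the other. That is the case worth catching before copying the file: once the PDC Emulator's idmap.ldb is installed on the second DC, any mapping that existed only there is gone and that account gets a new number, so files on that DC already owned by the old number keep the old owner. The comparison exits 1 rather than 2 for purely one-sided entries so the two situations are easy to tell apart in a cron job.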



