[Samba] Get id mapping for builtin users and groups on AD DC

Peter Milesson miles at atmos.eu
Sat Aug 19 18:45:46 UTC 2023 


On 19.08.2023 20:15, Peter Milesson via samba wrote:
>
>
> On 19.08.2023 19:50, Rowland Penny via samba wrote:
>> On Sat, 19 Aug 2023 19:33:18 +0200
>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>
>>>
>>> On 19.08.2023 19:13, Rowland Penny via samba wrote:
>>>> On Sat, 19 Aug 2023 18:22:32 +0200
>>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi folks,
>>>>>
>>>>> I have got two DCs and I want to check that the builtin ids are
>>>>> equal on both DCs. I have searched extensively, but I have not
>>>>> found what tool to use to get this information.
>>>> I take it by 'builtin ids' you mean the users and groups stored in
>>>> idmap.ldb, if not can you explain further.
>>>>
>>>>> I do not use winbindd on the DCs.
>>>> I hope you mean that you are not setting 'winbind'
>>>> in /etc/nsswitch.conf and getent doesn't show your AD users.
>>>>
>>>>> I would be very grateful, if somebody could give me information
>>>>> about this.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Peter
>>>>>
>>>>>
>>>> If you are referring to idmap.ldb, then this is an ID allocating
>>>> system and works on a 'first come basis'. This means that when a
>>>> user or group contacts idmap.ldb it gets the next available ID on
>>>> that DC, as users or groups are unlikely to contact in exactly the
>>>> same order on other DCs, they will get different IDs. This means
>>>> that you need to sync idmap.ldb between DCs, usually from the DC
>>>> that holds the PDC_Emulator FSMO role to all other DCs.
>>>>
>>>> Rowland
>>>>
>>> Hi Rowland,
>>>
>>> Precisely, I want to check that the the contents of idmap.ldb are
>>> equal on the two DCs, so for example i want that a specific query for
>>> Administrator to both DCs doesn't return different ids. The idmap.ldb
>>> file on the DCs have got different sizes, which triggered my
>>> curiosity.
>> One thing I didn't mention is that there three users/groups that always
>> get the same IDs, these are:
>>
>> Administrator: which always gets the ID '0'
>> Domain Users: which always gets the ID '100'
>> Guest: which always gets the ID '65534'
>>
>> I wouldn't worry about the difference in size, just sync idmap.ldb from
>> the machine that holds the PDC_Emulator role to the other DCs.
>>
>>> I saw a post a while back about that, but I didn't succeed to locate
>>> it.
>>>
>>> I don't use winbindd on the DCs, hence there is no winbind entry in
>>> nsswitch.conf.
>> You must be using winbind on the DCs, the 'samba' daemon starts it
>> automatically and a DC will not work without it.
>>> The reason I bring up this is the fact, that I was in a hurry setting
>>> up a new DC and decommission an old one, and I'm now not sure that I
>>> also synchronized the idmap.ldb file. Otherwise DNS, rsync and other
>>> stuff works without any problems.
>> As I said, just sync idmap.ldb between the DCs.
>>
>> Rowland
>>
>>
> Hi Rowland,
>
> Thanks for the information. I forgot that winbindd is started 
> automatically. It's not every day I've got any reason to fiddle around 
> with the DCs.
>
> If I remember correctly, you mentioned that for example the 
> administrator can get an id=300000 from one DC and id=300001 from the 
> other DC, but I assume that is if you contact the DCs from a member 
> server.
>
> Syncing the idmap.ldb is it sufficient to just make a copy, or with 
> backup/restore?
>
> Best regards,
>
> Peter
>
>
I guess it's necessary to do a backup/restore, as the two DCs have 
different encryption keys to protect the information.

Sorry for the noise.

Peter

More information about the samba mailing list