[Samba] Get id mapping for builtin users and groups on AD DC

Rowland Penny rpenny at samba.org
Sat Aug 19 18:50:07 UTC 2023


On Sat, 19 Aug 2023 20:15:34 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

> 
> 
> On 19.08.2023 19:50, Rowland Penny via samba wrote:
> > On Sat, 19 Aug 2023 19:33:18 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >>
> >> On 19.08.2023 19:13, Rowland Penny via samba wrote:
> >>> On Sat, 19 Aug 2023 18:22:32 +0200
> >>> Peter Milesson via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi folks,
> >>>>
> >>>> I have got two DCs and I want to check that the builtin ids are
> >>>> equal on both DCs. I have searched extensively, but I have not
> >>>> found what tool to use to get this information.
> >>> I take it by 'builtin ids' you mean the users and groups stored in
> >>> idmap.ldb; if not, can you explain further?
> >>>
> >>>> I do not use winbindd on the DCs.
> >>> I hope you mean that you are not setting 'winbind'
> >>> in /etc/nsswitch.conf and getent doesn't show your AD users.
> >>>
> >>>> I would be very grateful, if somebody could give me information
> >>>> about this.
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Peter
> >>>>
> >>>>
> >>> If you are referring to idmap.ldb, then this is an ID allocating
> >>> system and works on a 'first come' basis. This means that when a
> >>> user or group contacts idmap.ldb it gets the next available ID on
> >>> that DC; as users or groups are unlikely to contact in exactly the
> >>> same order on other DCs, they will get different IDs. This means
> >>> that you need to sync idmap.ldb between DCs, usually from the DC
> >>> that holds the PDC_Emulator FSMO role to all other DCs.
> >>>
> >>> Rowland
> >>>    
> >>>
> >> Hi Rowland,
> >>
> >> Precisely, I want to check that the contents of idmap.ldb are
> >> equal on the two DCs, so for example I want that a specific query
> >> for Administrator to both DCs doesn't return different ids. The
> >> idmap.ldb files on the DCs have got different sizes, which
> >> triggered my curiosity.
> > One thing I didn't mention is that there are three users/groups that
> > always get the same IDs; these are:
> >
> > Administrator: which always gets the ID '0'
> > Domain Users: which always gets the ID '100'
> > Guest: which always gets the ID '65534'
> >
> > I wouldn't worry about the difference in size, just sync idmap.ldb
> > from the machine that holds the PDC_Emulator role to the other DCs.
> >
> >> I saw a post a while back about that, but I didn't succeed in
> >> locating it.
> >>
> >> I don't use winbindd on the DCs, hence there is no winbind entry in
> >> nsswitch.conf.
> > You must be using winbind on the DCs, the 'samba' daemon starts it
> > automatically and a DC will not work without it.
> >    
> >> The reason I bring this up is the fact that I was in a hurry
> >> setting up a new DC and decommissioning an old one, and I'm now not
> >> sure that I also synchronized the idmap.ldb file. Otherwise DNS,
> >> rsync and other stuff works without any problems.
> > As I said, just sync idmap.ldb between the DCs.
> >
> > Rowland
> >
> >
> Hi Rowland,
> 
> Thanks for the information. I forgot that winbindd is started 
> automatically. It's not every day I've got any reason to fiddle
> around with the DCs.
> 
> If I remember correctly, you mentioned that for example the 
> administrator can get an id=300000 from one DC and id=300001 from the 
> other DC, but I assume that is if you contact the DCs from a member
> server.

It is usually Domain Admins that gets the '3000000' ID. The ID that any
user or group gets on a Unix domain member will depend on what idmap
backend is used, but it is unlikely to be in the '3000000' range unless
you set it that way (not recommended).

> 
> For syncing idmap.ldb, is it sufficient to just make a copy, or is 
> backup/restore needed?

Please follow one of the instructions here:

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

Rowland
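Peter's original question, how to check that both DCs hand out the same ID for a given SID, was not answered with a tool in the thread. The script below is an added example, not code from the thread or from the Samba project: it compares two idmap.ldb dumps (as produced by ldbsearch against each DC's idmap.ldb) record by record, keyed on objectSid, and reports every SID whose xidNumber or type differs or that exists on only one DC. The two dumps it compares are constructed inline; the SIDs, the type values and the path to idmap.ldb are assumptions for illustration, and the only values taken from the thread are the fixed IDs 0, 100 and 65534 for Administrator, Domain Users and Guest and the '3000000' range for first-come allocations.

```sh
#!/bin/sh
# Added example, not code from the thread or from Samba: compare the
# SID -> xidNumber mappings in idmap.ldb dumps taken from two DCs.
# On a real DC a dump comes from running, as root, something like
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
#       objectSid xidNumber type > dc1.ldif
# (the private directory path is an assumed default; it varies by distro).
# The two dumps compared below are constructed, not taken from a real domain.

# Write records in the layout ldbsearch prints, one per "SID type xidNumber" argument.
mk_dump() {
    for rec in "$@"; do
        set -- $rec
        printf 'dn: CN=%s\nobjectSid: %s\ntype: %s\nxidNumber: %s\n\n' "$1" "$1" "$2" "$3"
    done
}

# Collapse a dump into sorted "SID xidNumber type" lines so two dumps can be joined on SID.
idmap_flatten() {
    awk '
        /^objectSid: / { sid = $2 }
        /^type: /      { typ = $2 }
        /^xidNumber: / { xid = $2 }
        /^$/ && sid != "" { print sid, xid, typ; sid = xid = typ = "" }
        END { if (sid != "") print sid, xid, typ }
    ' "$1" | LC_ALL=C sort
}

# Print one line per SID whose mapping differs between the two dumps or exists on
# only one DC; return 0 when the mappings are identical, 1 otherwise.
idmap_compare() {
    a=$(mktemp); b=$(mktemp); rc=0
    idmap_flatten "$1" > "$a"
    idmap_flatten "$2" > "$b"
    # -a keeps unpaired SIDs from either side, -e fills in their missing fields
    LC_ALL=C join -a 1 -a 2 -e MISSING -o 0,1.2,1.3,2.2,2.3 "$a" "$b" |
        awk '$2 != $4 || $3 != $5 { printf "%s dc1=%s/%s dc2=%s/%s\n", $1, $2, $3, $4, $5; bad = 1 }
             END { exit bad }' || rc=1
    rm -f "$a" "$b"
    return $rc
}

SAMPLES=$(mktemp -d)
DC1_DUMP="$SAMPLES/dc1.ldif"   # constructed dump from the PDC emulator
DC2_DUMP="$SAMPLES/dc2.ldif"   # constructed dump from the second DC

# The three fixed mappings (Administrator 0, Domain Users 100, Guest 65534) agree on
# both DCs; the first-come allocations in the 3000000 range were handed out in a
# different order on each DC, and dc2 has additionally mapped BUILTIN\Administrators.
mk_dump "S-1-5-21-1-2-3-500 ID_TYPE_UID 0" \
        "S-1-5-21-1-2-3-513 ID_TYPE_GID 100" \
        "S-1-5-21-1-2-3-501 ID_TYPE_UID 65534" \
        "S-1-5-21-1-2-3-512 ID_TYPE_BOTH 3000000" \
        "S-1-5-21-1-2-3-1103 ID_TYPE_BOTH 3000001" > "$DC1_DUMP"
mk_dump "S-1-5-21-1-2-3-500 ID_TYPE_UID 0" \
        "S-1-5-21-1-2-3-513 ID_TYPE_GID 100" \
        "S-1-5-21-1-2-3-501 ID_TYPE_UID 65534" \
        "S-1-5-21-1-2-3-512 ID_TYPE_BOTH 3000001" \
        "S-1-5-21-1-2-3-1103 ID_TYPE_BOTH 3000000" \
        "S-1-5-32-544 ID_TYPE_BOTH 3000002" > "$DC2_DUMP"

if idmap_compare "$DC1_DUMP" "$DC2_DUMP"; then
    echo "idmap.ldb mappings are identical"
else
    echo "idmap.ldb mappings differ: sync idmap.ldb from the PDC emulator to the other DC"
fi
```

On real DCs, take the dumps as root on each DC and feed the two files to idmap_compare; an empty report with exit status 0 means both DCs map every SID to the same ID. Any line in the report is a SID that would resolve to a different Unix ID depending on which DC answers, which is exactly the situation Rowland's advice to sync idmap.ldb from the PDC emulator is meant to prevent.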



