[Samba] Get id mapping for builtin users and groups on AD DC

Sat Aug 19 19:02:03 UTC 2023

On 19.08.2023 20:50, Rowland Penny via samba wrote:
> On Sat, 19 Aug 2023 20:15:34 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 19.08.2023 19:50, Rowland Penny via samba wrote:
>>> On Sat, 19 Aug 2023 19:33:18 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 19.08.2023 19:13, Rowland Penny via samba wrote:
>>>>> On Sat, 19 Aug 2023 18:22:32 +0200
>>>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hi folks,
>>>>>>
>>>>>> I have got two DCs and I want to check that the builtin ids are
>>>>>> equal on both DCs. I have searched extensively, but I have not
>>>>>> found what tool to use to get this information.
>>>>> I take it by 'builtin ids' you mean the users and groups stored in
>>>>> idmap.ldb, if not can you explain further.
>>>>>
>>>>>> I do not use winbindd on the DCs.
>>>>> I hope you mean that you are not setting 'winbind'
>>>>> in /etc/nsswitch.conf and getent doesn't show your AD users.
>>>>>
>>>>>> I would be very grateful, if somebody could give me information
>>>>>> about this.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Peter
>>>>>>
>>>>>>
>>>>> If you are referring to idmap.ldb, then this is an ID allocating
>>>>> system and works on a 'first come basis'. This means that when a
>>>>> user or group contacts idmap.ldb it gets the next available ID on
>>>>> that DC, as users or groups are unlikely to contact in exactly the
>>>>> same order on other DCs, they will get different IDs. This means
>>>>> that you need to sync idmap.ldb between DCs, usually from the DC
>>>>> that holds the PDC_Emulator FSMO role to all other DCs.
>>>>>
>>>>> Rowland
>>>>>     
>>>>>
>>>> Hi Rowland,
>>>>
>>>> Precisely, I want to check that the the contents of idmap.ldb are
>>>> equal on the two DCs, so for example i want that a specific query
>>>> for Administrator to both DCs doesn't return different ids. The
>>>> idmap.ldb file on the DCs have got different sizes, which
>>>> triggered my curiosity.
>>> One thing I didn't mention is that there three users/groups that
>>> always get the same IDs, these are:
>>>
>>> Administrator: which always gets the ID '0'
>>> Domain Users: which always gets the ID '100'
>>> Guest: which always gets the ID '65534'
>>>
>>> I wouldn't worry about the difference in size, just sync idmap.ldb
>>> from the machine that holds the PDC_Emulator role to the other DCs.
>>>
>>>> I saw a post a while back about that, but I didn't succeed to
>>>> locate it.
>>>>
>>>> I don't use winbindd on the DCs, hence there is no winbind entry in
>>>> nsswitch.conf.
>>> You must be using winbind on the DCs, the 'samba' daemon starts it
>>> automatically and a DC will not work without it.
>>>     
>>>> The reason I bring up this is the fact, that I was in a hurry
>>>> setting up a new DC and decommission an old one, and I'm now not
>>>> sure that I also synchronized the idmap.ldb file. Otherwise DNS,
>>>> rsync and other stuff works without any problems.
>>> As I said, just sync idmap.ldb between the DCs.
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland,
>>
>> Thanks for the information. I forgot that winbindd is started
>> automatically. It's not every day I've got any reason to fiddle
>> around with the DCs.
>>
>> If I remember correctly, you mentioned that for example the
>> administrator can get an id=300000 from one DC and id=300001 from the
>> other DC, but I assume that is if you contact the DCs from a member
>> server.
> It is usually Domain Admins that gets the '3000000' ID. The ID that any
> user or group gets on a Unix domain member will depend on what idmap
> backend is used, but it is unlikely to be in the '3000000' range unless
> you set it that way (not recommended).
>
>> Syncing the idmap.ldb is it sufficient to just make a copy, or with
>> backup/restore?
> Please follow one of the instructions here:
>
> https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>
> Rowland
>
>
Thanks for the help Rowland. I just followed the instructions on the 
wiki pages and restarted. No error messages so far.

Best regards,

Peter