[Samba] how to sync idmap.ldb between DCs?

Steven Monai stevemoca at gmail.com
Thu Sep 14 01:42:47 UTC 2023


On 2023-09-13 8:36 a.m., Rowland Penny via samba wrote:
> On Wed, 13 Sep 2023 07:27:44 -0700
> Steven Monai via samba <samba at lists.samba.org> wrote:
>> I also have some questions about this.
>>
>> Firstly: In my current process for Samba AD domain deployments, when
>> joining a machine to the domain, I copy the idmap.ldb from the DC
>> holding the FSMO PDC_Emulator_Role to each machine joining the domain
>> *exactly once*: at the time of the initial join. Should I *also*
>> create a periodic process that resyncs idmap.ldb from PDC_Emulator to
>> domain-member servers (and to DCs that do not hold FSMO roles) on a
>> regular basis?
> 
> From that, it sounds like you copy idmap.ldb to all Samba computers, if
> so, then please stop doing this. You only use idmap.ldb on Samba AD
> DCs, it is never used on Unix domain members.

Got it: Only copy the idmap.ldb to DCs, never to mere domain members.

[snip]

>> Or is
>> there some other event that should trigger a sync of idmap.ldb to
>> domain members?
> 
> Just in case you haven't got it yet, there is nothing that will or
> should trigger the sync of idmap.ldb to a Unix domain member.

Of course. That is implied by your answer to my first question.

>> And finally: What is meant by "it shouldn't be needed every time"?
>> Are there instances where a domain-join does not require syncing
>> idmap.ldb to the joining machine?
> 
> There are domain joins and then there are domain joins.

Yes, I get that. Joining a DC is different from joining a mere member.

[snip]

> The reason why idmap.ldb must be synced between DCs is simple. On DCs
> the users and groups (which are all stored in AD) are mapped to
> 'xidNumber' attributes in idmap.ldb, this is done so that groups
> (mostly) can be mapped to 'ID_TYPE_BOTH' and as such, are both groups
> and users, this allows groups to 'own' things in sysvol.
> 
> If there is anything else that you don't understand or I haven't
> explained fully, please ask.

Okay:

So, in my current process for Samba AD domain deployments, when joining 
a machine as a new DC to the domain, I copy the idmap.ldb from the DC 
holding the PDC_Emulator role to the new DC *exactly once*, at the time 
the join is created. Should I *also* create a periodic process that 
re-syncs idmap.ldb from the PDC_Emulator DC to the other DCs on a 
regular basis? Or should the one-time sync at join-creation time be good 
enough?

Thank you for your time.

-S.M.
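An added example (not from this thread or from the Samba project) of the re-sync the question is asking about: a script that runs only on the DC holding the PDC emulator role and pushes a consistent snapshot of idmap.ldb to the other DCs. The private directory, the DC hostnames and the sample `samba-tool fsmo show` output are assumptions.

```shell
#!/bin/sh
# Added example: push idmap.ldb from the PDC emulator to the other DCs.
# Assumed: PRIVATE_DIR matches this Samba build, OTHER_DCS lists the real DCs,
# and tdbbackup, scp, ssh and net are available on every DC.
set -eu

PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"                      # assumed path
OTHER_DCS="${OTHER_DCS:-dc2.samdom.example.com dc3.samdom.example.com}"   # assumed hostnames

# Constructed sample of `samba-tool fsmo show` output for a dry check of the parser.
SAMPLE_FSMO_OUTPUT='SchemaMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com'

# Read `samba-tool fsmo show` output on stdin and print the PDC emulator's short
# name in lower case. The role owner is an NTDS Settings DN; the DC is its second RDN.
pdc_from_fsmo_output() {
    sed -n 's/^PdcEmulationMasterRole owner: CN=NTDS Settings,CN=\([^,]*\),.*/\1/p' \
        | tr '[:upper:]' '[:lower:]'
}

# Only the role holder's idmap.ldb is treated as authoritative, so a DC that is
# not the PDC emulator must never run the push (it would overwrite the good copy).
assert_local_is_pdc() {
    pdc=$(samba-tool fsmo show | pdc_from_fsmo_output)
    me=$(hostname -s | tr '[:upper:]' '[:lower:]')
    [ "$me" = "$pdc" ] || { echo "refusing: PDC emulator is '$pdc', not '$me'" >&2; return 1; }
}

# tdbbackup produces a consistent snapshot while samba is running; copying the
# live .ldb directly risks shipping a half-written database to the other DC.
sync_idmap_to() {
    target="$1"
    tdbbackup -s .bak "$PRIVATE_DIR/idmap.ldb"
    scp "$PRIVATE_DIR/idmap.ldb.bak" "root@$target:$PRIVATE_DIR/idmap.ldb.bak"
    # Replace the file in one rename on the target, then drop its cached ID mappings.
    ssh "root@$target" "mv '$PRIVATE_DIR/idmap.ldb.bak' '$PRIVATE_DIR/idmap.ldb' && net cache flush"
}

# Functions only unless invoked with --run, so the script can be sourced for checks.
if [ "${1:-}" = "--run" ]; then
    assert_local_is_pdc
    for dc in $OTHER_DCS; do sync_idmap_to "$dc"; done
fi
```

Run it from cron on the PDC emulator only; if the role is transferred, the guard makes the old holder stop pushing.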
