[Samba] preparing for a new site with an extra domain controller

Rowland Penny rpenny at samba.org
Tue Dec 17 08:50:37 UTC 2024


On Tue, 17 Dec 2024 09:01:55 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 16.12.24 at 12:23, Rowland Penny via samba wrote:
> > On Mon, 16 Dec 2024 10:33:59 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
> >> 1) sync it at first
> >> 2) do not sync it every time with sysvol
> >> 3) sync it periodically
> > 
> > I am now not entirely convinced that '3' is required if you only use
> > the DC in the recommended way, that is only for authentication and
> > no shares other than sysvol & netlogon.
> 
> I run them this way.
> 
> > The 'idmap_ldb' backend, that a DC uses, allocates the IDs on a
> > first come basis and because the AD admin users & groups generally
> > do not get the same IDs on all DCs, then you need to ensure that
> > these users & groups have the same IDs on all DCs. The way to do
> > this is to sync idmap.ldb from the DC that holds the 'main' Sysvol
> > to all others. Now, as the users that you want to have the same IDs
> > on all DCs only get their ID once, it doesn't really matter that
> > your main users have different IDs, they aren't really used on the
> > DCs, Windows and Unix domain members ensure they are known on those
> > machines.
> 
> Does /var/lib/samba/private/idmap.ldb (path on debian) contain all
> the users?

Yes

this is me on a DC:

adminuser at rpidc1:~ $ getent passwd rowland
SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash

And in idmap.ldb:

dn: CN=S-1-5-21-627072207-2265849604-124128874-1104
cn: S-1-5-21-627072207-2265849604-124128874-1104
objectClass: sidMap
objectSid: S-1-5-21-627072207-2265849604-124128874-1104
type: ID_TYPE_BOTH
xidNumber: 3000020
distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-1104

Now it wouldn't matter if that 'xidNumber' is different on the other
DCs because I have no shares on the DC (and I don't think it would matter
if there were) because Samba knows who I am, notice my name isn't in
idmap.ldb


> 
> If I don't resync it I assume it is updated by the ad-replication
> within samba, right? Otherwise new users wouldn't be distributed.

Yes, but they are replicated in sam.ldb, so the local machine knows who
the SID is.

> 
> (just wondering)
> 
> OK, I will start that third DC as I did start the second: run steps
> 1) and 2)
> 
> thanks!
> 
> 

No Problem.

Rowland
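An added example, not code from Rowland's mail or from Samba itself: a small POSIX sh script that compares the xidNumber each DC's idmap.ldb assigns to every SID, which is the check behind "sync idmap.ldb from the DC that holds the main Sysvol". The two LDIF dumps are constructed in the shape of the record quoted above; the ldbsearch command in the comment is the real one and is not run here.

```sh
#!/bin/sh
# Compare the xidNumber that two DCs' idmap.ldb files assign to each SID.
# On a real DC each dump would come from (real command, not run here):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
LC_ALL=C; export LC_ALL

# Constructed: DC1's view, with the RID 1104 record quoted in the mail plus
# a second SID (RID 512, Domain Admins) allocated on a first-come basis.
DC1_LDIF='dn: CN=S-1-5-21-627072207-2265849604-124128874-1104
objectSid: S-1-5-21-627072207-2265849604-124128874-1104
xidNumber: 3000020

dn: CN=S-1-5-21-627072207-2265849604-124128874-512
objectSid: S-1-5-21-627072207-2265849604-124128874-512
xidNumber: 3000000
'
# Constructed: DC2 allocated RID 512 a different xidNumber, so that group
# maps to a different GID there until idmap.ldb is synced from DC1.
DC2_LDIF='dn: CN=S-1-5-21-627072207-2265849604-124128874-1104
objectSid: S-1-5-21-627072207-2265849604-124128874-1104
xidNumber: 3000020

dn: CN=S-1-5-21-627072207-2265849604-124128874-512
objectSid: S-1-5-21-627072207-2265849604-124128874-512
xidNumber: 3000001
'

# ldif_to_map: read LDIF on stdin, emit sorted "SID xidNumber" lines.
# Records are separated by blank lines; ldbsearch's '#' lines are ignored.
ldif_to_map() {
    awk '/^objectSid:/ { sid = $2 }
         /^xidNumber:/ { xid = $2 }
         /^$/ && sid != "" { print sid, xid; sid = ""; xid = "" }
         END { if (sid != "") print sid, xid }' | sort
}

# compare_idmaps LDIF_A LDIF_B: print "SID xid_a xid_b" for every SID whose
# xidNumber differs; a SID missing on one side shows '-'. No output = in sync.
compare_idmaps() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | ldif_to_map > "$a"
    printf '%s\n' "$2" | ldif_to_map > "$b"
    join -a 1 -a 2 -e - -o 0,1.2,2.2 "$a" "$b" | awk '$2 != $3'
    rm -f "$a" "$b"
}

compare_idmaps "$DC1_LDIF" "$DC2_LDIF"
```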



More information about the samba mailing list