My idea is similar. Today I didn't have the time to go on.
But this is my concept and it works with a short script (example for groups):
DC1 (schema master)
for loop on wbinfo -g will
check if rfc2307 info is null for these groups in AD (ldbsearch)
when rfc2307 gid is equal to wbinfo --group-info | cut -d: -f3 then exit
else update rfc2307 info by importing created ldif file (ldbmodify)
To make this faster, an extra file with the set rfc2307 gids will be needed and needs
to be updated.
For failover reasons idmap.ldb should be synced to secondary DCs or, if possible,
its max gid number should be updated on secondary DCs.
Regards
Tim
On 12 December 2014 10:19:07 CET, steve <steve at steve-ss.com> wrote:
>On 12/12/14 07:10, Tim wrote:
>>
>>
>> On 11 December 2014 23:25:58 CET, steve <steve at steve-ss.com> wrote:
>>> On 11/12/14 23:15, Tim wrote:
>>>> Thanks Steve,
>>>>
>>>> I will have a look at it. I think it's important to sync the
>>>> idmap.ldb limits
>>>
>>> It isn't important. The limits are the same on all DCs, even if you
>>> have not copied the idmap database anywhere else. All you need to do is
>>> write the uidNumber and the gidNumber to the DN of your new users and
>>> groups.
>>>
>>> There are many ways of keeping track of
>>> what-the-next-uidNumber-should-be, which I think is your real
>>> problem.
>>
>>
>> Can you give an example? Sounds interesting and would really help.
>>
>One way.
>Turn on enumeration.
>getent passwd and redirect to a file. Read each line, cut the 3rd field
>(':' is the delimiter) and append to a second file. Find the biggest
>number and then add 1.
>There are as many ways as people using rfc2307...
>HTH
>Steve
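An added example, not code from either poster: Tim's group loop (wbinfo -g, ldbsearch check, ldbmodify from an LDIF) and Steve's "biggest number plus 1" allocation as POSIX sh functions. The decision and LDIF steps read stdin so they can be tried on sample text; sync_groups wires them to the real tools. The sam.ldb path, GID_FLOOR and the use of an LDIF "replace" are assumptions for your own DC.

```sh
#!/bin/sh
# Added example, not from the thread. SAM_LDB is a placeholder path.
SAM_LDB="${SAM_LDB:-/path/to/private/sam.ldb}"
GID_FLOOR="${GID_FLOOR:-10000}"   # assumption: never allocate below this gid

# next_gid: read "name:x:gid:..." lines (getent/wbinfo format) on stdin and
# print the highest gid + 1, never below GID_FLOOR (Steve's method).
next_gid() {
    awk -F: -v floor="$GID_FLOOR" '
        $3 ~ /^[0-9]+$/ && $3 + 0 > max { max = $3 + 0 }
        END { n = max + 1; if (n < floor) n = floor; print n }'
}

# current_gid: read ldbsearch output for one group on stdin and print its
# gidNumber; prints nothing when the rfc2307 attribute is not set.
current_gid() {
    sed -n 's/^gidNumber: //p' | head -n 1
}

# group_ldif: the LDIF ldbmodify needs to set gidNumber=$2 on DN $1.
# "replace" works whether the attribute is absent or holds an old value.
group_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n-\n' "$1" "$2"
}

# plan_group: $1 = "DOM\name:x:gid:..." from wbinfo --group-info, $2 = gid
# already stored in AD (may be empty), $3 = the group's DN. Prints the LDIF
# to apply, or nothing when AD already matches winbind (the "then exit" case).
plan_group() {
    want=$(printf '%s\n' "$1" | cut -d: -f3)
    [ "$2" = "$want" ] && return 0
    group_ldif "$3" "$want"
}

# sync_groups: the loop itself, wired to the real tools. Not run here; it
# needs winbind enumeration and write access to sam.ldb on the schema master.
sync_groups() {
    wbinfo -g | while IFS= read -r grp; do
        info=$(wbinfo --group-info "$grp") || continue
        sam=${grp#*\\}                      # strip the DOMAIN\ prefix
        entry=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$sam)" gidNumber)
        dn=$(printf '%s\n' "$entry" | sed -n 's/^dn: //p' | head -n 1)
        have=$(printf '%s\n' "$entry" | current_gid)
        ldif=$(plan_group "$info" "$have" "$dn")
        [ -n "$ldif" ] && printf '%s\n' "$ldif" | ldbmodify -H "$SAM_LDB"
    done
}
```

Feeding `getent group` output to next_gid gives the next free gid the way Steve describes; plan_group is the per-group check from Tim's loop and only emits an LDIF when AD and winbind disagree.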