Taylor Hammerling
2017-Dec-15 17:56 UTC
[Samba] UID/GID -> SID -> NAME mapping across multiple DCs
Interesting... How do I go about getting them/keeping them in sync?

On Fri, Dec 15, 2017 at 11:47 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 15 Dec 2017 11:09:38 -0600
> Taylor Hammerling via samba <samba at lists.samba.org> wrote:
>
> > This isn't necessarily an issue (I don't think) but more so a
> > curiosity.
> >
> > How are UIDs mapped to SIDs and then SIDs mapped to names in Samba4
> > across multiple DCs?
> >
> > I set up my DCs using Louis' how tos (
> > https://github.com/thctlo/samba4/tree/master/howtos).
> >
> > All of my DCs' smb.confs have the line "idmap_ldp:use rfc2307 = yes"
> >
> > My policies folder under \sysvol\domainname\ has permissions of
> >
> > # file: Policies/
> > # owner: root
> > # group: 3000000
> > user::rwx
> > group::r-x
> > other::r-x
> >
> > and the folders below the policies folder have permissions like this
> >
> > 393060 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26
> > {3010F9BE-44ED-474B-B1A4-97126DF3D2B2}
> > 393073 drwxrwx---+ 4 3000008 3000008 4096 Dec 12 09:26
> > {31B2F340-016D-11D2-945F-00C04FB984F9}
> > 393084 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26
> > {6AC1786C-016F-11D2-945F-00C04FB984F9}
> > 393093 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26
> > {9BDC0BE2-5A5E-411F-81E5-6450803FA20D}
> > 393100 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26
> > {9FCBF966-79B8-4E1B-9E96-EE950FD00731}
> > 393108 drwxr-xr-x 4 3000008 3000008 4096 Dec 12 09:26
> > {F175AAA1-AA6D-4A0F-BD42-9321BAA3061E}
> > 393006 drwxr-xr-x 3 3000000 users 12288 Dec 12 09:26
> > PolicyDefinitions
> >
> > I have three DCs, dc1, dc2 and dc3
> >
> > I ran some wbinfo's on all my DCs to check if the UIDs lined up with
> > the same SIDs on each DC, and the results were confusing.
> >
> > DC1======------
> > root at dc1 /# wbinfo -U 3000000
> > S-1-5-32-544
> > root at dc1 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc1 /# wbinfo -G 3000000
> > S-1-5-32-544
> > root at dc1 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc1 /# wbinfo -U 3000008
> > S-1-5-21-2360315722-3846793618-1593657947-572
> > root at dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
> > TCSBASYS\Denied RODC Password Replication Group 4
> > root at dc1 /# wbinfo -G 3000008
> > S-1-5-21-2360315722-3846793618-1593657947-572
> > root at dc1 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-572
> > TCSBASYS\Denied RODC Password Replication Group 4
> >
> > DC2======------
> > root at dc2 /# wbinfo -U 3000000
> > S-1-5-32-544
> > root at dc2 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc2 /# wbinfo -G 3000000
> > S-1-5-32-544
> > root at dc2 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc2 /# wbinfo -U 3000008
> > S-1-5-21-2360315722-3846793618-1593657947-512
> > root at dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
> > TCSBASYS\Domain Admins 2
> > root at dc2 /# wbinfo -G 3000008
> > S-1-5-21-2360315722-3846793618-1593657947-512
> > root at dc2 /# wbinfo -s S-1-5-21-2360315722-3846793618-1593657947-512
> > TCSBASYS\Domain Admins 2
> >
> >
> > DC3======------
> > root at dc2 /# wbinfo -U 3000000
> > S-1-5-32-544
> > root at dc2 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc2 /# wbinfo -G 3000000
> > S-1-5-32-544
> > root at dc2 /# wbinfo -s S-1-5-32-544
> > BUILTIN\Administrators 4
> > root at dc3 /# wbinfo -U 3000008
> > S-1-5-64-10
> > root at dc3 /# wbinfo -s S-1-5-64-10
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-64-10
> > root at dc3 /# wbinfo -G 3000008
> > S-1-5-64-10
> > root at dc3 /# wbinfo -s S-1-5-64-10
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-64-10
> >
> >
> > Any help/insight you can provide would be greatly appreciated!
> >
> > Thanks and have a super Friday!
> >
>
> Welcome to the wonderful world of idmap.ldb on Samba AD DCs ;-)
> I take it you have synced sysvol between the three DCs, you now need to
> sync idmap.ldb from the first DC to the other two. The IDs are
> allocated on a first come basis, so you are likely to get the IDs
> allocated to different groups etc, in your case '3000008' has been
> given to 'S-1-5-64-10' on DC3, this is the SID for 'NTLM
> Authentication' and it should be 'Domain Admins' as on the other two.
>
> Rowland
>
> and
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
*Taylor Hammerling* | *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com
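The divergence Rowland describes (each DC's idmap.ldb hands out xidNumbers on a first-come basis, so the same UID/GID can point at different SIDs on different DCs) is easy to check for mechanically before it shows up as wrong owners on sysvol. The script below is an added example, not code from the thread or from the Samba project. It assumes you have already gathered `wbinfo -U` / `wbinfo -G` results from each DC into lines of the form `dc id sid` (that input format is this script's own convention); the embedded sample is constructed to reproduce the 3000000 / 3000008 results posted above.

```shell
#!/bin/sh
# Added example: detect UID/GID -> SID mappings that differ between Samba AD DCs.
# Input convention (an assumption of this script): whitespace-separated lines
#   <dc-name> <uid-or-gid> <sid>
# On a real DC such lines can be produced with, e.g.
#   for id in 3000000 3000008; do
#       printf '%s %s %s\n' "$(hostname -s)" "$id" "$(wbinfo -U "$id")"
#   done
# and concatenated from every DC before feeding them to report_divergence.

# Constructed sample mirroring the thread: 3000000 agrees everywhere,
# 3000008 resolves to three different SIDs.
SAMPLE_MAPPINGS='dc1 3000000 S-1-5-32-544
dc1 3000008 S-1-5-21-2360315722-3846793618-1593657947-572
dc2 3000000 S-1-5-32-544
dc2 3000008 S-1-5-21-2360315722-3846793618-1593657947-512
dc3 3000000 S-1-5-32-544
dc3 3000008 S-1-5-64-10'

# find_divergent_ids: read "dc id sid" lines on stdin and print every ID that
# maps to more than one distinct SID across the DCs, one ID per line, sorted.
find_divergent_ids() {
    awk '
        NF >= 3 {
            key = $2 SUBSEP $3            # one entry per (id, sid) pair
            if (!(key in seen)) { seen[key] = 1; distinct[$2]++ }
        }
        END { for (id in distinct) if (distinct[id] > 1) print id }
    ' | sort
}

# report_divergence: print, for each divergent ID, the SID each DC reports.
# Exit status 0 when all DCs agree, 1 when at least one ID diverges, so the
# function can gate a monitoring check or a sysvol-permission sync step.
report_divergence() {
    input=$(cat)
    divergent=$(printf '%s\n' "$input" | find_divergent_ids)
    if [ -z "$divergent" ]; then
        echo "all IDs map to the same SID on every DC"
        return 0
    fi
    for id in $divergent; do
        echo "ID $id maps to different SIDs:"
        printf '%s\n' "$input" | awk -v id="$id" '$2 == id { printf "  %s -> %s\n", $1, $3 }'
    done
    return 1
}

# Stand-alone run over the constructed sample.
if printf '%s\n' "$SAMPLE_MAPPINGS" | report_divergence; then
    :
else
    echo "idmap.ldb differs between DCs; sync it from the first DC as described in the thread"
fi
```

The check only detects the mismatch; it does not alter idmap.ldb. Note that `wbinfo -s` output (the friendly name) is deliberately not compared, because on the DC with the stray mapping the lookup fails with `WBC_ERR_DOMAIN_NOT_FOUND`, exactly as in the DC3 output above, so comparing raw SIDs is the reliable signal.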
Rowland Penny
2017-Dec-15 19:03 UTC
[Samba] UID/GID -> SID -> NAME mapping across multiple DCs
On Fri, 15 Dec 2017 11:56:25 -0600
Taylor Hammerling <thammerling at tcsbasys.com> wrote:

> Interesting... How do I go about getting them/keeping them in sync?
>

see here:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_Groups_GID_Mappings

Rowland
Taylor Hammerling
2017-Dec-15 19:08 UTC
[Samba] UID/GID -> SID -> NAME mapping across multiple DCs
Thanks!

On Fri, Dec 15, 2017 at 1:03 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 15 Dec 2017 11:56:25 -0600
> Taylor Hammerling <thammerling at tcsbasys.com> wrote:
>
> > Interesting... How do I go about getting them/keeping them in sync?
> >
>
> see here:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_Groups_GID_Mappings
>
> Rowland