On Wed, 2022-03-09 at 09:58 +0100, Kees van Vloten via samba wrote:
> On 09-03-2022 09:16, Rowland Penny via samba wrote:
> > On Wed, 2022-03-09 at 03:01 -0300, Anderson Sampaio Mello via samba
> > wrote:
> > > Hello samba team.
> > >
> > > I have an AD DC server and winbind generates a UID for a group, for
> > > example Domain Admins has its GID mapped to a SID and also a UID equal
> > > to the GID mapped to the same SID.
> > >
> > > I understand the mapping from GID to SID, but why does it generate a
> > > UID for a group?
> > Because, while a group can own things on Windows, a Unix group cannot,
> > so the group is mapped to a user on a DC, it is known as 'ID_TYPE_BOTH'
> >
> > > Example output of the wbinfo command:
> > >
> > > wbinfo --group-info domain\\domain\ admins
> > >
> > > Domain\domain admins:x:3000004:
> > The numbers in the '3000000' range are 'xidNumbers' and are only found
> > on Samba AD DCs and unless you sync idmap.ldb between Samba DCs, you
> > will get different IDs on different DC's
> It worries me that they are different per DC since files on sysvol use
> these IDs.
> Is idmap.ldb part of the standard DC-sync or should I put something like
> rsync or osync in place similar to sysvol sync?

Have you read the Samba wiki:
https://wiki.samba.org/index.php/Main_Page

Rowland
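The reply above says that the xidNumbers in idmap.ldb are local to each Samba AD DC and will differ between DCs unless idmap.ldb is synced, which matters because sysvol files carry those numeric IDs as their Unix owner. The following script is an added example (it is neither part of this thread nor Samba project code) that checks exactly that: it parses the LDIF that `ldbsearch -H <private dir>/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber type` prints on each DC and reports SIDs that map to different xidNumbers, SIDs known on only one DC, and xidNumbers that two DCs have handed to different SIDs. The two LDIF dumps below are constructed inline so the script runs offline; the domain SID and the 1104/1105 RIDs are made up, the value 3000004 for Domain Admins (RID 512) is taken from the wbinfo output in the thread, and the path of idmap.ldb depends on the build (/var/lib/samba/private for distro packages, /usr/local/samba/private for a self-compiled Samba).

```python
"""Compare the SID -> xidNumber mappings of two Samba AD DCs.

Added example, not from the mailing-list thread or the Samba project.
Feed it the output of, run on each DC:
    ldbsearch -H /var/lib/samba/private/idmap.ldb \
        '(objectClass=sidMap)' objectSid xidNumber type
"""
import re

# Constructed sample dumps. The domain SID and RIDs 1104/1105 are invented;
# 3000004 for RID 512 (Domain Admins) comes from the thread's wbinfo output.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"

DC1_LDIF = f"""\
# record 1
dn: CN={DOMAIN}-512
objectSid: {DOMAIN}-512
type: ID_TYPE_BOTH
xidNumber: 3000004

# record 2
dn: CN={DOMAIN}-513
objectSid: {DOMAIN}-513
type: ID_TYPE_BOTH
xidNumber: 3000005

# record 3
dn: CN={DOMAIN}-1104
objectSid: {DOMAIN}-1104
type: ID_TYPE_UID
xidNumber: 3000021

# returned 3 records
"""

# Second DC, provisioned/joined separately: it allocated its own numbers.
DC2_LDIF = f"""\
# record 1
dn: CN={DOMAIN}-512
objectSid: {DOMAIN}-512
type: ID_TYPE_BOTH
xidNumber: 3000010

# record 2
dn: CN={DOMAIN}-513
objectSid: {DOMAIN}-513
type: ID_TYPE_BOTH
xidNumber: 3000005

# record 3
dn: CN={DOMAIN}-1105
objectSid: {DOMAIN}-1105
type: ID_TYPE_UID
xidNumber: 3000021

# returned 3 records
"""


def parse_idmap_ldif(text):
    """Return {objectSid: (xidNumber, type)} from an ldbsearch LDIF dump."""
    mappings = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue  # ldbsearch comment lines ("# record 1") and junk
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mappings[attrs["objectSid"]] = (int(attrs["xidNumber"]),
                                            attrs.get("type", "?"))
    return mappings


def compare_idmaps(a, b):
    """Report how the mappings of DC a and DC b disagree.

    divergent:  same SID, different xidNumber or type
    only_a/b:   SID allocated a number on one DC only
    collisions: same xidNumber given to different SIDs, i.e. a sysvol file
                owned by that uid/gid means a different principal on each DC
    """
    report = {"divergent": [], "only_a": [], "only_b": [], "collisions": []}
    for sid in sorted(set(a) | set(b)):
        if sid not in b:
            report["only_a"].append(sid)
        elif sid not in a:
            report["only_b"].append(sid)
        elif a[sid] != b[sid]:
            report["divergent"].append((sid, a[sid], b[sid]))
    xid_to_sid_b = {xid: sid for sid, (xid, _) in b.items()}
    for sid, (xid, _) in a.items():
        other = xid_to_sid_b.get(xid)
        if other is not None and other != sid:
            report["collisions"].append((xid, sid, other))
    return report


def idmaps_consistent(report):
    """True only when no category of disagreement was found."""
    return not any(report.values())


if __name__ == "__main__":
    result = compare_idmaps(parse_idmap_ldif(DC1_LDIF),
                            parse_idmap_ldif(DC2_LDIF))
    for kind, entries in result.items():
        for entry in entries:
            print(f"{kind}: {entry}")
    print("consistent" if idmaps_consistent(result) else "DCs DISAGREE")
```

With the constructed dumps the report shows RID 512 with two different numbers, RID 1104 and 1105 each known on one DC only, and xidNumber 3000021 owned by different SIDs on the two DCs. In a real deployment an empty report is what you want before relying on rsync'd sysvol ownership; the Samba wiki's rsync-based sysvol replication workaround copies idmap.ldb from one DC to the others (via tdbbackup) and then runs `samba-tool ntacl sysvolreset` so the sysvol ACLs follow the copied mapping.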
On 09-03-2022 10:02, Rowland Penny via samba wrote:
> On Wed, 2022-03-09 at 09:58 +0100, Kees van Vloten via samba wrote:
>> On 09-03-2022 09:16, Rowland Penny via samba wrote:
>>> On Wed, 2022-03-09 at 03:01 -0300, Anderson Sampaio Mello via samba
>>> wrote:
>>>> Hello samba team.
>>>>
>>>> I have an AD DC server and winbind generates a UID for a group, for
>>>> example Domain Admins has its GID mapped to a SID and also a UID equal
>>>> to the GID mapped to the same SID.
>>>>
>>>> I understand the mapping from GID to SID, but why does it generate a
>>>> UID for a group?
>>> Because, while a group can own things on Windows, a Unix group cannot,
>>> so the group is mapped to a user on a DC, it is known as 'ID_TYPE_BOTH'
>>>
>>>> Example output of the wbinfo command:
>>>>
>>>> wbinfo --group-info domain\\domain\ admins
>>>>
>>>> Domain\domain admins:x:3000004:
>>> The numbers in the '3000000' range are 'xidNumbers' and are only found
>>> on Samba AD DCs and unless you sync idmap.ldb between Samba DCs, you
>>> will get different IDs on different DC's
>> It worries me that they are different per DC since files on sysvol use
>> these IDs.
>> Is idmap.ldb part of the standard DC-sync or should I put something like
>> rsync or osync in place similar to sysvol sync?
> Have you read the Samba wiki:
> https://wiki.samba.org/index.php/Main_Page

Sure, I read many pages. There is a lot of information, can you be a bit
more specific on where sync of idmap.ldb is documented?

> Rowland
On 09-03-2022 10:02, Rowland Penny via samba wrote:
> On Wed, 2022-03-09 at 09:58 +0100, Kees van Vloten via samba wrote:
>> On 09-03-2022 09:16, Rowland Penny via samba wrote:
>>> On Wed, 2022-03-09 at 03:01 -0300, Anderson Sampaio Mello via samba
>>> wrote:
>>>> Hello samba team.
>>>>
>>>> I have an AD DC server and winbind generates a UID for a group, for
>>>> example Domain Admins has its GID mapped to a SID and also a UID equal
>>>> to the GID mapped to the same SID.
>>>>
>>>> I understand the mapping from GID to SID, but why does it generate a
>>>> UID for a group?
>>> Because, while a group can own things on Windows, a Unix group cannot,
>>> so the group is mapped to a user on a DC, it is known as 'ID_TYPE_BOTH'
>>>
>>>> Example output of the wbinfo command:
>>>>
>>>> wbinfo --group-info domain\\domain\ admins
>>>>
>>>> Domain\domain admins:x:3000004:
>>> The numbers in the '3000000' range are 'xidNumbers' and are only found
>>> on Samba AD DCs and unless you sync idmap.ldb between Samba DCs, you
>>> will get different IDs on different DC's
>> It worries me that they are different per DC since files on sysvol use
>> these IDs.
>> Is idmap.ldb part of the standard DC-sync or should I put something like
>> rsync or osync in place similar to sysvol sync?
> Have you read the Samba wiki:
> https://wiki.samba.org/index.php/Main_Page

Perhaps this (from FAQ)?

Do Samba AD DCs Support Replication?

- Everything stored inside the AD, is replicated between DCs. For example:
  users, groups, and DNS records.
- In the current state, Samba does not support the distributed file system
  replication (DFS-R) protocol used for Sysvol replication. To work around,
  see Sysvol Replication (DFS-R).

I understand from this that idmap.ldb gets synced / replicated between DCs,
meaning I will NOT get different IDs on different DC's. Correct?

> Rowland