Michael Tokarev
2022-Nov-16 11:05 UTC
[Samba] UIDs/GIDs for built-in accounts in an AD-DC domain
Hi!

I've another interesting tidbit here. Two domain controllers with replication between them, all is good. smb.conf is the default created by samba-tool domain join. The problem is that the UIDs/GIDs assigned to built-in accounts (Administrators, Users, etc.) are different on the two.

For example, BUILTIN\Administrators is 3000000 on the "second" DC, while it is 3000001 on the first. And 3000001 is Users on the second.

As a result, when I rsync sysvol including all the file attributes, it becomes wrong in the destination, and samba-tool ntacl sysvolcheck reports a lot of errors. sysvolreset fixes these, but obviously the next rsync run makes them wrong again.

The IDs should be somehow synchronized between the two machines (or actually several). What's the way to do this?

And where are these IDs stored to begin with?

Thanks,

/mjt
Rowland Penny
2022-Nov-16 11:31 UTC
[Samba] UIDs/GIDs for built-in accounts in an AD-DC domain
On 16/11/2022 11:05, Michael Tokarev via samba wrote:
> Hi!
>
> I've another interesting tidbit here. Two domain controllers with
> replication between them, all is good. smb.conf is the default
> created by samba-tool domain join. The problem is that the UIDs/GIDs
> assigned to built-in accounts (Administrators, Users, etc.) are different
> on the two.
>
> For example, BUILTIN\Administrators is 3000000 on the "second" DC,
> while it is 3000001 on the first. And 3000001 is Users on the second.
>
> As a result, when I rsync sysvol including all the file attributes,
> it becomes wrong in the destination, and samba-tool ntacl sysvolcheck
> reports a lot of errors. sysvolreset fixes these, but obviously the
> next rsync run makes them wrong again.
>
> The IDs should be somehow synchronized between the two machines (or
> actually several). What's the way to do this?
>
> And where are these IDs stored to begin with?
>
> Thanks,
>
> /mjt

Known problem: the IDs on a DC (which are stored in idmap.ldb) are issued on a first-come basis, so you are very sure to get different IDs on every Samba AD DC. This only really affects Sysvol, which you have to sync between DCs, so it is also recommended to sync idmap.ldb to all other DCs.

Rowland
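As an added example (not from the thread or from Samba itself), a POSIX sh check that compares idmap.ldb dumps taken on two DCs and lists every SID whose xidNumber disagrees, so a mismatch like the one reported above is caught before sysvol is rsynced. It assumes the default idmap.ldb path under /var/lib/samba/private and ldbsearch's usual LDIF-style output; the sample dumps embedded below are constructed, not real output.

```shell
# Compare SID -> xidNumber mappings from two DCs' idmap.ldb dumps, produced on each DC with
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber
# (assumed default path). Prints "SID xid_dc1 xid_dc2" per disagreeing SID; exit 1 if any.
idmap_diff() {
    [ -s "$1" ] && [ -s "$2" ] || { echo "idmap_diff: need two non-empty dumps" >&2; return 2; }
    awk '
        function flush() {            # store the record just read, keyed by (side, SID)
            if (sid != "" && xid != "") { map[side, sid] = xid; seen[sid] = 1 }
            sid = ""; xid = ""
        }
        FNR == 1       { flush(); side++ }   # first line of each file: switch side
        /^dn: /        { flush() }            # start of a new ldb record
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        END {
            flush(); n = 0
            for (s in seen) {
                a = ((1, s) in map) ? map[1, s] : "MISSING"
                b = ((2, s) in map) ? map[2, s] : "MISSING"
                if (a != b) { print s, a, b; n++ }
            }
            exit (n > 0)
        }
    ' "$1" "$2"
}
# Constructed sample dumps (not real output from the poster's DCs): Administrators
# (S-1-5-32-544) and Users (S-1-5-32-545) got swapped IDs, and S-1-5-32-548 exists only on DC1.
DC1_DUMP=$(mktemp); DC2_DUMP=$(mktemp)
cat > "$DC1_DUMP" <<'EOF'
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000001
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000000
dn: CN=S-1-5-32-548
objectSid: S-1-5-32-548
xidNumber: 3000002
EOF
cat > "$DC2_DUMP" <<'EOF'
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000001
EOF
idmap_diff "$DC1_DUMP" "$DC2_DUMP" || echo "idmap.ldb differs: sync it before rsyncing sysvol"
```

If it reports differences, sync idmap.ldb as the reply recommends and run samba-tool ntacl sysvolreset before the next rsync.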