lingpanda101
2018-May-08 13:23 UTC
[Samba] Verifying idmap.ldb consistency across domain controllers
On 5/8/2018 9:07 AM, Rowland Penny via samba wrote:
> On Tue, 8 May 2018 08:59:52 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Is there a command or quick way to verify idmap.ldb is
>> consistent across domain controllers? Similar to using samba-tool to
>> compare two ldap databases? Thanks.
>>
> No, but if you haven't synced idmap.ldb from the first DC to all other DCs,
> then you can take it for granted they are not consistent ;-)
>
> Rowland
>

My concern is with human error and built-in groups. I'm using RFC2307 on all DCs, so for all UIDs and GIDs of manually created users & groups I should be good. I'm pretty confident that for all DCs I have added to the domain, I took the step to copy and replace idmap.ldb. If I search for one builtin user and group and verify XIDs across domain controllers, can I deduce I have in fact taken care to copy and replace idmap.ldb from the 1st DC? What are some telltale signs of idmap.ldb inconsistency? Thanks for any guidance.

-- 
James
Rowland Penny
2018-May-08 13:40 UTC
[Samba] Verifying idmap.ldb consistency across domain controllers
On Tue, 8 May 2018 09:23:42 -0400
lingpanda101 via samba <samba at lists.samba.org> wrote:
> My concern is with human error and built-in groups. I'm using RFC2307
> on all DCs, so for all UIDs and GIDs of manually created users & groups
> I should be good. I'm pretty confident that for all DCs I have added to
> the domain, I took the step to copy and replace idmap.ldb. If I
> search for one builtin user and group and verify XIDs across domain
> controllers, can I deduce I have in fact taken care to copy and
> replace idmap.ldb from the 1st DC? What are some telltale signs of
> idmap.ldb inconsistency? Thanks for any guidance.

The one real inconsistency would be the BUILTIN users and groups, and if it wasn't for sysvol, even this wouldn't be a problem.

Once a user or group is given a *idNumber, this will be used instead of the xidNumber stored in idmap.ldb, so comparing a BUILTIN user or group xidNumber in the first DC's idmap.ldb with the same data on another DC is probably the only way of telling for sure. Having said that, it would probably be easier to set up a cron job to sync idmap.ldb on a regular basis.

Rowland
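Rowland's suggestion (compare the xidNumber of the BUILTIN entries in the first DC's idmap.ldb with the same entries on another DC) can be turned into a repeatable check. The script below is an added example, not code from this thread or from the Samba project. It assumes each DC's idmap.ldb has been dumped to LDIF with something like `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber type` (the path is the common default and is an assumption; adjust it for your install) and that the dumps have been copied to one host. The two LDIF samples embedded in it are constructed to show the record format and a deliberate mismatch.

```python
"""Compare the SID -> xidNumber mapping of idmap.ldb between two DCs.

Added example, not from the mailing-list thread or from Samba. Input is the
LDIF printed by ldbsearch on each DC (assumed command, path is the usual
default and may differ on your system):

    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
        objectSid xidNumber type
"""
import sys

# Constructed sample: dump from the first DC (the reference copy).
DC1_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN=S-1-5-32-546
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000002

# returned 3 records
"""

# Constructed sample: a DC whose idmap.ldb was not copied from the first DC,
# so it handed out xidNumbers in a different order and has an extra entry.
DC2_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000002

# record 3
dn: CN=S-1-5-32-546
objectSid: S-1-5-32-546
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 4
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_BOTH
xidNumber: 3000003

# returned 4 records
"""


def parse_idmap_ldif(text):
    """Parse ldbsearch LDIF output into {sid: (xidNumber, type)}.

    Records are separated by blank lines; '#' lines are comments; a line
    starting with a space continues the previous attribute (LDIF folding).
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    mapping = {}
    record = {}
    for line in unfolded + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if "objectSid" in record and "xidNumber" in record:
                mapping[record["objectSid"]] = (int(record["xidNumber"]),
                                                record.get("type", ""))
            record = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip()] = value.strip()
    return mapping


def compare_idmaps(reference, other):
    """Report SIDs whose xidNumber differs, plus SIDs present on one side only.

    A differing xidNumber for the same SID is the definite sign the two
    databases were not copied from one another; a SID seen on only one DC
    is listed separately so it can be reviewed.
    """
    findings = {"mismatch": [], "missing_on_other": [], "extra_on_other": []}
    for sid in sorted(reference):
        ref_xid = reference[sid][0]
        if sid not in other:
            findings["missing_on_other"].append(sid)
        elif other[sid][0] != ref_xid:
            findings["mismatch"].append((sid, ref_xid, other[sid][0]))
    findings["extra_on_other"] = sorted(s for s in other if s not in reference)
    return findings


def is_consistent(findings):
    """True when no SID maps to different xidNumbers on the two DCs."""
    return not findings["mismatch"]


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py dc1.ldif dc2.ldif
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            ref, oth = parse_idmap_ldif(f1.read()), parse_idmap_ldif(f2.read())
    else:  # fall back to the constructed samples
        ref, oth = parse_idmap_ldif(DC1_LDIF), parse_idmap_ldif(DC2_LDIF)
    result = compare_idmaps(ref, oth)
    for sid, a, b in result["mismatch"]:
        print(f"MISMATCH {sid}: reference xid {a}, other xid {b}")
    for sid in result["missing_on_other"]:
        print(f"MISSING on other DC: {sid}")
    for sid in result["extra_on_other"]:
        print(f"EXTRA on other DC: {sid}")
    print("consistent" if is_consistent(result) else "NOT consistent")
```

Run it against a dump from the first DC and one from each other DC in turn; any MISMATCH line on a BUILTIN SID (S-1-5-32-...) is the telltale sign that idmap.ldb on that DC was not replaced with the first DC's copy. Since the script only reads LDIF text, it never touches a live database and can run from an ordinary workstation.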
lingpanda101
2018-May-08 14:44 UTC
[Samba] Verifying idmap.ldb consistency across domain controllers
On 5/8/2018 9:40 AM, Rowland Penny via samba wrote:
> On Tue, 8 May 2018 09:23:42 -0400
> lingpanda101 via samba <samba at lists.samba.org> wrote:
>
>> My concern is with human error and built-in groups. I'm using RFC2307
>> on all DCs, so for all UIDs and GIDs of manually created users & groups
>> I should be good. I'm pretty confident that for all DCs I have added to
>> the domain, I took the step to copy and replace idmap.ldb. If I
>> search for one builtin user and group and verify XIDs across domain
>> controllers, can I deduce I have in fact taken care to copy and
>> replace idmap.ldb from the 1st DC? What are some telltale signs of
>> idmap.ldb inconsistency? Thanks for any guidance.
> The one real inconsistency would be the BUILTIN users and groups, and
> if it wasn't for sysvol, even this wouldn't be a problem.
>
> Once a user or group is given a *idNumber, this will be used instead of
> the xidNumber stored in idmap.ldb, so comparing a BUILTIN user or group
> xidNumber in the first DC's idmap.ldb with the same data on another DC
> is probably the only way of telling for sure. Having said that, it
> would probably be easier to set up a cron job to sync idmap.ldb on a
> regular basis.
>
> Rowland
>

If I set up a cron job to sync, is it necessary to stop Samba prior to replacing idmap.ldb on the 2nd, 3rd etc. DC?

-- 
James