On Fri, 15 Feb 2019 15:34:14 +0500
Шигапов Денис Вильданович via samba <samba at lists.samba.org> wrote:
> Thank you very much.
> By the way, is it possible to specify arbitrary guid for BUILTIN
> and NT AUTHORITY in samba DC?
>
> example guid NT AUTHORITY\Authenticated Users in dc01 = 300002, in
> dc02 = 300005
> I would like that to guid dc01 == dc02
>
> On 15.02.2019 14:32, Rowland Penny via samba wrote:
> > net cache flush
>
>
Firstly, stop calling it 'guid', a 'GUID' is something else entirely in
AD ;-)
I think you want your BUILTIN groups to have the same ID's on all DC's,
this is fairly easy, but first, why they are different. These users and
groups are mapped in idmap.ldb and the ID's are allocated on a first
come basis, this means, as you have found out, that users & groups can
have different ID's on different DC's. This wouldn't be a problem,
except for Sysvol, which isn't automatically synced between Samba AD
DC's and before you ask, information on how to do this can be found
here:
https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
Now you know why they are different, I think you can see that the only
way to get the same ID's is if idmap.ldb files are the same on all
DC's. Instructions on how to do this can be found here:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
Rowland
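
Added example, not part of the original emails: a small check that compares the SID-to-ID mappings of two DCs, so you can confirm the allocations match before relying on identical sysvol ACLs. It assumes each DC's idmap.ldb has been dumped to LDIF text with `ldbsearch -H` and that records carry `objectSid` and `xidNumber` attributes; the sample dumps and function names are constructed for illustration.

```python
"""Compare SID -> xidNumber mappings taken from two idmap.ldb LDIF dumps."""

# Constructed sample dumps (assumed layout of `ldbsearch -H idmap.ldb` output).
DC01_LDIF = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN=S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000002
"""
# Same database, but the second DC allocated a different ID for S-1-5-11.
DC02_LDIF = DC01_LDIF.replace("xidNumber: 3000002", "xidNumber: 3000005")


def parse_idmap(ldif):
    """Return {sid: xid} for every record that has objectSid and xidNumber."""
    mapping = {}
    for block in ldif.replace("\r\n", "\n").split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and blank or malformed lines
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[attrs["objectSid"]] = int(attrs["xidNumber"])
    return mapping


def diff_idmaps(a, b):
    """Return {sid: (xid_a, xid_b)} where the DCs disagree; None = not mapped."""
    return {sid: (a.get(sid), b.get(sid))
            for sid in sorted(set(a) | set(b))
            if a.get(sid) != b.get(sid)}


if __name__ == "__main__":
    dc01, dc02 = parse_idmap(DC01_LDIF), parse_idmap(DC02_LDIF)
    for sid, (x1, x2) in diff_idmaps(dc01, dc02).items():
        print(f"{sid}: dc01={x1} dc02={x2}")
```

An empty result means both DCs map every SID to the same ID; any entry listed is a SID whose ownership on sysvol files would resolve differently on the two DCs.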