Hello

I had a problem with different group IDs on my two DCs. They both have Version 4.7.6-Ubuntu and use the RFC2307 scheme. The first DC showed the group IDs 200xx that I gave in the AD. The second DC gave the ID 100 to Domain Users and other 200xx IDs to the groups.

To solve the problem:

 1. I gave Unix UIDs to all users and GIDs to groups in the Active Directory with RSAT
 2. I copied the idmap.ldb database from the first to the second DC

The problem with wrong file permissions of the Netlogon share, based on different groups in the ACLs on the second DC, could be solved like this.

Now I am wondering what I should do to prevent future issues.

I read the post Two DC but Different UID <https://lists.samba.org/archive/samba/2016-June/200433.html>:

> And the best way is to do both: synchronize idmap.ldb and set up uidNumber
> and gidNumber for each and every user in AD, even on MS users contained
> into BUILTIN and Users containers.
>
> If you synchronize idmap.ldb, keep it synched.
> Usage of RFC2307 for MS Builtin users is to avoid future issues, once they
> get all some xID from AD, they have no reason to get some irrelevant xID
> from id mapping.
>
> You can also edit idmap.ldb using "ldbedit -H idmap.ldb" to remove from
> that file every user and group which already have xidNumber set in AD LDAP
> tree.

Outside the 3000000 range I have these entries in the idmap.ldb:

65534, belongs to S-1-5-7 (Anonymous)

net groupmap list ntgroup='S-1-5-7' shows: Failure to local group SID in the database

100: net groupmap list ntgroup shows Domain Users

0: net groupmap list ntgroup shows Failure to local group SID in the database

Should I delete these three entries?

Is it necessary to sync the idmap.ldb again as long as I only change users, groups and computers in the AD?

Are the other entries in the 3000000 range all from the DCs, so it is better to keep them like they are?

Thank you for your answers.

Simeon
On 17/09/2019 03:58, Simeon Peter via samba wrote:
> Hello
>
> I had a problem with different group IDs on my two DCs. They both have
> Version 4.7.6-Ubuntu and use the RFC2307 scheme. The first DC showed
> the group IDs 200xx that I gave in the AD. The second DC gave the ID
> 100 to Domain Users and other 200xx IDs to the groups.
>
> To solve the problem:
>
>  1. I gave Unix UIDs to all users and GIDs to groups in the Active
> Directory with RSAT
>  2. I copied the idmap.ldb database from the first to the second DC
>
> The problem with wrong file permissions of the Netlogon share, based
> on different groups in the ACLs on the second DC, could be solved like
> this.
>
> Now I am wondering what I should do to prevent future issues.
>
> I read the post Two DC but Different UID
> <https://lists.samba.org/archive/samba/2016-June/200433.html>:
>
>> And the best way is to do both: synchronize idmap.ldb and set up
>> uidNumber
>> and gidNumber for each and every user in AD, even on MS users contained
>> into BUILTIN and Users containers.
>>
>> If you synchronize idmap.ldb, keep it synched.
>> Usage of RFC2307 for MS Builtin users is to avoid future issues, once
>> they
>> get all some xID from AD, they have no reason to get some irrelevant xID
>> from id mapping.
>>
>> You can also edit idmap.ldb using "ldbedit -H idmap.ldb" to remove from
>> that file every user and group which already have xidNumber set in AD
>> LDAP
>> tree.
>
> Outside the 3000000 range I have these entries in the idmap.ldb:
>
> 65534, belongs to S-1-5-7 (Anonymous)
>
> net groupmap list ntgroup='S-1-5-7' shows: Failure to local group SID
> in the database
>
> 100: net groupmap list ntgroup shows Domain Users
>
> 0: net groupmap list ntgroup shows Failure to local group SID in the
> database
>
> Should I delete these three entries?
>
> Is it necessary to sync the idmap.ldb again as long as I only change
> users, groups and computers in the AD?
>
> Are the other entries in the 3000000 range all from the DCs, so it is
> better to keep them like they are?
>
>
> Thank you for your answers.
>
> Simeon
>

Do not give the standard Windows users and groups a uid/gidNumber, most are never used on Unix, the main exception would be Domain Users.

It sounds like your problems are being caused by using the DCs as fileservers, something that is only really viable if you only have one DC. If you have multiple DCs, then set up a Unix domain member and use this as the fileserver.

You only need to sync idmap.ldb if you are using GPOs.

If you add uidNumber and gidNumber attributes to AD these should be used instead of the xidNumber attributes in idmap.ldb.

Rowland
On 17/09/2019 09:30, Simeon Peter wrote:
>
> On 17.09.19 at 17:08, Rowland penny via samba wrote:
>> Do not give the standard Windows users and groups a uid/gidNumber,
>> most are never used on Unix, the main exception would be Domain Users.
> OK, now I did it already. Is it ok to leave it like this?

I would remove any uidNumber & gidNumber attributes from the following users (if set):

administrator
guest
krbtgt

If you are using Bind9, then you will also have users in this format: dns-dcname, if so do the same for these users.

You should also remove gidNumber attributes from these groups:

cert publishers
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
dnsadmins
enterprise read-only domain controllers
domain guests
domain computers
domain controllers
schema admins
enterprise admins
group policy creator owners
read-only domain controllers
dnsupdateproxy

This just leaves Domain Admins, if you give this group a gidNumber it just becomes a group (yes, I know it is just a group) but Windows has this funny thing where groups can own files and Unix doesn't. If Domain Admins is a Unix group, it cannot own things in Sysvol and it needs to. My way around this is to create a group (I use one called 'unix admins'), give this group a gidNumber and make it a member of Domain Admins or Administrators, then use this group instead of Domain Admins, finally ensure that Domain Admins doesn't have a gidNumber.

>>
>> It sounds like your problems are being caused by using the DCs as
>> fileservers, something that is only really viable if you only have
>> one DC. If you have multiple DCs, then set up a Unix domain member
>> and use this as the fileserver.
> I prefer to have as few servers as possible to set up and maintain.
> If I can handle it with the User & Group IDs, are there other issues
> when using a DC as a file server?

Yes, lots, do not even bother trying this if you have more than one DC, only use a DC as a fileserver when you really have no other option.

>>
>> You only need to sync idmap.ldb if you are using GPOs.
>
> I use GPOs. How often should I sync the idmap.ldb?

Every time you add a GPO and sync it to any other DCs.

>
>>
>> If you add uidNumber and gidNumber attributes to AD these should be
>> used instead of the xidNumber attributes in idmap.ldb.
> That is what I did and solved my problem. Do you recommend to delete
> old entries in the idmap.ldb?

No, if a user has a uidNumber or a group has a gidNumber, these will be used instead of the xidNumbers from idmap.ldb

Rowland
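One way to act on the list in Rowland's reply, as an added example that is not code from the thread or from Samba: a small sh/awk filter that turns the LDIF printed by an ldbsearch for objects carrying uidNumber/gidNumber into an LDIF that deletes those attributes from the listed built-in accounts and from Domain Admins, while leaving Domain Users (and a dedicated admin group like 'unix admins') alone. The sam.ldb path, the example.com DNs and the sample records are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): turn the LDIF that ldbsearch
# prints for objects with uidNumber/gidNumber into an LDIF that deletes those
# attributes from the built-in users/groups listed above, leaving Domain Users
# and an RFC2307 admin group like "unix admins" alone. Assumed real input:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(|(uidNumber=*)(gidNumber=*))' sAMAccountName uidNumber gidNumber
# Review the result, then apply it with ldbmodify against the same sam.ldb.

# Lower-case sAMAccountNames that should carry no POSIX id on a Samba AD DC.
STRIP_NAMES='administrator|guest|krbtgt|cert publishers|ras and ias servers|allowed rodc password replication group|denied rodc password replication group|dnsadmins|enterprise read-only domain controllers|domain guests|domain computers|domain controllers|schema admins|enterprise admins|group policy creator owners|read-only domain controllers|dnsupdateproxy|domain admins'

# Reads ldbsearch LDIF on stdin, writes "changetype: modify" LDIF on stdout.
gen_strip_ldif() {
    awk -v names="$STRIP_NAMES" '
    BEGIN { RS = ""; FS = "\n"; n = split(names, list, "|")
            for (i = 1; i <= n; i++) strip[list[i]] = 1 }
    {
        dn = ""; name = ""; attrs = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dn: /)                  dn = substr($i, 5)
            else if ($i ~ /^sAMAccountName: /) name = tolower(substr($i, 17))
            else if ($i ~ /^uidNumber: /)      attrs = attrs " uidNumber"
            else if ($i ~ /^gidNumber: /)      attrs = attrs " gidNumber"
        }
        # Skip comment-only paragraphs, unlisted objects and objects without either attribute.
        if (dn == "" || !(name in strip) || attrs == "") next
        printf "dn: %s\nchangetype: modify\n", dn
        m = split(attrs, a, " ")
        for (j = 1; j <= m; j++) printf "delete: %s\n-\n", a[j]
        print ""
    }'
}
# Constructed sample resembling ldbsearch output (not a real domain).
SAMPLE_LDIF='# record 1
dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 20000

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 20001

dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 20001

# returned 3 records'
printf '%s\n' "$SAMPLE_LDIF" | gen_strip_ldif
```

On the sample it emits two modify records, one deleting gidNumber from Domain Admins and one deleting uidNumber and gidNumber from Administrator, and leaves Domain Users untouched.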
Thank you for your answers Rowland. I could go ahead.

On 17.09.19 at 18:52, Rowland penny wrote:
> On 17/09/2019 09:30, Simeon Peter wrote:
>> On 17.09.19 at 17:08, Rowland penny via samba wrote:
>>> Do not give the standard Windows users and groups a uid/gidNumber,
>>> most are never used on Unix, the main exception would be Domain Users.
>> OK, now I did it already. Is it ok to leave it like this?
>
> I would remove any uidNumber & gidNumber attributes from the following
> users (if set):
>
> administrator
> guest
> krbtgt

Administrator has had a uidNumber for a long time and owns some files. Are there disadvantages if I leave his uidNumber?

>
> If you are using Bind9, then you will also have users in this format:
> dns-dcname, if so do the same for these users.
>
> You should also remove gidNumber attributes from these groups:
>
> cert publishers
> ras and ias servers
> allowed rodc password replication group
> denied rodc password replication group
> dnsadmins
> enterprise read-only domain controllers
> domain guests
> domain computers
> domain controllers
> schema admins
> enterprise admins
> group policy creator owners
> read-only domain controllers
> dnsupdateproxy

What about the groups Administrators and Users in the Builtin folder?

>
> This just leaves Domain Admins, if you give this group a gidNumber it
> just becomes a group (yes, I know it is just a group) but Windows has
> this funny thing where groups can own files and Unix doesn't. If
> Domain Admins is a Unix group, it cannot own things in Sysvol and it
> needs to. My way around this is to create a group (I use one called
> 'unix admins'), give this group a gidNumber and make it a member of
> Domain Admins or Administrators, then use this group instead of Domain
> Admins, finally ensure that Domain Admins doesn't have a gidNumber.

If the group Domain Admins doesn't have a gidNumber, does it get an xidNumber instead? And can it own folders and files like that?

I noticed that the group Enterprise Admins is also a member of Administrators. So I could use this group for my administrators and give a gidNumber to it?

>
>>>
>>> It sounds like your problems are being caused by using the DCs as
>>> fileservers, something that is only really viable if you only have
>>> one DC. If you have multiple DCs, then set up a Unix domain member
>>> and use this as the fileserver.
>> I prefer to have as few servers as possible to set up and maintain.
>> If I can handle it with the User & Group IDs, are there other issues
>> when using a DC as a file server?
> Yes, lots, do not even bother trying this if you have more than one
> DC, only use a DC as a fileserver when you really have no other option.
>>>
>>> You only need to sync idmap.ldb if you are using GPOs.
>>
>> I use GPOs. How often should I sync the idmap.ldb?
> Every time you add a GPO and sync it to any other DCs.

Is it recommended to stop the source/destination DC during the export/import? At the moment I have a cronjob rsyncing the sysvol directory. In that case it would be better to sync it manually in the future.

>>
>>>
>>> If you add uidNumber and gidNumber attributes to AD these should be
>>> used instead of the xidNumber attributes in idmap.ldb.
>> That is what I did and solved my problem. Do you recommend to delete
>> old entries in the idmap.ldb?
> No, if a user has a uidNumber or a group has a gidNumber, these will
> be used instead of the xidNumbers from idmap.ldb
>
> Rowland
>

Simeon