On 18.09.19 at 16:17, Rowland penny wrote:
> On 18/09/2019 03:41, Simeon Peter via samba wrote:
>>> I would remove any uidNumber & gidNumber attributes from the
>>> following users (if set):
>>>
>>> administrator
>>> guest
>>> krbtgt
>> Administrator has had a uidNumber for a long time and owns some files.
>> Are there disadvantages if I leave his uidNumber?
> A very big one, 'Administrator' is now a standard user as far as Unix
> is concerned and can do no more than any other normal user.
> Administrator should be mapped to the Unix user root (by default it is
> on a DC).

At the moment there is a user "root" in the AD with the UID 0. Administrator has another UID than 0 and I cannot give the UID 0 to two users. So should I delete the user "root" in the Active Directory and give the UID 0 to the Administrator user? Which default group should it belong to?

>>> If you are using Bind9, then you will also have users in this
>>> format: dns-dcname, if so do the same for these users.
>>>
>>> you should also remove gidNumber attributes from these groups:
>>>
>>> cert publishers
>>> ras and ias servers
>>> allowed rodc password replication group
>>> denied rodc password replication group
>>> dnsadmins
>>> enterprise read-only domain controllers
>>> domain guests
>>> domain computers
>>> domain controllers
>>> schema admins
>>> enterprise admins
>>> group policy creator owners
>>> read-only domain controllers
>>> dnsupdateproxy
>> What about the groups Administrators and Users in the Builtin folder?
> Sorry, missed off 'Administrators', not sure which users you are
> referring to here.

There is the group "BUILTIN\Administrators", which has a custom gidNumber at the moment. Should it also have a Unix GID? Is there a Unix group "root" with GID 0?

>> Is it recommended to stop source / destination DC while the export/
>> import?
>>
>> At the moment I have a cron job rsyncing the sysvol directory. In that
>> case it would be better to sync it manually in the future.
> see here:
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings

That worked well, thank you :-)

Simeon
On 19/09/2019 00:19, Simeon Peter via samba wrote:
> At the moment there is a user "root" in the AD with the UID 0.
> Administrator has another UID than 0 and I cannot give the UID 0 to
> two users.

First thing, if there is a user called 'root' in AD, then delete it, the user root should only be in /etc/passwd.

Next, if you open idmap.ldb, you will find an object like this:

dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
objectClass: sidMap
objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500

This is the object for Administrator and maps the user to the ID '0', which is also the ID of the Unix user 'root'. This is how the Windows user 'Administrator' becomes the Unix user 'root'. If 'Administrator' has a uidNumber attribute, remove it.

> So should I delete the user "root" in the Active Directory and give
> the UID 0 to the Administrator user?

Yes, delete 'root' from AD, remove any rfc2307 attributes from 'Administrator' and run 'net cache flush', this will reset 'Administrator' back to the ID '0'.

> Which default group should it belong to?

Domain Users

> There is the group "BUILTIN\Administrators", which has a custom
> gidNumber at the moment. Should it also have a Unix GID? Is there a
> Unix group "root" with GID 0?

Not sure I understand the above, what is the difference between a 'custom gidNumber' and a 'Unix GID'?

If the 'custom gidNumber' is a number in the '3000000' range, then this is actually an xidNumber from idmap.ldb.

'Administrators' and 'BUILTIN\Administrators' are the same group and it shouldn't have a gidNumber attribute, also there is a Unix group 'root' in /etc/group and like the Unix user 'root', it shouldn't be in AD.

Rowland
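The check Rowland describes above (is Administrator's SID mapped to xidNumber 0 in idmap.ldb, and does the user object still carry uidNumber/gidNumber?) and the attribute removal that follows it, as an added example that is not part of the thread and not Samba project code. The private-directory paths are the Samba defaults and are an assumption; the sample idmap.ldb and user records embedded for the offline demo are constructed, with an invented domain SID, DN and ID values. The record parsers read the LDIF that ldbsearch prints, so the same functions work on live output.

```shell
#!/bin/sh
# Added example (not from the thread): check how 'Administrator' gets its Unix ID on a
# Samba AD DC and emit the LDIF that strips stray rfc2307 attributes from the user object.
# Assumptions (not from the thread): the default private-dir paths below, and the
# constructed sample records used for the offline demo (SID, DN and IDs are invented).
IDMAP_DB="${IDMAP_DB:-/var/lib/samba/private/idmap.ldb}"
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"

# Print the xidNumber that idmap.ldb assigns to the domain object with RID 500
# (Administrator). Reads LDIF on stdin, as produced by:
#   ldbsearch -H "$IDMAP_DB" '(objectClass=sidMap)'
xid_for_rid500() {
    awk 'BEGIN { RS = "" }          # paragraph mode: one LDIF record per paragraph
         {
             hit = 0; xid = ""
             for (i = 1; i < NF; i++) {
                 if ($i == "objectSid:" && $(i + 1) ~ /^S-1-5-21-[0-9-]+-500$/) hit = 1
                 if ($i == "xidNumber:") xid = $(i + 1)
             }
             if (hit) { print xid; exit }
         }'
}

# Print the first DN in an LDIF stream.
dn_of() {
    awk '/^dn: / { sub(/^dn: /, ""); print; exit }'
}

# Print, space-separated, whichever of uidNumber/gidNumber a user or group record
# carries (empty if none). Reads LDIF on stdin, as produced by:
#   ldbsearch -H "$SAM_DB" '(sAMAccountName=Administrator)' uidNumber gidNumber
rfc2307_attrs_present() {
    awk '/^(uidNumber|gidNumber): / { sub(/:$/, "", $1); s = s (s == "" ? "" : " ") $1 }
         END { print s }'
}

# Build the LDIF that deletes the named attributes from a DN. List only attributes that
# are actually present: LDAP rejects a delete of an absent attribute.
delete_rfc2307_ldif() {
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    for attr in "$@"; do
        printf 'delete: %s\n-\n' "$attr"
    done
}

# Returns 0 when Administrator resolves to xid 0 through idmap.ldb and the user object
# carries no uidNumber/gidNumber, 1 otherwise. $1 = idmap LDIF text, $2 = user LDIF text.
administrator_is_root() {
    xid=$(printf '%s\n' "$1" | xid_for_rid500)
    attrs=$(printf '%s\n' "$2" | rfc2307_attrs_present)
    if [ "$xid" = "0" ] && [ -z "$attrs" ]; then return 0; else return 1; fi
}

# --- constructed sample records for the offline demo (same shape as the idmap.ldb
# --- object quoted in the thread; SID, DN and ID values are invented) ---
SAMPLE_IDMAP='dn: CN=S-1-5-21-1111111111-2222222222-3333333333-500
cn: S-1-5-21-1111111111-2222222222-3333333333-500
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-500'

SAMPLE_USER='dn: CN=Administrator,CN=Users,DC=example,DC=com
sAMAccountName: Administrator
uidNumber: 10000
gidNumber: 10000'

if administrator_is_root "$SAMPLE_IDMAP" "$SAMPLE_USER"; then
    echo "Administrator maps to ID 0 and carries no rfc2307 attributes; nothing to do."
else
    attrs=$(printf '%s\n' "$SAMPLE_USER" | rfc2307_attrs_present)
    dn=$(printf '%s\n' "$SAMPLE_USER" | dn_of)
    echo "Administrator still carries: $attrs"
    echo "Save the LDIF below to a file, apply it with: ldbmodify -H $SAM_DB <file>"
    echo "then run: net cache flush"
    delete_rfc2307_ldif "$dn" $attrs      # word-splitting of $attrs is intended
fi
```

The same search-then-delete step applies to each group in the list quoted earlier in the thread: run rfc2307_attrs_present against that group's record, and feed only the attributes it reports into delete_rfc2307_ldif. One practical caveat: files on the DC that Administrator owned under the old uidNumber keep that numeric owner after the mapping changes, so chown them (to root, if Administrator is to own them as root) once `net cache flush` has run.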
Great, thank you very much for your clear and detailed explanations Rowland! I will change it like this...

Simeon

On 19.09.19 at 16:13, Rowland penny via samba wrote:
> On 19/09/2019 00:19, Simeon Peter via samba wrote:
>> At the moment there is a user "root" in the AD with the UID 0.
>> Administrator has another UID than 0 and I cannot give the UID 0 to
>> two users.
>
> First thing, if there is a user called 'root' in AD, then delete it,
> the user root should only be in /etc/passwd.
>
> Next, if you open idmap.ldb, you will find an object like this:
>
> dn: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> cn: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> objectClass: sidMap
> objectSid: S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
> type: ID_TYPE_UID
> xidNumber: 0
> distinguishedName: CN=S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-500
>
> This is the object for Administrator and maps the user to the ID '0',
> which is also the ID of the Unix user 'root'. This is how the Windows
> user 'Administrator' becomes the Unix user 'root'. If 'Administrator'
> has a uidNumber attribute, remove it.
>
>> So should I delete the user "root" in the Active Directory and give
>> the UID 0 to the Administrator user?
> Yes, delete 'root' from AD, remove any rfc2307 attributes from
> 'Administrator' and run 'net cache flush', this will reset
> 'Administrator' back to the ID '0'.
>
>> Which default group should it belong to?
> Domain Users
>
>> There is the group "BUILTIN\Administrators", which has a custom
>> gidNumber at the moment. Should it also have a Unix GID? Is there a
>> Unix group "root" with GID 0?
>
> Not sure I understand the above, what is the difference between a
> 'custom gidNumber' and a 'Unix GID'?
>
> If the 'custom gidNumber' is a number in the '3000000' range, then
> this is actually an xidNumber from idmap.ldb.
>
> 'Administrators' and 'BUILTIN\Administrators' are the same group and it
> shouldn't have a gidNumber attribute, also there is a Unix group
> 'root' in /etc/group and like the Unix user 'root', it shouldn't be in
> AD.
>
> Rowland