On Wed, 2022-03-09 at 09:58 +0100, Kees van Vloten via samba wrote:
> On 09-03-2022 09:16, Rowland Penny via samba wrote:
> > On Wed, 2022-03-09 at 03:01 -0300, Anderson Sampaio Mello via samba
> > wrote:
> > > Hello samba team.
> > >
> > > I have an AD DC server and winbind generates a UID for a group,
> > > for example Domain Admins has its GID mapped to a SID and also a
> > > UID equal to the GID mapped to the same SID.
> > >
> > > I understand the mapping from GID to SID, but why does it
> > > generate a UID for a group?
> > Because, while a group can own things on Windows, a Unix group
> > cannot, so the group is mapped to a user on a DC, it is known as
> > 'ID_TYPE_BOTH'
> >
> > > Example output of the wbinfo command:
> > >
> > > wbinfo --group-info domain\\domain\ admins
> > >
> > > Domain\domain admins:x:3000004:
> > The numbers in the '3000000' range are 'xidNumbers' and are only
> > found on Samba AD DCs and unless you sync idmap.ldb between Samba
> > DCs, you will get different IDs on different DCs
>
> It worries me that they are different per DC since files on sysvol
> use these IDs.
> Is idmap.ldb part of the standard DC-sync or should I put something
> like rsync or osync in place similar to sysvol sync?
Have you read the Samba wiki:
https://wiki.samba.org/index.php/Main_Page
Rowland
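
The following is an added example, not part of the original thread: a check that compares the SID-to-xidNumber mappings dumped from two DCs and reports the SIDs whose IDs differ, which is the condition that makes sysvol ownership inconsistent between DCs. It assumes each DC's idmap.ldb has been exported as LDIF-style text with `cn` (the SID), `type` and `xidNumber` attributes per record; the SIDs and all IDs other than 3000004 in the sample data are constructed.

```python
import re

def parse_idmap(ldif_text):
    """Return {sid: (id_type, xid)} from LDIF-style records (assumed dump layout)."""
    mappings = {}
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip comments and malformed lines
            key, value = line.split(": ", 1)
            attrs[key.strip()] = value.strip()
        sid = attrs.get("cn", "")
        # Only SID mapping records carry an xidNumber; ignore config records.
        if sid.startswith("S-1-") and attrs.get("xidNumber", "").isdigit():
            mappings[sid] = (attrs.get("type", "UNKNOWN"), int(attrs["xidNumber"]))
    return mappings

def diff_idmaps(dc1, dc2):
    """Return (mismatched, only_on_dc1, only_on_dc2) for two parsed maps."""
    mismatched = {s: (dc1[s], dc2[s]) for s in dc1.keys() & dc2.keys() if dc1[s] != dc2[s]}
    return mismatched, sorted(dc1.keys() - dc2.keys()), sorted(dc2.keys() - dc1.keys())

# Constructed sample data; the domain SID prefix is a placeholder.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
DC1_DUMP = f"""
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN={DOM}-512
cn: {DOM}-512
type: ID_TYPE_BOTH
xidNumber: 3000004

dn: CN={DOM}-513
cn: {DOM}-513
type: ID_TYPE_BOTH
xidNumber: 3000008
"""
DC2_DUMP = DC1_DUMP.replace("3000004", "3000011").split(f"dn: CN={DOM}-513")[0]

if __name__ == "__main__":
    bad, only1, only2 = diff_idmaps(parse_idmap(DC1_DUMP), parse_idmap(DC2_DUMP))
    for sid, (a, b) in sorted(bad.items()):
        print(f"MISMATCH {sid}: DC1={a[1]} DC2={b[1]}")
    print("only on DC1:", only1, "| only on DC2:", only2)
```

A SID that exists on only one DC is not yet a conflict, but it will be allocated independently on the other DC the first time it is resolved there.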