Rowland Penny
2022-Nov-16 11:31 UTC
[Samba] UIDs/GIDs for built-in accounts in an AD-DC domain
On 16/11/2022 11:05, Michael Tokarev via samba wrote:
> Hi!
>
> I've another interesting tidbit here. Two domain controllers with
> replication between them, all is good. smb.conf is the default
> created by samba-tool domain join. The problem is that the UIDs/GIDs
> assigned to built-in accounts (Administrators, Users, etc) are different
> on the two.
>
> For example, BUILTIN\Administrators is 3000000 on the "second" DC,
> while it is 3000001 on first. And 3000001 is Users on second.
>
> As a result, when I rsync sysvol including all the file attributes,
> it becomes wrong in the destination, and samba-tool ntacl sysvolcheck
> reports a lot of errors. sysvolreset fixes these, but obviously the
> next rsync run makes them wrong again.
>
> The IDs should be somehow synchronized between the two machines (or
> actually several). What's the way to do this?
>
> And where these IDs are stored to begin with?
>
> Thanks,
>
> /mjt
>

Known problem, the IDs on a DC (which are stored in idmap.ldb) are issued on a first come basis, so you are very sure to get different IDs on every Samba AD DC.

This only really affects Sysvol, which you have to sync between DCs, so it is also recommended to sync idmap.ldb to all other DCs.

Rowland
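A check for the drift Rowland describes, added here as an example (it is not part of this thread or of Samba): it diffs the objectSid/xidNumber pairs from two idmap.ldb exports and lists the SIDs whose IDs disagree between DCs. The LDIF is constructed sample data and the ldbsearch path in the comment is an assumption.

```shell
# Compare objectSid -> xidNumber mappings in two DCs' idmap.ldb exports and list
# every SID mapped to a different ID (the mismatch that breaks rsynced sysvol ACLs).
# Input is LDIF as printed by (private-dir path is an assumption, distro-specific):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectSid=*)' objectSid xidNumber
# Both exports below are constructed sample data, not real dumps.
DC1_LDIF='dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000001

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000000

dn: CN=S-1-5-32-548
objectSid: S-1-5-32-548
xidNumber: 3000002
'
DC2_LDIF='dn: CN=S-1-5-32-544
objectSid: S-1-5-32-544
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
xidNumber: 3000001
'
# Turn LDIF on stdin into "tag SID xid" lines; tag names the source DC.
idmap_pairs() {
    awk -v tag="$1" '/^objectSid: /{sid=$2} /^xidNumber: /{print tag, sid, $2}'
}
# Print "SID xid_on_first xid_on_second" for every SID mapped differently
# (a SID missing on one side shows "-"), sorted by SID; empty when in sync.
idmap_diff() {
    {
        printf '%s\n' "$1" | idmap_pairs 1
        printf '%s\n' "$2" | idmap_pairs 2
    } | awk '
        $1 == 1 { a[$2] = $3 }
        $1 == 2 { b[$2] = $3 }
        END {
            for (s in a) {
                if (!(s in b)) print s, a[s], "-"; else if (a[s] != b[s]) print s, a[s], b[s]
            }
            for (s in b) if (!(s in a)) print s, "-", b[s]
        }' | sort
}
# 544 = Administrators, 545 = Users, 548 = Account Operators.
idmap_diff "$DC1_LDIF" "$DC2_LDIF"
```

A non-empty result before an rsync of sysvol means the owner/group IDs in the copied ACLs will not line up on the destination DC.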
Kees van Vloten
2022-Nov-16 11:34 UTC
[Samba] UIDs/GIDs for built-in accounts in an AD-DC domain
On 16-11-2022 at 12:31, Rowland Penny via samba wrote:
> On 16/11/2022 11:05, Michael Tokarev via samba wrote:
>> Hi!
>>
>> I've another interesting tidbit here. Two domain controllers with
>> replication between them, all is good. smb.conf is the default
>> created by samba-tool domain join. The problem is that the UIDs/GIDs
>> assigned to built-in accounts (Administrators, Users, etc) are different
>> on the two.
>>
>> For example, BUILTIN\Administrators is 3000000 on the "second" DC,
>> while it is 3000001 on first. And 3000001 is Users on second.
>>
>> As a result, when I rsync sysvol including all the file attributes,
>> it becomes wrong in the destination, and samba-tool ntacl sysvolcheck
>> reports a lot of errors. sysvolreset fixes these, but obviously the
>> next rsync run makes them wrong again.
>>
>> The IDs should be somehow synchronized between the two machines (or
>> actually several). What's the way to do this?
>>
>> And where these IDs are stored to begin with?
>>
>> Thanks,
>>
>> /mjt
>>
>
> Known problem, the IDs on a DC (which are stored in idmap.ldb) are
> issued on a first come basis, so you are very sure to get different
> IDs on every Samba AD DC.
>
> This only really affects Sysvol, which you have to sync between DCs,
> so it is also recommended to sync idmap.ldb to all other DCs.
>
> Rowland
>

See also: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Built-in_User_.26_Group_ID_Mappings
Michael Tokarev
2022-Nov-19 11:16 UTC
[Samba] UIDs/GIDs for built-in accounts in an AD-DC domain
16.11.2022 14:31, Rowland Penny via samba wrote:
> On 16/11/2022 11:05, Michael Tokarev via samba wrote:
>> For example, BUILTIN\Administrators is 3000000 on the "second" DC,
>> while it is 3000001 on first. And 3000001 is Users on second.
> Known problem, the IDs on a DC (which are stored in idmap.ldb) are issued on a first come basis, so you are very sure to get different IDs on every
> Samba AD DC.
>
> This only really affects Sysvol, which you have to sync between DCs, so it is also recommended to sync idmap.ldb to all other DCs.

Why does this affect sysvol only? Am I right that the builtin users/groups should not be used for other files somehow? Who ensures this?

And, can I set the mapping manually, for example, by using another range, or by specifying the ID for a given entity directly?

Thanks,

/mjt