samba - Aug 2023 - Get id mapping for builtin users and groups on AD DC

On Sat, 19 Aug 2023 18:22:32 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
> Hi folks,
> 
> I have got two DCs and I want to check that the builtin ids are equal
> on both DCs. I have searched extensively, but I have not found what
> tool to use to get this information.
I take it by 'builtin ids' you mean the users and groups stored in
idmap.ldb, if not can you explain further.
> 
> I do not use winbindd on the DCs.
I hope you mean that you are not setting 'winbind'
in /etc/nsswitch.conf and getent doesn't show your AD users.
> 
> I would be very grateful, if somebody could give me information about
> this.
> 
> Best regards,
> 
> Peter
> 
> 
If you are referring to idmap.ldb, then this is an ID allocating
system and works on a 'first come basis'. This means that when a user
or group contacts idmap.ldb it gets the next available ID on that DC,
as users or groups are unlikely to contact in exactly the same
order on other DCs, they will get different IDs. This means that you
need to sync idmap.ldb between DCs, usually from the DC that holds the
PDC_Emulator FSMO role to all other DCs.

Rowland

On 19.08.2023 19:13, Rowland Penny via samba wrote:
> On Sat, 19 Aug 2023 18:22:32 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> I have got two DCs and I want to check that the builtin ids are equal
>> on both DCs. I have searched extensively, but I have not found what
>> tool to use to get this information.
> I take it by 'builtin ids' you mean the users and groups stored in
> idmap.ldb, if not can you explain further.
>
>> I do not use winbindd on the DCs.
> I hope you mean that you are not setting 'winbind'
> in /etc/nsswitch.conf and getent doesn't show your AD users.
>
>> I would be very grateful, if somebody could give me information about
>> this.
>>
>> Best regards,
>>
>> Peter
>>
>>
> If you are referring to idmap.ldb, then this is an ID allocating
> system and works on a 'first come basis'. This means that when a
user
> or group contacts idmap.ldb it gets the next available ID on that DC,
> as users or groups are unlikely to contact in exactly the same
> order on other DCs, they will get different IDs. This means that you
> need to sync idmap.ldb between DCs, usually from the DC that holds the
> PDC_Emulator FSMO role to all other DCs.
>
> Rowland
>   
>
Hi Rowland,

Precisely, I want to check that the the contents of idmap.ldb are equal 
on the two DCs, so for example i want that a specific query for 
Administrator to both DCs doesn't return different ids. The idmap.ldb 
file on the DCs have got different sizes, which triggered my curiosity.

I saw a post a while back about that, but I didn't succeed to locate it.

I don't use winbindd on the DCs, hence there is no winbind entry in 
nsswitch.conf.

The reason I bring up this is the fact, that I was in a hurry setting up 
a new DC and decommission an old one, and I'm now not sure that I also 
synchronized the idmap.ldb file. Otherwise DNS, rsync and other stuff 
works without any problems.

Best regards,

Peter