Peter Milesson
2023-Aug-19 17:33 UTC
[Samba] Get id mapping for builtin users and groups on AD DC
On 19.08.2023 19:13, Rowland Penny via samba wrote:
> On Sat, 19 Aug 2023 18:22:32 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> Hi folks,
>>
>> I have got two DCs and I want to check that the builtin ids are equal
>> on both DCs. I have searched extensively, but I have not found what
>> tool to use to get this information.
> I take it by 'builtin ids' you mean the users and groups stored in
> idmap.ldb, if not can you explain further.
>
>> I do not use winbindd on the DCs.
> I hope you mean that you are not setting 'winbind'
> in /etc/nsswitch.conf and getent doesn't show your AD users.
>
>> I would be very grateful, if somebody could give me information about
>> this.
>>
>> Best regards,
>>
>> Peter
>>
>>
> If you are referring to idmap.ldb, then this is an ID allocating
> system and works on a 'first come basis'. This means that when a user
> or group contacts idmap.ldb it gets the next available ID on that DC,
> as users or groups are unlikely to contact in exactly the same
> order on other DCs, they will get different IDs. This means that you
> need to sync idmap.ldb between DCs, usually from the DC that holds the
> PDC_Emulator FSMO role to all other DCs.
>
> Rowland
>
>
Hi Rowland,

Precisely, I want to check that the contents of idmap.ldb are equal on
the two DCs, so for example I want a specific query for Administrator to
both DCs not to return different ids. The idmap.ldb files on the DCs have
got different sizes, which triggered my curiosity.

I saw a post a while back about that, but I didn't succeed in locating it.

I don't use winbindd on the DCs, hence there is no winbind entry in
nsswitch.conf.

The reason I bring this up is the fact that I was in a hurry setting up a
new DC and decommissioning an old one, and I'm now not sure that I also
synchronized the idmap.ldb file. Otherwise DNS, rsync and other stuff
works without any problems.

Best regards,

Peter
Rowland Penny
2023-Aug-19 17:50 UTC
[Samba] Get id mapping for builtin users and groups on AD DC
On Sat, 19 Aug 2023 19:33:18 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>
> On 19.08.2023 19:13, Rowland Penny via samba wrote:
> > On Sat, 19 Aug 2023 18:22:32 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> I have got two DCs and I want to check that the builtin ids are
> >> equal on both DCs. I have searched extensively, but I have not
> >> found what tool to use to get this information.
> > I take it by 'builtin ids' you mean the users and groups stored in
> > idmap.ldb, if not can you explain further.
> >
> >> I do not use winbindd on the DCs.
> > I hope you mean that you are not setting 'winbind'
> > in /etc/nsswitch.conf and getent doesn't show your AD users.
> >
> >> I would be very grateful, if somebody could give me information
> >> about this.
> >>
> >> Best regards,
> >>
> >> Peter
> >>
> >>
> > If you are referring to idmap.ldb, then this is an ID allocating
> > system and works on a 'first come basis'. This means that when a
> > user or group contacts idmap.ldb it gets the next available ID on
> > that DC, as users or groups are unlikely to contact in exactly the
> > same order on other DCs, they will get different IDs. This means
> > that you need to sync idmap.ldb between DCs, usually from the DC
> > that holds the PDC_Emulator FSMO role to all other DCs.
> >
> > Rowland
> >
> >
> Hi Rowland,
>
> Precisely, I want to check that the contents of idmap.ldb are
> equal on the two DCs, so for example I want a specific query for
> Administrator to both DCs not to return different ids. The idmap.ldb
> files on the DCs have got different sizes, which triggered my
> curiosity.

One thing I didn't mention is that there are three users/groups that
always get the same IDs, these are:

Administrator: which always gets the ID '0'
Domain Users: which always gets the ID '100'
Guest: which always gets the ID '65534'

I wouldn't worry about the difference in size, just sync idmap.ldb from
the machine that holds the PDC_Emulator role to the other DCs.

>
> I saw a post a while back about that, but I didn't succeed in locating
> it.
>
> I don't use winbindd on the DCs, hence there is no winbind entry in
> nsswitch.conf.

You must be using winbind on the DCs, the 'samba' daemon starts it
automatically and a DC will not work without it.

>
> The reason I bring this up is the fact that I was in a hurry setting
> up a new DC and decommissioning an old one, and I'm now not sure that
> I also synchronized the idmap.ldb file. Otherwise DNS, rsync and other
> stuff works without any problems.

As I said, just sync idmap.ldb between the DCs.

Rowland
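One way to do the check Peter asks for, that is, find out which SIDs idmap.ldb maps to different IDs on two DCs before deciding whether a sync from the PDC_Emulator is needed. This is an added example, not code from the thread or from the Samba project. It assumes each DC's idmap.ldb has been dumped with ldbsearch (the path /var/lib/samba/private/idmap.ldb varies by distribution) and that the dumps were copied to one host; the attribute names objectSid, xidNumber and type are the ones idmap.ldb uses. The sample dumps in the script are constructed with a made-up domain SID.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): compare the SID -> xidNumber
# mapping of two idmap.ldb dumps and report every SID that maps differently.
#
# Produce one dump per DC (path is an assumption; it varies by distribution):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' \
#       objectSid xidNumber type > dc1.ldif
# then copy the dumps to one host and run: compare_idmap dc1.ldif dc2.ldif
export LC_ALL=C   # byte-wise collation so sort and join agree on ordering

# Reduce an LDIF dump to "SID xidNumber type" lines, one per entry, sorted by SID.
normalize_idmap() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^type: /      { typ = $2 }
        /^$/           { if (sid != "") print sid, xid, typ; sid = xid = typ = "" }
        END            { if (sid != "") print sid, xid, typ }
    ' "$1" | sort
}

# Print every SID whose mapping differs (or is missing on one side); return 1 if any.
compare_idmap() {
    a=$(mktemp); b=$(mktemp)
    normalize_idmap "$1" > "$a"
    normalize_idmap "$2" > "$b"
    # Full outer join on the SID; -e fills fields absent on one side with MISSING.
    if join -a 1 -a 2 -e MISSING -o 0,1.2,1.3,2.2,2.3 "$a" "$b" |
        awk '$2 != $4 || $3 != $5 { print $1, "dc1=" $2 "/" $3, "dc2=" $4 "/" $5; n++ }
             END { exit (n > 0) }'; then
        rc=0
    else
        rc=1
    fi
    rm -f "$a" "$b"
    return $rc
}

# Emit one idmap.ldb record in the shape ldbsearch prints it (requested attributes only).
ldif_entry() {
    printf 'dn: CN=%s\nobjectSid: %s\nxidNumber: %s\ntype: %s\n\n' "$1" "$1" "$2" "$3"
}

# Constructed sample: both DCs agree on the fixed builtin mappings, but they
# allocated two regular accounts in opposite order (first come, first served)
# and one account was only ever looked up on dc2.
DOM='S-1-5-21-1111111111-2222222222-3333333333'   # made-up domain SID
demo_compare() {
    d=$(mktemp -d)
    {
        ldif_entry "${DOM}-500"  0       ID_TYPE_BOTH   # Administrator
        ldif_entry "${DOM}-513"  100     ID_TYPE_BOTH   # Domain Users
        ldif_entry "${DOM}-1104" 3000000 ID_TYPE_BOTH
        ldif_entry "${DOM}-1105" 3000001 ID_TYPE_BOTH
        echo '# returned 4 records'
    } > "$d/dc1.ldif"
    {
        ldif_entry "${DOM}-500"  0       ID_TYPE_BOTH
        ldif_entry "${DOM}-513"  100     ID_TYPE_BOTH
        ldif_entry "${DOM}-1104" 3000001 ID_TYPE_BOTH   # swapped with 1105
        ldif_entry "${DOM}-1105" 3000000 ID_TYPE_BOTH
        ldif_entry "${DOM}-1106" 3000002 ID_TYPE_BOTH   # present on dc2 only
        echo '# returned 5 records'
    } > "$d/dc2.ldif"
    if compare_idmap "$d/dc1.ldif" "$d/dc2.ldif"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

# Control case: a dump compared with an identical copy reports nothing and returns 0.
demo_identical() {
    d=$(mktemp -d)
    ldif_entry "${DOM}-500" 0 ID_TYPE_BOTH > "$d/a.ldif"
    cp "$d/a.ldif" "$d/b.ldif"
    if compare_idmap "$d/a.ldif" "$d/b.ldif"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

demo_compare || true   # print the sample's differing SIDs; status ignored here
```

In the sample the builtin entries (RIDs 500 and 513) agree while the ordinary accounts do not, which is exactly the situation Rowland describes: allocation is first come, first served, so mismatches on non-builtin entries are expected on a DC that was never synced, and the remedy is copying idmap.ldb from the PDC_Emulator rather than editing IDs by hand. The non-zero exit status makes the check usable from a cron job or monitoring script.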