Rowland Penny
2023-Aug-19 17:50 UTC
[Samba] Get id mapping for builtin users and groups on AD DC
On Sat, 19 Aug 2023 19:33:18 +0200
Peter Milesson via samba <samba at lists.samba.org> wrote:

>
>
> On 19.08.2023 19:13, Rowland Penny via samba wrote:
> > On Sat, 19 Aug 2023 18:22:32 +0200
> > Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> Hi folks,
> >>
> >> I have got two DCs and I want to check that the builtin ids are
> >> equal on both DCs. I have searched extensively, but I have not
> >> found what tool to use to get this information.
> > I take it by 'builtin ids' you mean the users and groups stored in
> > idmap.ldb, if not can you explain further.
> >
> >> I do not use winbindd on the DCs.
> > I hope you mean that you are not setting 'winbind'
> > in /etc/nsswitch.conf and getent doesn't show your AD users.
> >
> >> I would be very grateful, if somebody could give me information
> >> about this.
> >>
> >> Best regards,
> >>
> >> Peter
> >>
> >>
> > If you are referring to idmap.ldb, then this is an ID allocating
> > system and works on a 'first come basis'. This means that when a
> > user or group contacts idmap.ldb it gets the next available ID on
> > that DC, as users or groups are unlikely to contact in exactly the
> > same order on other DCs, they will get different IDs. This means
> > that you need to sync idmap.ldb between DCs, usually from the DC
> > that holds the PDC_Emulator FSMO role to all other DCs.
> >
> > Rowland
> >
> >
> Hi Rowland,
>
> Precisely, I want to check that the contents of idmap.ldb are
> equal on the two DCs, so for example I want that a specific query for
> Administrator to both DCs doesn't return different ids. The idmap.ldb
> file on the DCs have got different sizes, which triggered my
> curiosity.

One thing I didn't mention is that there are three users/groups that always
get the same IDs, these are:

Administrator: which always gets the ID '0'
Domain Users: which always gets the ID '100'
Guest: which always gets the ID '65534'

I wouldn't worry about the difference in size, just sync idmap.ldb from
the machine that holds the PDC_Emulator role to the other DCs.

> I saw a post a while back about that, but I didn't succeed to locate
> it.
>
> I don't use winbindd on the DCs, hence there is no winbind entry in
> nsswitch.conf.

You must be using winbind on the DCs, the 'samba' daemon starts it
automatically and a DC will not work without it.

> The reason I bring up this is the fact, that I was in a hurry setting
> up a new DC and decommission an old one, and I'm now not sure that I
> also synchronized the idmap.ldb file. Otherwise DNS, rsync and other
> stuff works without any problems.

As I said, just sync idmap.ldb between the DCs.

Rowland
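A check for the question in this thread (do the two DCs' idmap.ldb tables agree?), as an added example that is neither from the thread nor part of Samba: it flattens an ldbsearch dump of each DC's idmap.ldb into SID/xidNumber pairs and lists every SID whose mapping differs or is missing, which is exactly what 'first come' allocation produces on a DC that was never synced. The idmap.ldb path is an assumption for your build, the sample dumps and domain SID are constructed, and the helper names (idmap_table, compare_idmaps, rec) are mine.

```shell
#!/bin/sh
# Compare the SID -> xidNumber tables of two DCs' idmap.ldb files (example code,
# not Samba's). Feed it the output of this command, run on each DC:
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber type
# The objectClass filter skips the CN=CONFIG allocation record; the path is the
# Debian/Ubuntu default (an assumption: adjust it for your build).

# Flatten an ldbsearch dump into sorted "SID xid type" lines, one per record.
idmap_table() {
    printf '%s\n' "$1" | awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^type: /      { typ = $2 }
        /^$/ && sid != "" { print sid, xid, typ; sid = xid = typ = "" }
        END { if (sid != "") print sid, xid, typ }' | LC_ALL=C sort
}

# Print "SID dc1=<xid/type> dc2=<xid/type>" for every SID whose mapping differs
# or exists on only one DC. Returns 0 when the tables agree, 1 otherwise.
compare_idmaps() {
    t2=$(idmap_table "$2")
    diffs=$(idmap_table "$1" | awk -v other="$t2" '
        BEGIN { n = split(other, l, "\n")
                for (i = 1; i <= n; i++) { split(l[i], f, " "); if (f[1] != "") b[f[1]] = f[2] "/" f[3] } }
        { seen[$1] = 1; mine = $2 "/" $3
          if (!($1 in b)) print $1, "dc1=" mine, "dc2=missing"
          else if (b[$1] != mine) print $1, "dc1=" mine, "dc2=" b[$1] }
        END { for (s in b) if (!(s in seen)) print s, "dc1=missing", "dc2=" b[s] }' | LC_ALL=C sort)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Constructed sample dumps (invented domain SID, not real data). The three fixed
# mappings named in the thread agree; the allocated IDs were handed out in a
# different order on DC2 ('first come basis'), and one group was never looked up there.
rec() { printf 'dn: CN=%s\nobjectSid: %s\nxidNumber: %s\ntype: %s\n\n' "$1" "$1" "$2" "$3"; }
DOM=S-1-5-21-1111-2222-3333
DC1_DUMP=$(rec $DOM-500 0 ID_TYPE_UID; rec $DOM-513 100 ID_TYPE_GID; rec $DOM-501 65534 ID_TYPE_UID
           rec $DOM-512 3000000 ID_TYPE_BOTH; rec S-1-5-32-544 3000001 ID_TYPE_BOTH
           rec $DOM-1105 3000002 ID_TYPE_BOTH)
DC2_DUMP=$(rec $DOM-500 0 ID_TYPE_UID; rec $DOM-513 100 ID_TYPE_GID; rec $DOM-501 65534 ID_TYPE_UID
           rec S-1-5-32-544 3000000 ID_TYPE_BOTH; rec $DOM-512 3000001 ID_TYPE_BOTH)

if compare_idmaps "$DC1_DUMP" "$DC2_DUMP"; then
    echo "idmap.ldb tables agree"
else
    echo "mismatch: sync idmap.ldb from the PDC emulator, then 'net cache flush' on the other DC"
fi
```

On real DCs, capture the ldbsearch output from each DC into a variable or file and pass the two dumps to compare_idmaps; a clean run (return code 0) is the confirmation asked for above.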
Peter Milesson
2023-Aug-19 18:15 UTC
[Samba] Get id mapping for builtin users and groups on AD DC
On 19.08.2023 19:50, Rowland Penny via samba wrote:
> On Sat, 19 Aug 2023 19:33:18 +0200
> Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>>
>> On 19.08.2023 19:13, Rowland Penny via samba wrote:
>>> On Sat, 19 Aug 2023 18:22:32 +0200
>>> Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I have got two DCs and I want to check that the builtin ids are
>>>> equal on both DCs. I have searched extensively, but I have not
>>>> found what tool to use to get this information.
>>> I take it by 'builtin ids' you mean the users and groups stored in
>>> idmap.ldb, if not can you explain further.
>>>
>>>> I do not use winbindd on the DCs.
>>> I hope you mean that you are not setting 'winbind'
>>> in /etc/nsswitch.conf and getent doesn't show your AD users.
>>>
>>>> I would be very grateful, if somebody could give me information
>>>> about this.
>>>>
>>>> Best regards,
>>>>
>>>> Peter
>>>>
>>>>
>>> If you are referring to idmap.ldb, then this is an ID allocating
>>> system and works on a 'first come basis'. This means that when a
>>> user or group contacts idmap.ldb it gets the next available ID on
>>> that DC, as users or groups are unlikely to contact in exactly the
>>> same order on other DCs, they will get different IDs. This means
>>> that you need to sync idmap.ldb between DCs, usually from the DC
>>> that holds the PDC_Emulator FSMO role to all other DCs.
>>>
>>> Rowland
>>>
>>>
>> Hi Rowland,
>>
>> Precisely, I want to check that the contents of idmap.ldb are
>> equal on the two DCs, so for example I want that a specific query for
>> Administrator to both DCs doesn't return different ids. The idmap.ldb
>> file on the DCs have got different sizes, which triggered my
>> curiosity.
> One thing I didn't mention is that there are three users/groups that always
> get the same IDs, these are:
>
> Administrator: which always gets the ID '0'
> Domain Users: which always gets the ID '100'
> Guest: which always gets the ID '65534'
>
> I wouldn't worry about the difference in size, just sync idmap.ldb from
> the machine that holds the PDC_Emulator role to the other DCs.
>
>> I saw a post a while back about that, but I didn't succeed to locate
>> it.
>>
>> I don't use winbindd on the DCs, hence there is no winbind entry in
>> nsswitch.conf.
> You must be using winbind on the DCs, the 'samba' daemon starts it
> automatically and a DC will not work without it.
>
>> The reason I bring up this is the fact, that I was in a hurry setting
>> up a new DC and decommission an old one, and I'm now not sure that I
>> also synchronized the idmap.ldb file. Otherwise DNS, rsync and other
>> stuff works without any problems.
> As I said, just sync idmap.ldb between the DCs.
>
> Rowland
>
>
Hi Rowland,

Thanks for the information. I forgot that winbindd is started
automatically. It's not every day I've got any reason to fiddle around
with the DCs.

If I remember correctly, you mentioned that for example the administrator
can get an id=300000 from one DC and id=300001 from the other DC, but I
assume that is if you contact the DCs from a member server.

Syncing the idmap.ldb, is it sufficient to just make a copy, or with
backup/restore?

Best regards,

Peter