Peter Milesson
2023-Aug-19 18:15 UTC
[Samba] Get id mapping for builtin users and groups on AD DC
On 19.08.2023 19:50, Rowland Penny via samba wrote:
> On Sat, 19 Aug 2023 19:33:18 +0200 Peter Milesson via samba <samba at lists.samba.org> wrote:
>
>> On 19.08.2023 19:13, Rowland Penny via samba wrote:
>>> On Sat, 19 Aug 2023 18:22:32 +0200 Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hi folks,
>>>>
>>>> I have got two DCs and I want to check that the builtin ids are equal on both DCs. I have searched extensively, but I have not found what tool to use to get this information.
>>>
>>> I take it by 'builtin ids' you mean the users and groups stored in idmap.ldb, if not can you explain further.
>>>
>>>> I do not use winbindd on the DCs.
>>>
>>> I hope you mean that you are not setting 'winbind' in /etc/nsswitch.conf and getent doesn't show your AD users.
>>>
>>>> I would be very grateful, if somebody could give me information about this.
>>>>
>>>> Best regards,
>>>>
>>>> Peter
>>>
>>> If you are referring to idmap.ldb, then this is an ID allocating system and works on a 'first come basis'. This means that when a user or group contacts idmap.ldb it gets the next available ID on that DC, as users or groups are unlikely to contact in exactly the same order on other DCs, they will get different IDs. This means that you need to sync idmap.ldb between DCs, usually from the DC that holds the PDC_Emulator FSMO role to all other DCs.
>>>
>>> Rowland
>>
>> Hi Rowland,
>>
>> Precisely, I want to check that the contents of idmap.ldb are equal on the two DCs, so for example I want that a specific query for Administrator to both DCs doesn't return different ids. The idmap.ldb file on the DCs has got different sizes, which triggered my curiosity.
>
> One thing I didn't mention is that there are three users/groups that always get the same IDs, these are:
>
> Administrator: which always gets the ID '0'
> Domain Users: which always gets the ID '100'
> Guest: which always gets the ID '65534'
>
> I wouldn't worry about the difference in size, just sync idmap.ldb from the machine that holds the PDC_Emulator role to the other DCs.
>
>> I saw a post a while back about that, but I didn't succeed to locate it.
>>
>> I don't use winbindd on the DCs, hence there is no winbind entry in nsswitch.conf.
>
> You must be using winbind on the DCs, the 'samba' daemon starts it automatically and a DC will not work without it.
>
>> The reason I bring up this is the fact, that I was in a hurry setting up a new DC and decommissioning an old one, and I'm now not sure that I also synchronized the idmap.ldb file. Otherwise DNS, rsync and other stuff works without any problems.
>
> As I said, just sync idmap.ldb between the DCs.
>
> Rowland

Hi Rowland,

Thanks for the information. I forgot that winbindd is started automatically. It's not every day I've got any reason to fiddle around with the DCs.

If I remember correctly, you mentioned that for example the administrator can get an id=300000 from one DC and id=300001 from the other DC, but I assume that is if you contact the DCs from a member server.

Syncing the idmap.ldb, is it sufficient to just make a copy, or with backup/restore?

Best regards,

Peter
Peter Milesson
2023-Aug-19 18:45 UTC
[Samba] Get id mapping for builtin users and groups on AD DC
On 19.08.2023 20:15, Peter Milesson via samba wrote:
> On 19.08.2023 19:50, Rowland Penny via samba wrote:
>> On Sat, 19 Aug 2023 19:33:18 +0200 Peter Milesson via samba <samba at lists.samba.org> wrote:
>>
>>> On 19.08.2023 19:13, Rowland Penny via samba wrote:
>>>> On Sat, 19 Aug 2023 18:22:32 +0200 Peter Milesson via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> Hi folks,
>>>>>
>>>>> I have got two DCs and I want to check that the builtin ids are equal on both DCs. I have searched extensively, but I have not found what tool to use to get this information.
>>>>
>>>> I take it by 'builtin ids' you mean the users and groups stored in idmap.ldb, if not can you explain further.
>>>>
>>>>> I do not use winbindd on the DCs.
>>>>
>>>> I hope you mean that you are not setting 'winbind' in /etc/nsswitch.conf and getent doesn't show your AD users.
>>>>
>>>>> I would be very grateful, if somebody could give me information about this.
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Peter
>>>>
>>>> If you are referring to idmap.ldb, then this is an ID allocating system and works on a 'first come basis'. This means that when a user or group contacts idmap.ldb it gets the next available ID on that DC, as users or groups are unlikely to contact in exactly the same order on other DCs, they will get different IDs. This means that you need to sync idmap.ldb between DCs, usually from the DC that holds the PDC_Emulator FSMO role to all other DCs.
>>>>
>>>> Rowland
>>>
>>> Hi Rowland,
>>>
>>> Precisely, I want to check that the contents of idmap.ldb are equal on the two DCs, so for example I want that a specific query for Administrator to both DCs doesn't return different ids. The idmap.ldb file on the DCs has got different sizes, which triggered my curiosity.
>>
>> One thing I didn't mention is that there are three users/groups that always get the same IDs, these are:
>>
>> Administrator: which always gets the ID '0'
>> Domain Users: which always gets the ID '100'
>> Guest: which always gets the ID '65534'
>>
>> I wouldn't worry about the difference in size, just sync idmap.ldb from the machine that holds the PDC_Emulator role to the other DCs.
>>
>>> I saw a post a while back about that, but I didn't succeed to locate it.
>>>
>>> I don't use winbindd on the DCs, hence there is no winbind entry in nsswitch.conf.
>>
>> You must be using winbind on the DCs, the 'samba' daemon starts it automatically and a DC will not work without it.
>>
>>> The reason I bring up this is the fact, that I was in a hurry setting up a new DC and decommissioning an old one, and I'm now not sure that I also synchronized the idmap.ldb file. Otherwise DNS, rsync and other stuff works without any problems.
>>
>> As I said, just sync idmap.ldb between the DCs.
>>
>> Rowland
>
> Hi Rowland,
>
> Thanks for the information. I forgot that winbindd is started automatically. It's not every day I've got any reason to fiddle around with the DCs.
>
> If I remember correctly, you mentioned that for example the administrator can get an id=300000 from one DC and id=300001 from the other DC, but I assume that is if you contact the DCs from a member server.
>
> Syncing the idmap.ldb, is it sufficient to just make a copy, or with backup/restore?
>
> Best regards,
>
> Peter

I guess it's necessary to do a backup/restore, as the two DCs have different encryption keys to protect the information.

Sorry for the noise.

Peter
Rowland Penny
2023-Aug-19 18:50 UTC
[Samba] Get id mapping for builtin users and groups on AD DC
On Sat, 19 Aug 2023 20:15:34 +0200 Peter Milesson via samba <samba at lists.samba.org> wrote:
> On 19.08.2023 19:50, Rowland Penny via samba wrote:
> > On Sat, 19 Aug 2023 19:33:18 +0200 Peter Milesson via samba <samba at lists.samba.org> wrote:
> >
> >> On 19.08.2023 19:13, Rowland Penny via samba wrote:
> >>> On Sat, 19 Aug 2023 18:22:32 +0200 Peter Milesson via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hi folks,
> >>>>
> >>>> I have got two DCs and I want to check that the builtin ids are equal on both DCs. I have searched extensively, but I have not found what tool to use to get this information.
> >>>
> >>> I take it by 'builtin ids' you mean the users and groups stored in idmap.ldb, if not can you explain further.
> >>>
> >>>> I do not use winbindd on the DCs.
> >>>
> >>> I hope you mean that you are not setting 'winbind' in /etc/nsswitch.conf and getent doesn't show your AD users.
> >>>
> >>>> I would be very grateful, if somebody could give me information about this.
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Peter
> >>>
> >>> If you are referring to idmap.ldb, then this is an ID allocating system and works on a 'first come basis'. This means that when a user or group contacts idmap.ldb it gets the next available ID on that DC, as users or groups are unlikely to contact in exactly the same order on other DCs, they will get different IDs. This means that you need to sync idmap.ldb between DCs, usually from the DC that holds the PDC_Emulator FSMO role to all other DCs.
> >>>
> >>> Rowland
> >>
> >> Hi Rowland,
> >>
> >> Precisely, I want to check that the contents of idmap.ldb are equal on the two DCs, so for example I want that a specific query for Administrator to both DCs doesn't return different ids. The idmap.ldb file on the DCs has got different sizes, which triggered my curiosity.
> >
> > One thing I didn't mention is that there are three users/groups that always get the same IDs, these are:
> >
> > Administrator: which always gets the ID '0'
> > Domain Users: which always gets the ID '100'
> > Guest: which always gets the ID '65534'
> >
> > I wouldn't worry about the difference in size, just sync idmap.ldb from the machine that holds the PDC_Emulator role to the other DCs.
> >
> >> I saw a post a while back about that, but I didn't succeed to locate it.
> >>
> >> I don't use winbindd on the DCs, hence there is no winbind entry in nsswitch.conf.
> >
> > You must be using winbind on the DCs, the 'samba' daemon starts it automatically and a DC will not work without it.
> >
> >> The reason I bring up this is the fact, that I was in a hurry setting up a new DC and decommissioning an old one, and I'm now not sure that I also synchronized the idmap.ldb file. Otherwise DNS, rsync and other stuff works without any problems.
> >
> > As I said, just sync idmap.ldb between the DCs.
> >
> > Rowland
>
> Hi Rowland,
>
> Thanks for the information. I forgot that winbindd is started automatically. It's not every day I've got any reason to fiddle around with the DCs.
>
> If I remember correctly, you mentioned that for example the administrator can get an id=300000 from one DC and id=300001 from the other DC, but I assume that is if you contact the DCs from a member server.

It is usually Domain Admins that gets the '3000000' ID. The ID that any user or group gets on a Unix domain member will depend on what idmap backend is used, but it is unlikely to be in the '3000000' range unless you set it that way (not recommended).

> Syncing the idmap.ldb, is it sufficient to just make a copy, or with backup/restore?

Please follow one of the instructions here:

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

Rowland
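The check Peter asks for at the start of the thread (that the same query on both DCs returns the same IDs) can be made mechanical rather than done by eyeballing file sizes. What follows is an added example, not part of the thread and not Samba's own tooling: it reduces an `ldbsearch` dump of idmap.ldb taken on each DC to one `objectSid xidNumber type` line per record and reports every SID whose mapping differs or that exists on only one DC. The dump command and the idmap.ldb path in the comments are assumptions (the path depends on how Samba was built or packaged), and the two sample dumps are constructed, using the fixed IDs 0, 100 and 65534 that Rowland quotes plus made-up RIDs. Syncing the database itself should follow the wiki page Rowland links; this script only tells you whether a sync is needed and whether it worked.

```shell
#!/bin/sh
# Added example (not from the thread): compare the SID -> xid mappings in
# idmap.ldb on two DCs. Empty output from idmap_diff means they agree.
#
# On each DC, produce a dump of the mappings with (path assumed; the file
# lives in Samba's "private dir", which varies between builds and distros):
#   ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)' objectSid xidNumber type
# Copy both LDIF dumps to one machine, then: idmap_diff dc1.ldif dc2.ldif

# Reduce an LDIF dump on stdin to "objectSid xidNumber type" lines, one per
# record, sorted by SID in the C locale so that join(1) accepts the order.
idmap_pairs() {
    awk '
        /^objectSid: / { sid = $2 }
        /^xidNumber: / { xid = $2 }
        /^type: /      { typ = $2 }
        /^$/ && sid != "" { print sid, xid, typ; sid = xid = typ = "" }
        END { if (sid != "") print sid, xid, typ }
    ' | LC_ALL=C sort -k1,1
}

# Print every SID whose xidNumber or type differs between the two dumps, or
# which is present in only one of them (the other side shows MISSING).
# Output columns: SID, xid on DC1, type on DC1, xid on DC2, type on DC2.
idmap_diff() {
    a=$(mktemp) b=$(mktemp)
    idmap_pairs < "$1" > "$a"
    idmap_pairs < "$2" > "$b"
    LC_ALL=C join -a 1 -a 2 -e MISSING -o 0,1.2,1.3,2.2,2.3 "$a" "$b" |
        awk '$2 != $4 || $3 != $5'
    rm -f "$a" "$b"
}

# Constructed sample dumps (not real data): the domain SID 111-222-333 and the
# RIDs 1104/1105 are invented; DC2 allocated 3000001 to a group that DC1 has
# never seen, so the user with RID 1104 got a different xid on each DC.
DC1_DUMP=$(mktemp) DC2_DUMP=$(mktemp)
cat > "$DC1_DUMP" <<'EOF'
# record 1
dn: CN=S-1-5-21-111-222-333-500
objectSid: S-1-5-21-111-222-333-500
xidNumber: 0
type: ID_TYPE_BOTH

# record 2
dn: CN=S-1-5-21-111-222-333-513
objectSid: S-1-5-21-111-222-333-513
xidNumber: 100
type: ID_TYPE_GID

# record 3
dn: CN=S-1-5-21-111-222-333-501
objectSid: S-1-5-21-111-222-333-501
xidNumber: 65534
type: ID_TYPE_BOTH

# record 4
dn: CN=S-1-5-21-111-222-333-512
objectSid: S-1-5-21-111-222-333-512
xidNumber: 3000000
type: ID_TYPE_BOTH

# record 5
dn: CN=S-1-5-21-111-222-333-1104
objectSid: S-1-5-21-111-222-333-1104
xidNumber: 3000001
type: ID_TYPE_BOTH

# returned 5 records
EOF
# DC2 agrees on the first four records and differs on the rest.
sed '/^# record 5/,$d' "$DC1_DUMP" > "$DC2_DUMP"
cat >> "$DC2_DUMP" <<'EOF'
# record 5
dn: CN=S-1-5-21-111-222-333-1105
objectSid: S-1-5-21-111-222-333-1105
xidNumber: 3000001
type: ID_TYPE_BOTH

# record 6
dn: CN=S-1-5-21-111-222-333-1104
objectSid: S-1-5-21-111-222-333-1104
xidNumber: 3000002
type: ID_TYPE_BOTH

# returned 6 records
EOF

# Usage: list the mismatches between the two constructed dumps.
idmap_diff "$DC1_DUMP" "$DC2_DUMP"
```

The script compares the on-disk databases only, so run it once before copying idmap.ldb as the wiki page describes and again afterwards: the first run shows which users and groups would flip IDs on the DC being overwritten (worth knowing if anything on that DC stores Unix ownership by number), and an empty second run confirms the copy landed.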