On Wed, 13 Sep 2023 07:27:44 -0700
Steven Monai via samba <samba at lists.samba.org> wrote:
> On 2023-09-13 6:49 a.m., Rowland Penny via samba wrote:
> > On Wed, 13 Sep 2023 13:13:24 +0000
> > bd730c5053df9efb via samba <samba at lists.samba.org> wrote:
> >
> >> I'm going to piggyback on this answer and ask something that
I've
> >> been wondering. Is the idmap.ldb sync mentioned in the linked page
> >> a one time thing before you replicate the sysvol or is it
> >> something you should do periodically? If so, how often?
> >>
> >
> > It needs to be done initially and then on a regular basis, though it
> > shouldn't be needed every time.
>
> I also have some questions about this.
>
> Firstly: In my current process for Samba AD domain deployments, when
> joining a machine to the domain, I copy the idmap.ldb from the DC
> holding the FSMO PDC_Emulator_Role to each machine joining the domain
> *exactly once*: at the time of the initial join. Should I *also*
> create a periodic process that resyncs idmap.ldb from PDC_Emulator to
> domain-member servers (and to DCs that do not hold FSMO roles) on a
> regular basis?
From that, it sounds like you copy idmap.ldb to all Samba computers, if
so, then please stop doing this. You only use idmap.ldb on Samba AD
DCs, it is never used on Unix domain members.
>
> Secondly: If yes to my first question: How often should idmap.ldb be
> synced to member servers?
Never, you only sync idmap.ldb to Samba AD DCs.
> What is a reasonable time period?
Never.
> Or is
> there some other event that should trigger a sync of idmap.ldb to
> domain members?
Just in case you haven't got it yet, there is nothing that will or
should trigger the sync of idmap.ldb to a Unix domain member.
>
> And finally: What is meant by "it shouldn't be needed every
time"?
> Are there instances where a domain-join does not require syncing
> idmap.ldb to the joining machine?
There are domain joins and then there are domain joins.
If you require another DC, then you can 'join' a computer as a DC, this
is when you should sync idmap.ldb from the first DC.
If you require a fileserver or a printserver, then you can join a
computer as a Unix domain member. This will not be able to authenticate
anything, in fact it will authenticate from the DC(s) and you do not
sync idmap.ldb to this computer.
The reason why idmap.ldb must be synced between DCs is simple. On DCs
the users and groups (which are all stored in AD) are mapped to
'xidNumber' attributes in idmap.ldb, this is done so that groups
(mostly) can be mapped to 'ID_TYPE_BOTH' and as such, are both groups
and users, this allows groups to 'own' things in sysvol.
If there is anything else that you don't understand or I haven't
explained fully, please ask.
Rowland