On Wed, 13 Sep 2023 18:42:47 -0700
Steven Monai via samba <samba at lists.samba.org> wrote:
> On 2023-09-13 8:36 a.m., Rowland Penny via samba wrote:
> > On Wed, 13 Sep 2023 07:27:44 -0700
> > Steven Monai via samba <samba at lists.samba.org> wrote:
> >> I also have some questions about this.
> >>
> >> Firstly: In my current process for Samba AD domain deployments,
> >> when joining a machine to the domain, I copy the idmap.ldb from
> >> the DC holding the FSMO PDC_Emulator_Role to each machine joining
> >> the domain *exactly once*: at the time of the initial join. Should
> >> I *also* create a periodic process that resyncs idmap.ldb from
> >> PDC_Emulator to domain-member servers (and to DCs that do not hold
> >> FSMO roles) on a regular basis?
> >
> > From that, it sounds like you copy idmap.ldb to all Samba
> > computers, if so, then please stop doing this. You only use
> > idmap.ldb on Samba AD DCs, it is never used on Unix domain members.
>
> Got it: Only copy the idmap.ldb to DCs, never to mere domain members.
>
> [snip]
>
> >> Or is
> >> there some other event that should trigger a sync of idmap.ldb to
> >> domain members?
> >
> > Just in case you haven't got it yet, there is nothing that will or
> > should trigger the sync of idmap.ldb to a Unix domain member.
>
> Of course. That is implied by your answer to my first question.
>
> >> And finally: What is meant by "it shouldn't be needed every time"?
> >> Are there instances where a domain-join does not require syncing
> >> idmap.ldb to the joining machine?
> >
> > There are domain joins and then there are domain joins.
>
> Yes, I get that. Joining a DC is different from joining a mere member.
>
> [snip]
>
> > The reason why idmap.ldb must be synced between DCs is simple. On
> > DCs the users and groups (which are all stored in AD) are mapped to
> > 'xidNumber' attributes in idmap.ldb, this is done so that groups
> > (mostly) can be mapped to 'ID_TYPE_BOTH' and as such, are both
> > groups and users, this allows groups to 'own' things in sysvol.
> >
> > If there is anything else that you don't understand or I haven't
> > explained fully, please ask.
>
> Okay:
>
> So, in my current process for Samba AD domain deployments, when
> joining a machine as a new DC to the domain, I copy the idmap.ldb
> from the DC holding the PDC_Emulator role to the new DC *exactly
> once*, at the time the join is created. Should I *also* create a
> periodic process that re-syncs idmap.ldb from the PDC_Emulator DC to
> the other DCs on a regular basis? Or should the one-time sync at
> join-creation time be good enough?
>
> Thank you for your time.
>
> -S.M.
>
>
Once may be enough, but then again it might not be. Sorry if I sound a
bit woolly here, but some of this will depend on how long the first DC
has been running and if the various users & groups have become known to
it. For best results, sync idmap.ldb on a semi-regular basis; this will
ensure that the IDs on the DCs match.
Rowland
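An added example (not from the thread or from Samba itself) of the drift check that the periodic sync above is meant to make unnecessary: it parses LDIF dumps of idmap.ldb from two DCs, in the shape `ldbsearch -H idmap.ldb` prints them, and reports SIDs whose `xidNumber` or `type` differ, or that only one DC knows. The domain SID, RIDs and ID values are constructed for illustration.

```python
import re
from typing import Dict, Tuple

BASE = "S-1-5-21-1111-2222-3333"  # constructed domain SID, not a real one

def ldif_record(rid: int, id_type: str, xid: int) -> str:
    """One sidMap record in the shape `ldbsearch -H idmap.ldb` prints it."""
    sid = f"{BASE}-{rid}"
    return (f"dn: CN={sid}\nobjectClass: sidMap\nobjectSid: {sid}\n"
            f"type: {id_type}\nxidNumber: {xid}\n")

# Constructed dumps: DC2's copy has drifted since the one-time copy at join time.
PDC_DUMP = "\n".join([ldif_record(512, "ID_TYPE_BOTH", 3000000),
                      ldif_record(513, "ID_TYPE_BOTH", 3000001),
                      "# returned 2 records\n"])
DC2_DUMP = "\n".join([ldif_record(512, "ID_TYPE_BOTH", 3000005),   # different xid
                      ldif_record(1106, "ID_TYPE_UID", 3000001),   # unknown to the PDC
                      "# returned 2 records\n"])

def parse_idmap_ldif(text: str) -> Dict[str, Tuple[str, int]]:
    """Map each objectSid in an idmap.ldb dump to its (type, xidNumber)."""
    mapping = {}
    for record in re.split(r"\n\s*\n", text.strip()):   # records are blank-line separated
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # ldbsearch comments and the "# returned N records" footer
            key, value = line.split(": ", 1)
            attrs[key] = value.strip()
        if attrs.get("objectClass") == "sidMap":  # ignore anything that is not a mapping
            mapping[attrs["objectSid"]] = (attrs["type"], int(attrs["xidNumber"]))
    return mapping

def compare_idmaps(ref: dict, other: dict) -> Dict[str, list]:
    """SIDs mapped differently on the two DCs, plus SIDs known to only one of them."""
    shared = ref.keys() & other.keys()
    return {
        "mismatch": sorted(s for s in shared if ref[s] != other[s]),
        "only_ref": sorted(ref.keys() - other.keys()),
        "only_other": sorted(other.keys() - ref.keys()),
    }

if __name__ == "__main__":
    print(compare_idmaps(parse_idmap_ldif(PDC_DUMP), parse_idmap_ldif(DC2_DUMP)))
```

Any SID in `mismatch` means files in sysvol owned by that group or user carry different numeric IDs on the two DCs, which is exactly the condition a resync from the PDC Emulator corrects.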