Stefan G. Weichinger
2024-Dec-17 08:01 UTC
[Samba] preparing for a new site with an extra domain controller
On 16.12.24 at 12:23, Rowland Penny via samba wrote:
> On Mon, 16 Dec 2024 10:33:59 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>> 1) sync it at first
>> 2) do not sync it every time with sysvol
>> 3) sync it periodically
>
> I am now not entirely convinced that '3' is required if you only use
> the DC in the recommended way, that is only for authentication and no
> shares other than sysvol & netlogon.

I run them this way.

> The 'idmap_ldb' backend, that a DC uses, allocates the IDs on a first
> come basis and because the AD admin users & groups generally do not get
> the same IDs on all DCs, then you need to ensure that these users &
> groups have the same IDs on all DCs. The way to do this is to sync
> idmap.ldb from the DC that holds the 'main' Sysvol to all others. Now,
> as the users that you want to have the same IDs on all DCs only get
> their ID once, it doesn't really matter that your main users have
> different IDs, they aren't really used on the DCs, Windows and Unix
> domain members ensure they are known on those machines.

Does /var/lib/samba/private/idmap.ldb (path on debian) contain all the users?

If I don't resync it I assume it is updated by the ad-replication within samba, right? Otherwise new users wouldn't be distributed.

(just wondering)

OK, I will start that third DC as I did start the second: run steps 1) and 2)

thanks!
Rowland Penny
2024-Dec-17 08:50 UTC
[Samba] preparing for a new site with an extra domain controller
On Tue, 17 Dec 2024 09:01:55 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 16.12.24 at 12:23, Rowland Penny via samba wrote:
> > On Mon, 16 Dec 2024 10:33:59 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> >> 1) sync it at first
> >> 2) do not sync it every time with sysvol
> >> 3) sync it periodically
> >
> > I am now not entirely convinced that '3' is required if you only use
> > the DC in the recommended way, that is only for authentication and
> > no shares other than sysvol & netlogon.
>
> I run them this way.
>
> > The 'idmap_ldb' backend, that a DC uses, allocates the IDs on a
> > first come basis and because the AD admin users & groups generally
> > do not get the same IDs on all DCs, then you need to ensure that
> > these users & groups have the same IDs on all DCs. The way to do
> > this is to sync idmap.ldb from the DC that holds the 'main' Sysvol
> > to all others. Now, as the users that you want to have the same IDs
> > on all DCs only get their ID once, it doesn't really matter that
> > your main users have different IDs, they aren't really used on the
> > DCs, Windows and Unix domain members ensure they are known on those
> > machines.
>
> Does /var/lib/samba/private/idmap.ldb (path on debian) contain all
> the users?

Yes, this is me on a DC:

adminuser at rpidc1:~ $ getent passwd rowland
SAMDOM\rowland:*:3000020:100:Rowland Penny:/home/SAMDOM/rowland:/bin/bash

And in idmap.ldb:

dn: CN=S-1-5-21-627072207-2265849604-124128874-1104
cn: S-1-5-21-627072207-2265849604-124128874-1104
objectClass: sidMap
objectSid: S-1-5-21-627072207-2265849604-124128874-1104
type: ID_TYPE_BOTH
xidNumber: 3000020
distinguishedName: CN=S-1-5-21-627072207-2265849604-124128874-1104

Now it wouldn't matter if that 'xidNumber' is different on the other DCs because I have no shares on the DC (and I don't think it would matter if there were) because Samba knows who I am, notice my name isn't in idmap.ldb

> If I don't resync it I assume it is updated by the ad-replication
> within samba, right? Otherwise new users wouldn't be distributed.

Yes, but they are replicated in sam.ldb, so the local machine knows who the SID is.

> (just wondering)
>
> OK, I will start that third DC as I did start the second: run steps
> 1) and 2)
>
> thanks!

No Problem.

Rowland
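Added example, not code from any poster in this thread: the point Rowland makes is that idmap.ldb maps SIDs to xidNumbers on a first-come basis per DC, so the same SID can carry a different xidNumber on each DC, and the same xidNumber can even belong to different SIDs on two DCs. When sysvol is copied between DCs with its Unix ownership, that second case is the one that matters, because a uid/gid on the receiving DC then resolves to a different principal than it did on the source. The script below compares two dumps and reports both conditions, so an admin can decide whether step 3 (periodic re-sync) is actually needed. The two dumps are constructed by hand in the LDIF layout that `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'` prints (records separated by blank lines, `#` comment lines); only the -1104 record mirrors the shape shown above, the other records and their xidNumbers are invented, and the well-known RIDs 512/513 and S-1-5-32-544 are used only as plausible sample SIDs.

```python
"""Detect idmap.ldb drift between two Samba AD DCs (added example).

The dumps below are constructed by hand in the LDIF layout that
`ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'`
prints. They are not real dumps; cn/distinguishedName attributes are elided.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

DOM = "S-1-5-21-627072207-2265849604-124128874"  # domain SID seen in the thread

# Constructed dump from the DC that holds the 'main' sysvol.
DC1_DUMP = f"""\
# record 1
dn: CN={DOM}-1104
objectClass: sidMap
objectSid: {DOM}-1104
type: ID_TYPE_BOTH
xidNumber: 3000020

# record 2
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 3
dn: CN={DOM}-512
objectClass: sidMap
objectSid: {DOM}-512
type: ID_TYPE_BOTH
xidNumber: 3000001

# returned 3 records
"""

# Constructed dump from a newly joined DC that allocated IDs in another order.
DC2_DUMP = f"""\
# record 1
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

# record 2
dn: CN={DOM}-513
objectClass: sidMap
objectSid: {DOM}-513
type: ID_TYPE_BOTH
xidNumber: 3000001

# record 3
dn: CN={DOM}-512
objectClass: sidMap
objectSid: {DOM}-512
type: ID_TYPE_BOTH
xidNumber: 3000002

# returned 3 records
"""


@dataclass(frozen=True)
class SidMap:
    sid: str
    xid: int
    id_type: str


def parse_idmap_ldif(text: str) -> Dict[str, SidMap]:
    """Parse ldbsearch LDIF output into {objectSid: SidMap}, keeping sidMap records only."""
    mappings: Dict[str, SidMap] = {}
    record: Dict[str, str] = {}

    def flush() -> None:
        if record.get("objectClass") == "sidMap" and "objectSid" in record:
            sid = record["objectSid"]
            mappings[sid] = SidMap(sid, int(record["xidNumber"]), record.get("type", ""))
        record.clear()

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:          # blank line ends a record
            flush()
            continue
        if line.startswith("#"):  # '# record N' / '# returned N records'
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    flush()
    return mappings


def compare_idmaps(ref: Dict[str, SidMap], other: Dict[str, SidMap]) -> Dict[str, list]:
    """Report where `other` disagrees with the reference DC's idmap.ldb.

    mismatched: same SID, different xidNumber on the two DCs.
    collisions: same xidNumber bound to different SIDs, i.e. a sysvol file
                owned by that uid/gid would resolve to another principal.
    only_in_*:  SIDs that have been allocated an xid on one DC only.
    """
    mismatched: List[Tuple[str, int, int]] = sorted(
        (sid, ref[sid].xid, other[sid].xid)
        for sid in ref.keys() & other.keys()
        if ref[sid].xid != other[sid].xid
    )
    xid_to_sid_other = {m.xid: m.sid for m in other.values()}
    collisions: List[Tuple[int, str, str]] = sorted(
        (m.xid, m.sid, xid_to_sid_other[m.xid])
        for m in ref.values()
        if m.xid in xid_to_sid_other and xid_to_sid_other[m.xid] != m.sid
    )
    return {
        "mismatched": mismatched,
        "collisions": collisions,
        "only_in_ref": sorted(ref.keys() - other.keys()),
        "only_in_other": sorted(other.keys() - ref.keys()),
    }


def needs_sync(report: Dict[str, list]) -> bool:
    """True when the two DCs would interpret sysvol ownership differently."""
    return bool(report["mismatched"] or report["collisions"])


def dc1_vs_dc2() -> Dict[str, list]:
    """Run the comparison over the two constructed dumps."""
    return compare_idmaps(parse_idmap_ldif(DC1_DUMP), parse_idmap_ldif(DC2_DUMP))


if __name__ == "__main__":
    report = dc1_vs_dc2()
    for key, rows in report.items():
        print(f"{key}: {rows}")
    print("re-sync idmap.ldb from the main DC:", needs_sync(report))
```

On a real deployment the two dumps would come from running `ldbsearch` on each DC (as root, since idmap.ldb is only readable by root) and the report tells you whether copying idmap.ldb from the main DC is still needed; "only_in_*" entries on their own are harmless, they just mean a principal has not yet touched that DC.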
Luis Peromarta
2024-Dec-17 10:03 UTC
[Samba] preparing for a new site with an extra domain controller
This is how I do it.

http://samba.bigbird.es/doku.php?id=samba:sync-idmap.ldb

On Dec 17, 2024 at 09:02 +0100, Stefan G. Weichinger via samba <samba at lists.samba.org>, wrote:
> On 16.12.24 at 12:23, Rowland Penny via samba wrote:
> > On Mon, 16 Dec 2024 10:33:59 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> > > 1) sync it at first
> > > 2) do not sync it every time with sysvol
> > > 3) sync it periodically
> >
> > I am now not entirely convinced that '3' is required if you only use
> > the DC in the recommended way, that is only for authentication and no
> > shares other than sysvol & netlogon.
>
> I run them this way.
>
> > The 'idmap_ldb' backend, that a DC uses, allocates the IDs on a first
> > come basis and because the AD admin users & groups generally do not get
> > the same IDs on all DCs, then you need to ensure that these users &
> > groups have the same IDs on all DCs. The way to do this is to sync
> > idmap.ldb from the DC that holds the 'main' Sysvol to all others. Now,
> > as the users that you want to have the same IDs on all DCs only get
> > their ID once, it doesn't really matter that your main users have
> > different IDs, they aren't really used on the DCs, Windows and Unix
> > domain members ensure they are known on those machines.
>
> Does /var/lib/samba/private/idmap.ldb (path on debian) contain all the
> users?
>
> If I don't resync it I assume it is updated by the ad-replication within
> samba, right? Otherwise new users wouldn't be distributed.
>
> (just wondering)
>
> OK, I will start that third DC as I did start the second: run steps 1)
> and 2)
>
> thanks!