Web lists-archives.com

Re: [Samba] Verifying idmap.ldb consistency across domain controllers




On Tue, 8 May 2018 09:23:42 -0400
lingpanda101 via samba <samba@xxxxxxxxxxxxxxx> wrote:

> My concern is with human error and built in groups. I'm using RFC2307
> on all DC's so all UID's and GID's for manually created user & groups
> I should be good. I'm pretty confident for all DC's I have added to
> the domain, I took the step to copy and replace idmap.ldb. If I
> search for one builtin user and group and verify XID's across domain
> controllers. Can I deduce I have in fact took care to copy and
> replace idmap.ldb from the 1st DC? What are some tell tell signs of
> idmap.ldb inconsistency? Thanks for any guidance.

The one real inconsistency would be the BUILTIN users and groups and
if it wasn't for sysvol, even this wouldn't be a problem.

Once a user or group is given a *idNumber, this will be used instead of
the xidNumber stored in idmap.ldb, so comparing a BUILTIN user or group
xidNumber in the first DCs idmap.ldb with the same data on another DC
is probably the only way of telling for sure. Having said that, it
would probably be easier to set up a cron job to sync idmap.ldb on a
regular basis.

Rowland
 


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba