Web lists-archives.com

Re: [Samba] Verifying idmap.ldb consistency across domain controllers

On 5/8/2018 9:40 AM, Rowland Penny via samba wrote:
On Tue, 8 May 2018 09:23:42 -0400
lingpanda101 via samba <samba@xxxxxxxxxxxxxxx> wrote:

My concern is with human error and built in groups. I'm using RFC2307
on all DC's so all UID's and GID's for manually created user & groups
I should be good. I'm pretty confident for all DC's I have added to
the domain, I took the step to copy and replace idmap.ldb. If I
search for one builtin user and group and verify XID's across domain
controllers. Can I deduce I have in fact took care to copy and
replace idmap.ldb from the 1st DC? What are some tell tell signs of
idmap.ldb inconsistency? Thanks for any guidance.
The one real inconsistency would be the BUILTIN users and groups and
if it wasn't for sysvol, even this wouldn't be a problem.

Once a user or group is given a *idNumber, this will be used instead of
the xidNumber stored in idmap.ldb, so comparing a BUILTIN user or group
xidNumber in the first DCs idmap.ldb with the same data on another DC
is probably the only way of telling for sure. Having said that, it
would probably be easier to set up a cron job to sync idmap.ldb on a
regular basis.


If I setup a cron job to sync. Is it necessary to stop Samba prior to replacing idmap.ldb on the 2nd, 3rd etc. DC?


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba