Synchronize idmap.ldb Between Domain Controllers
Notes from Rowland Penny (Samba Team):
“You need to sync idmap.ldb from the DC holding the PDC_Emulator FSMO role to all other DCs. This ensures that all DCs will use the same IDs. If you do not sync idmap.ldb, you can and will get different IDs on each DC. […] The reason why idmap.ldb must be synced between DCs is simple. On DCs the users and groups (which are all stored in AD) are mapped to 'xidNumber' attributes in idmap.ldb, this is done so that groups (mostly) can be mapped to 'ID_TYPE_BOTH' and as such, are both groups and users. This allows groups to 'own' things in sysvol. […] For best results, sync idmap.ldb on a semi-regular basis, this will ensure that the IDs on the DCs match.”
See this article if you want further info on ID mapping.
Backup idmap.ldb on the DC Owning PDC Emulator Role
Run the following on the DC holding the FSMO PDC_Emulator role (typically the first DC you provisioned, unless you have transferred the roles).
If you don't know which DC owns the role, please see the FSMO page. Let's assume it's DC1 `192.168.0.2`.
```sh
# Install ldb-tools if it is not installed
apt-get install ldb-tools
rm -f /var/lib/samba/private/idmap.ldb.bak
tdbbackup -s .bak /var/lib/samba/private/idmap.ldb
```
Once you are happy with the result, schedule a daily cron job:
```sh
# Create idmap.ldb backup
0 3 * * * rm -f /var/lib/samba/private/idmap.ldb.bak && tdbbackup -s .bak /var/lib/samba/private/idmap.ldb >/dev/null 2>&1
```
Copy idmap.ldb to Other DCs and Check / Reset SysVol Folders
If you followed these notes from the beginning, rsync will already be installed. Otherwise, please install rsync.
You need to perform this procedure on the DCs not holding the PDC emulator role in your AD infrastructure.
This example is getting the `idmap.ldb` from `dc1`:
```sh
rsync -a dc1:/var/lib/samba/private/idmap.ldb.bak /var/lib/samba/private/idmap.ldb
net cache flush
```
After updating `idmap.ldb`, check the SysVol ACLs on the DC and reset them if needed. The following command runs `samba-tool ntacl sysvolcheck` and, only if that check fails, `samba-tool ntacl sysvolreset`:
```sh
if ! samba-tool ntacl sysvolcheck; then samba-tool ntacl sysvolreset; fi
```
Once you are happy with the result, schedule a daily cron job:
```sh
# Sync idmap.ldb
15 4 * * * rsync -a dc1:/var/lib/samba/private/idmap.ldb.bak /var/lib/samba/private/idmap.ldb && net cache flush && if ! samba-tool ntacl sysvolcheck; then samba-tool ntacl sysvolreset; fi >/dev/null 2>&1
```
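The sync step above, wrapped in a guarded script as an added example (this is not code from Caponato's notebook or from the Samba project): it refuses to run on the DC that currently holds the PDC emulator role, so the authoritative copy is never overwritten by a stale one, and it validates the fetched file before swapping it in. Assumed names: `PDC_HOST` (defaulting to `dc1` as on the page), the `.incoming` temporary file, and the check that a readable `idmap.ldb` contains the `CN=CONFIG` record with `lowerBound`.

```shell
#!/bin/sh
# Added example, not from the notebook: guarded "copy idmap.ldb to other DCs" step.
# Assumptions: PDC_HOST is dc1 (as on the page), root can rsync from it over ssh,
# and ldb-tools is installed locally.
set -eu

PDC_HOST="${PDC_HOST:-dc1}"
IDMAP="/var/lib/samba/private/idmap.ldb"

# Return 0 if the DC named in $2 owns the PDC emulator role according to the
# `samba-tool fsmo show` output passed in $1. The relevant line looks like:
#   PdcEmulationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,...
holds_pdc_role() {
    printf '%s\n' "$1" | grep '^PdcEmulationMasterRole owner:' \
        | grep -qi "CN=NTDS Settings,CN=$2,"
}

# Return 0 if $1 is a readable idmap.ldb (assumption: a good file contains the
# CN=CONFIG record that carries the xidNumber range as lowerBound/upperBound).
valid_idmap() {
    ldbsearch -H "$1" '(cn=CONFIG)' lowerBound 2>/dev/null | grep -q '^lowerBound:'
}

sync_idmap() {
    host="$(hostname -s)"
    # Never overwrite the authoritative copy: refuse to run on the PDC emulator.
    if holds_pdc_role "$(samba-tool fsmo show)" "$host"; then
        echo "$host holds the PDC emulator role; not syncing" >&2
        return 1
    fi
    tmp="$IDMAP.incoming"
    # Fetch the tdbbackup copy made on the PDC, validate it, then swap it in.
    rsync -a "$PDC_HOST:$IDMAP.bak" "$tmp"
    if ! valid_idmap "$tmp"; then
        rm -f "$tmp"
        echo "fetched idmap.ldb failed validation; keeping current file" >&2
        return 1
    fi
    mv -f "$tmp" "$IDMAP"
    net cache flush
    # Same check as on the page: reset SysVol ACLs only when they are wrong.
    if ! samba-tool ntacl sysvolcheck; then samba-tool ntacl sysvolreset; fi
}

# Run as: idmap-sync.sh sync   (e.g. from the 04:15 cron job on each non-PDC DC)
if [ "${1:-}" = "sync" ]; then sync_idmap; fi
```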
Caponato's Samba notebook.
