When you join one Linux server to a domain, winbind maps Windows SIDs to Linux UIDs (for users) and GIDs (for groups). When you join another server to the same domain it will map the same SIDs, but possibly to different numbers (iteration over users and groups may happen in a different order because of network timing, new users, edits, etc.). This will cause permissions to not work. For example, imagine copying a folder from the first server to the second server while preserving permissions: only the numeric UIDs and GIDs are preserved. Each server probably maps those UIDs and GIDs to different Windows users and groups (SIDs), so the permissions might not work, or might work unpredictably. You will see different users and groups when you run “ls -lisah” on the destination (incorrect users and groups, and thus broken permissions). The solution is to copy the user ID map from one server to the other: export on one server and import on the other.

Get idmap from the source (where the idmaps are good):

NOTE: if you don't specify /var/lib/samba/winbindd_idmap.tdb that's okay, because the command defaults to that file, as that's where the ID mappings are stored.

Replace {x} with the filename you want to backup to (such as /root/idmap.backups)

Now get that file to your destination

Now on the destination (where you're putting these ID mappings):

Once you have exported the domain ID map, you can run the following commands to import it into your Samba file server.

Stop winbind

If running systemd:

OR if running sysvinit (debian/ubuntu):

Make a backup of the current winbind idmaps

NOTE: /var/lib/samba/winbindd_idmap.tdb.orig is now the backup of your old ID maps.

NOTE: you can also make a backup like this (optional):

Where {y} is a new file that is a “net idmap” dump of the destination box's original ID maps.

Place the domain ID map in your data volume via SMB and then replace {x} with the path to your domain ID map. Use ONE of the two following commands as both give the same result. Do not run both.

OR

NOTE: if you don't specify /var/lib/samba/winbindd_idmap.tdb that's okay, because the command assumes you want to modify that file.

After running those commands, run “net cache flush”; otherwise the filesystem's users will still show up wrong when you run “ls -lisah”. Flushing the cache forces winbind to drop its cached lookups, so “ls -lisah” shows the correct users and groups.

Now start winbind back up

If running systemd:

OR if running sysvinit (debian/ubuntu):

FINALLY: you should now see all of the correct user IDs when you run “ls -lisah”; if not, just reboot and you will be good to go.
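The whole export/import procedure above as one script, added here as an example that is not part of the original post. It assumes Samba's “net” tool, the tdb path named in the post and a service/unit named “winbind” (the name varies by distribution), and adds a “diff_idmaps” check that compares the two servers' dumps before anything is imported.

```shell
# Added example, not from the original post: export the winbind ID map on the
# source server, compare it with the destination's, then import it there.
# Assumes Samba's "net", the tdb path named in the post, and a service named
# "winbind" (the unit/service name varies by distribution).
set -eu

IDMAP_TDB="${IDMAP_TDB:-/var/lib/samba/winbindd_idmap.tdb}"

winbind_ctl() {  # stop|start winbind via systemd when present, else sysvinit
    if command -v systemctl >/dev/null 2>&1; then
        systemctl "$1" winbind
    else
        service winbind "$1"
    fi
}

# Source server: dump the SID <-> UID/GID mappings to the text file {x}.
export_idmap() {  # usage: export_idmap /root/idmap.backups
    net idmap dump "$IDMAP_TDB" > "$1"
    grep -q '^[UG]ID [0-9][0-9]* S-1-' "$1"  # abort if the dump has no mappings
}

# Print SIDs mapped to a different UID/GID in the two dumps (the identities
# whose permissions break on copied files); returns 1 if any differ.
diff_idmaps() {  # usage: diff_idmaps source.txt destination.txt
    awk '
        /^[UG]ID / { if (FILENAME == ARGV[1]) src[$3] = $1 " " $2; else dst[$3] = $1 " " $2 }
        END {
            n = 0
            for (sid in src)
                if ((sid in dst) && dst[sid] != src[sid]) {
                    printf "%s: source %s, destination %s\n", sid, src[sid], dst[sid]
                    n++
                }
            exit (n > 0)
        }' "$1" "$2"
}

# Destination server: stop winbind, keep a .orig copy and a text dump of the old
# map, load the exported map into the default tdb, flush the cache, restart.
import_idmap() {  # usage: import_idmap /path/to/idmap.backups
    winbind_ctl stop
    cp -p "$IDMAP_TDB" "$IDMAP_TDB.orig"
    net idmap dump "$IDMAP_TDB" > "$IDMAP_TDB.orig.txt"
    net idmap restore < "$1"
    net cache flush
    winbind_ctl start
}
```

Run “export_idmap” on the source, copy the file over, run “diff_idmaps” against a fresh dump of the destination to see which SIDs would change, then “import_idmap” on the destination.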
