When you join a Linux server to a domain, winbind maps Windows SIDs to Linux UIDs (for users) and GIDs (for groups). When you join another server to the same domain it will map the same SIDs, but possibly to different numbers (the enumeration of users and groups might happen in a different order due to network timing, new users, edits, etc.). This will cause permissions to break. For example, imagine copying a folder from the first server to the second server while preserving permissions: what gets preserved is the UIDs and GIDs, i.e. just the numbers. But each server probably maps those UIDs and GIDs to different Windows users and groups (SIDs), so the permissions might not work or might work unpredictably. So you will see different users and groups when you run “ls -lisah” on the destination (incorrect users and groups, and thus broken permissions). The solution is to copy the user ID map from one server to the other: export on one server and import on the other.

Get idmap from the source (where the idmaps are good):

# net idmap dump > {x}
or
# net idmap dump /var/lib/samba/winbindd_idmap.tdb > {x}

NOTE: if you don't specify /var/lib/samba/winbindd_idmap.tdb that's okay, because it defaults to that file, as that's where the ID mappings are stored.

Replace {x} with the filename you want to back up to (such as /root/idmap.backups).

Now copy that file to your destination server.

Now on the destination (where you're putting these ID mappings):

Once you have exported the domain ID map, run the following commands to import it on your Samba file server.

Stop winbind

If running systemd:

# systemctl stop winbind 

OR if running sysvinit (debian/ubuntu):

# service winbind stop

Make a backup of the current winbind idmaps

# mv /var/lib/samba/winbindd_idmap.tdb /var/lib/samba/winbindd_idmap.tdb.orig

NOTE: /var/lib/samba/winbindd_idmap.tdb.orig is now the backup of your old ID maps.

NOTE: you can also make a text backup like this; this is optional:

# net idmap dump /var/lib/samba/winbindd_idmap.tdb > {y}

Where {y} is a new file that is a “net idmap” dump of the destination box's original ID maps.

Place the domain ID map in your data volume via SMB and then replace {x} with the path to your domain ID map. Use ONE of the two following commands as both give the same result. Do not run both.

# net idmap restore {x}

OR

# net idmap restore /var/lib/samba/winbindd_idmap.tdb < {x}

NOTE: if you don't specify /var/lib/samba/winbindd_idmap.tdb that's okay, because it assumes you want to write to that file.

After running those commands, run “net cache flush”, otherwise your filesystem's users will still show up wrong in “ls -lisah”. Flushing the cache forces the stale name lookups to be redone, so when you run “ls -lisah” you will see the correct users and groups.

# net cache flush

Now start winbind back up

If running systemd:

# systemctl start winbind

OR if running sysvinit (debian/ubuntu):

# service winbind start

FINALLY: now all of your correct user IDs should show up when you do “ls -lisah”; if not, just reboot and you will be good to go.
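As an added check that is not part of the original post: before copying data between two joined servers, dump the ID map on both (with “net idmap dump” as above) and compare the two text files. The script below lists every SID that the two servers map to a different UID/GID, or that the destination lacks, which is exactly the mismatch that breaks permissions. The sample dumps are constructed, and the “TYPE NUMBER SID” line layout is assumed to be what “net idmap dump” prints on your Samba version.

```shell
#!/bin/sh
# Compare two `net idmap dump` text files and list every SID that the two
# servers map to a different UID/GID (or that the destination lacks).
# Output per line: SID  source-mapping  destination-mapping

idmap_mismatches() {
    # $1 = dump from the source server, $2 = dump from the destination server
    awk '
        # first file: remember TYPE:NUMBER per SID (skip USER/GROUP HWM lines)
        FNR == NR { if ($1 == "UID" || $1 == "GID") src[$3] = $1 ":" $2; next }
        # second file: same, for the destination
        $1 == "UID" || $1 == "GID" { dst[$3] = $1 ":" $2 }
        END {
            for (sid in src) {
                if (!(sid in dst))             print sid, src[sid], "MISSING"
                else if (src[sid] != dst[sid]) print sid, src[sid], dst[sid]
            }
        }' "$1" "$2" | sort
}

# Constructed sample dumps (not from real servers), in the "TYPE NUMBER SID"
# layout assumed for `net idmap dump`. The destination enumerated the two
# users in the opposite order and never saw the second group, which is the
# situation the post describes.
SRC_DUMP=$(mktemp)
DST_DUMP=$(mktemp)
cat > "$SRC_DUMP" <<'EOF'
USER HWM 10002
GROUP HWM 10002
UID 10000 S-1-5-21-1111-2222-3333-1103
UID 10001 S-1-5-21-1111-2222-3333-1104
GID 10000 S-1-5-21-1111-2222-3333-513
GID 10001 S-1-5-21-1111-2222-3333-1105
EOF
cat > "$DST_DUMP" <<'EOF'
USER HWM 10002
GROUP HWM 10001
UID 10000 S-1-5-21-1111-2222-3333-1104
UID 10001 S-1-5-21-1111-2222-3333-1103
GID 10000 S-1-5-21-1111-2222-3333-513
EOF

idmap_mismatches "$SRC_DUMP" "$DST_DUMP"
# Prints 3 lines:
# S-1-5-21-1111-2222-3333-1103 UID:10000 UID:10001
# S-1-5-21-1111-2222-3333-1104 UID:10001 UID:10000
# S-1-5-21-1111-2222-3333-1105 GID:10001 MISSING
```

An empty result means the two maps agree and files copied with preserved permissions will resolve to the same domain users and groups on both boxes.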

One thought on “Exporting & Importing Winbind User Maps for Samba (for Backup & Restore of User maps)”
