
Re: [Samba] User management scripts in AD mode...

On Mon, 10 Jul 2017 16:58:41 +0200
Marco Gaiarin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> I add another question, having lurked on the list these weeks. It seems to
> me that some users/groups do not have a UID/GID (I suppose,
> generically, rfc2307 data) assigned.
> E.g., looking also at your answer here, it seems that Administrator is
> better off not having a UID, and only 'domain users' and 'domain computers'
> need a UID.
> 
> After the migration with 'classicupgrade' I have:
> 
>  root@lupus:~# getent passwd | grep -i administrator
>  root@lupus:~# getent group | egrep ":5[0-9][0-9]:"
>  domain computers:*:515:

The above group doesn't really need a gidNumber, it is only used by AD.

>  domain admins:*:512:gaio,amaronese,lucaf

Ah, here is a possible problem: if you give 'Domain Admins' a gidNumber,
it just becomes a group as far as Unix is concerned, but 'Domain
Admins' needs to be a user as well to own dirs in sysvol, which is what
happens on a DC if 'Domain Admins' doesn't have a gidNumber.

>  domain guests:*:514:

This shouldn't have a gidNumber either; it is again mapped on a DC (and
on a Unix domain member by winbind).

>  domain users:*:513:amaronese,gaio

It is perfectly okay to give 'Domain Users' a gidNumber.

The main problem with the above gidNumbers is that they are all in the
'500' range. Somebody, sometime in the past, thought this was okay. Now,
with hindsight, it has proved to be a bad idea ;-)

Using such low numbers means that you cannot have ANY local Unix users.

Rowland
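As an added example (not from the thread or the Samba project), here is a small post-classicupgrade check that reads `getent group`-style lines and flags the two things Rowland points out: well-known AD groups that should not carry a gidNumber on a DC, and gidNumbers in the 5xx range. The sample input is constructed to mirror the poster's output; the list of groups to flag is taken from the reply above.

```shell
#!/bin/sh
# Constructed sample of `getent group` output (not real data from the thread).
SAMPLE_GROUPS='domain computers:*:515:
domain admins:*:512:gaio,amaronese,lucaf
domain guests:*:514:
domain users:*:513:amaronese,gaio
staff:*:10001:gaio
sudo:x:27:gaio'

# Well-known AD groups that, per the reply above, should not have a gidNumber on a DC.
NO_GID_GROUPS='domain admins
domain guests
domain computers'

# check_gids: read getent-style "name:pw:gid:members" lines on stdin and print
# one finding per line:
#   NOGID  <name>        well-known group that should not carry a gidNumber
#   LOWGID <name> <gid>  gidNumber in the 5xx range the reply warns about
check_gids() {
    while IFS=: read -r name _pw gid _members; do
        [ -n "$name" ] || continue
        if printf '%s\n' "$NO_GID_GROUPS" | grep -qxF -- "$name"; then
            printf 'NOGID %s\n' "$name"
        fi
        case "$gid" in
            5[0-9][0-9]) printf 'LOWGID %s %s\n' "$name" "$gid" ;;
        esac
    done
}

# count_findings KIND: number of findings of KIND (NOGID or LOWGID) in the sample.
count_findings() {
    printf '%s\n' "$SAMPLE_GROUPS" | check_gids | grep -c "^$1 "
}

# Stand-alone run over the constructed sample; on a real DC pipe `getent group` in instead.
printf '%s\n' "$SAMPLE_GROUPS" | check_gids
```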
