Re: [Samba] Convert Unix GID into Samba SID




On Mon, 04 Dec 2017 14:17:09 +0700
Olivier via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> It is time I migrate from Samba 3.6 to Samba 4.
> 
> But the classicupdate fails because there is no group defined for my
> LDAP users. Well, users have a group, but it is a Unix only group. I
> never bothered to do any group mapping between Unix and Samba 3, I
> never needed it.
> 
> I found out, a long long time ago, that the relationship between UID
> and SID is SID=2*UID+1000.
> 
> I am not sure what I should do now.
> 
> Add an SID in my groups in LDAP? If so, how to calculate the SID?

You could add the group to AD and map it to the Linux group and
depending on how your smb.conf is set up, it may get its own RID. Note
it is 'RID' not 'SID', the 'SID' is the first part of the long ID
that starts with 'S-1-5-21', the 'RID' is the last part of this ID. An
example SID-RID is S-1-5-21-1768301897-3342589593-1064908849-3601, the
'S-1-5-21-1768301897-3342589593-1064908849' identifies the domain and
'3601' is the unique number that identifies the object.

The very fact that you think 'SID=2*UID+1000' is still valid, probably
means that you have RIDs like 513 and 3010 in ldap. Time has shown that
using such low numbers wasn't a good idea.

It may be better to start with a new AD domain, rather than upgrading
your old NT4-style domain.

Rowland
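
An added example, not part of the original thread: a pre-migration audit that splits each sambaSID into the domain part and the RID as described in the reply, then marks entries that have no SID, a RID below 1000, or a RID matching the old formula. The group formula (2*GID+1001, Samba 3's algorithmic mapping), the tuple layout and the sample entries are assumptions constructed for illustration; only the domain identifier and the RIDs 513, 3010 and 3601 come from the thread.

```python
import re

RID_BASE = 1000  # Samba 3 default "algorithmic rid base"
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")

def split_sid(sid):
    """Split a domain account SID into (domain part, RID)."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return m.group(1), int(m.group(2))

def algorithmic_rid(unix_id, is_group):
    """Old formula: users 2*UID+1000; groups 2*GID+1001 (assumed, see lead-in)."""
    return 2 * unix_id + RID_BASE + (1 if is_group else 0)

def audit(entries, domain):
    """Return {name: finding} for (name, unix_id, is_group, sambaSID) tuples."""
    findings = {}
    for name, unix_id, is_group, sid in entries:
        if not sid:
            findings[name] = "no sambaSID"  # Unix-only entry, nothing to map
            continue
        dom, rid = split_sid(sid)
        if dom != domain:
            findings[name] = "foreign domain"
        elif rid < RID_BASE:
            findings[name] = "well-known RID"  # range reserved for built-ins
        elif rid == algorithmic_rid(unix_id, is_group):
            findings[name] = "algorithmic RID"  # derived from the Unix ID
        else:
            findings[name] = "allocated RID"
    return findings

# Constructed sample entries; the domain part is the example from the reply.
DOMAIN = "S-1-5-21-1768301897-3342589593-1064908849"
SAMPLE = [
    ("alice", 1005, False, DOMAIN + "-3010"),
    ("bob", 1006, False, DOMAIN + "-3601"),
    ("domusers", 513, True, DOMAIN + "-513"),
    ("staff", 100, True, None),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, DOMAIN).items():
        print(f"{name:10} {finding}")
```
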
