Re: [Samba] Best way to generate Unix UIDs and GIDs?




On Sun, 14 Jan 2018 14:53:15 +0100
Yvan Masson via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> For a new samba domain, I need to create users and groups with Unix
> UIDs and GIDs.
> 
> In the future, it is possible that there will be a trust with other
> domains, so I need to take care that there won't be any UID/GID
> conflict. Also, I assume that in the future Samba will be able to
> restore deleted objects, so I need to avoid conflicts with those
> objects as well.
> 
> This makes me think that a good way would be to generate UIDs/GUIDs
> from SID. I know SSSD does it (apparently not ensuring
> consistency[1]), but I could not find a script that does only this.
> However, I found this python script[2] which seems to be what
> Centrify does.
> 
> What do you think about all of this?
> 
> Regards,
> Yvan
> 
> 1. https://funinit.wordpress.com/2017/09/14/integrating-red-hat-with-active-directory/
> 2. https://gist.github.com/msmorul/11217186
> 

Can I suggest you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

and this:

https://wiki.samba.org/index.php/Idmap_config_rid

winbind will do what you require, I cannot comment on [1], sssd has
NOTHING to do with Samba. I also cannot recommend using [2], from
examining the script, it would appear that it would be possible to get
the same ID for two users from different domains e.g. if we take these
two SID-RIDS:

S-1-5-21-1768301897-3342589593-1064908849-3601

S-1-5-21-2879412908-4453690604-1064908849-3601

It appears the script would take a portion of the end of the SID, add
'0' to the RID, so they could be:
06490884903601
and
06490884903601

How would Samba and Unix tell them apart?
Windows could tell the two SID-RIDs apart.

Rowland
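
The collision described in the reply above, next to the mapping used by the idmap rid backend, as an added example that is not part of the original message and is not the code from gist [2]. The suffix scheme is an approximation reconstructed from the two values quoted in the reply; the domain labels and ID ranges are constructed.

```python
# Added illustration; domain labels and ID ranges below are constructed.

def parse_sid(sid):
    """Split a domain user SID into (domain sub-authorities, RID)."""
    parts = sid.split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain user SID: " + sid)
    return tuple(int(p) for p in parts[4:7]), int(parts[7])

def suffix_id(sid):
    """Suffix scheme as described in the reply (an approximation, not the
    gist's code): last 9 digits of the final sub-authority + '0' + RID."""
    subauths, rid = parse_sid(sid)
    return str(subauths[-1])[-9:] + "0" + str(rid)

# Constructed per-domain ranges, in the spirit of
# 'idmap config DOMAIN : range = low-high' with the rid backend.
DOMAIN_RANGES = {
    (1768301897, 3342589593, 1064908849): (100000, 199999),  # "DOMA"
    (2879412908, 4453690604, 1064908849): (200000, 299999),  # "DOMB"
}

def rid_backend_id(sid, base_rid=0):
    """idmap_rid formula: ID = RID - BASE_RID + LOW_RANGE_ID, per domain."""
    subauths, rid = parse_sid(sid)
    if subauths not in DOMAIN_RANGES:
        raise ValueError("no idmap range configured for this domain")
    low, high = DOMAIN_RANGES[subauths]
    unix_id = rid - base_rid + low
    if not low <= unix_id <= high:
        raise ValueError("RID does not fit in the configured range")
    return unix_id

def find_collisions(sids, mapper):
    """Return {id: [sids]} for every ID assigned to more than one SID."""
    seen = {}
    for sid in sids:
        seen.setdefault(mapper(sid), []).append(sid)
    return {k: v for k, v in seen.items() if len(v) > 1}

SIDS = [
    "S-1-5-21-1768301897-3342589593-1064908849-3601",
    "S-1-5-21-2879412908-4453690604-1064908849-3601",
]

if __name__ == "__main__":
    print("suffix scheme:", find_collisions(SIDS, suffix_id))
    print("rid backend  :", find_collisions(SIDS, rid_backend_id))
```

Running `find_collisions` over an export of existing SIDs before choosing a mapping shows whether two accounts would share a Unix ID, which would give one user the file ownership of the other.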
