Re: [Samba] Best way to generate Unix UIDs and GIDs?
- Date: Mon, 15 Jan 2018 10:13:28 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Best way to generate Unix UIDs and GIDs?
On Mon, 15 Jan 2018 10:25:34 +0100
Yvan Masson via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Le 14/01/2018 à 15:51, Rowland Penny via samba a écrit :
> > Can I suggest you read this:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> > and this:
> > https://wiki.samba.org/index.php/Idmap_config_rid
> I was thinking that a good practice would be to fill uidNumber and
> guidNumber attributes in Samba AD, and that RID ID mapping would not
> be adequate for many network. After reading this doc again, and making
> apart home path, shell and gecos, it seems I was wrong and that using
> rfc2307 is not worth the effort for many setups.
> > winbind will do what you require, I cannot comment on , sssd has
> > NOTHING to do with Samba.
> I know sssd has nothing to do with Samba, but it is usually Samba
> admin that would add Unix UIDs/GIDs to AD, hence my question on this
> mailing list.
Possibly, but you don't need sssd because winbind can do most of what
sssd can do and winbind is part of Samba, sssd isn't. If you have
questions about sssd, please ask them on the sssd-users mailing list.
> I also cannot recommend using , from
> > examining the script, it would appear that it would be possible to
> > get the same ID for two users from different domains e.g. if we
> > take these two SID-RIDS:
> > S-1-5-21-1768301897-3342589593-1064908849-3601
> > S-1-5-21-2879412908-4453690604-1064908849-3601
> > It appears the script would take a portion of the end of the SID,
> > add '0' the the RID, so they could be:
> > 06490884903601
> > and
> > 06490884903601
> > How would Samba and Unix tell them apart ?
> > Windows could tell the two SID-RIDs apart.
> Thanks for spotting the weakness of this script.
> Thus I believe a perfect solution to calculate UIDs/GIDs from SID does
> not exist yet, or is not possible (no maths formula can ensure
> uniqueness of Unix IDs from SIDs across domain).
The winbind 'rid' backend calculates UID/GID from the RID:
ID = RID - BASE_RID + LOW_RANGE_ID
>From this you can see that, provided you set up smb.conf correctly, you
can get different Unix IDs for the same RID from different domains.
To unsubscribe from this list go to the following URL and read the