Re: [Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
- Date: Mon, 15 Jan 2018 19:14:12 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
On Mon, 15 Jan 2018 19:51:12 +0100
Prunk Dump via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Thank again for your help !
> 2018-01-12 21:26 GMT+01:00 Rowland Penny <rpenny@xxxxxxxxx>:
> > The problem is, you are thinking in the wrong direction ;-)
> > If you give a user a uidNumber, or a group a gidNumber, these will
> > be used instead of the xidNumbers found in idmap.ldb, you do not
> > need to alter idmap.ldb at all.
> > The way ADUC works, is by using a couple of attributes, that, by
> > default Samba AD doesn't have. These are 'msSFU30MaxUidNumber' &
> > 'msSFU30MaxGidNumber' and they hold the next uidNumber & gidNumber.
> > They should be in:
> > dn:
> > CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
> > Where 'samdom' is your lowercase workgroup and
> > 'DC=samdom,DC=example,DC=com' is your realm/dns domain.
> > If you can write scripts, I am sure you can figure out how to use
> > them ;-)
> > If not, contact me off list and I will provide a sample.
> On my SAM database I have an CN=samdom,CN=ypservers entry :
> # ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
> # record 1
> objectClass: top objectClass: msSFU30DomainInfo
> cn: fichnet
> instanceType: 4
> whenCreated: 20150630144502.0Z
> whenChanged: 20150630144502.0Z
> uSNCreated: 3768
> uSNChanged: 3768
> showInAdvancedViewOnly: TRUE
> name: fichnet
> objectGUID: e1b63980-512f-451b-a2d7-c4abdbb03a3c
> yc-guillaume-fichet,DC=ac-grenoble,DC=fr msSFU30MasterServerName:
> FICHDC msSFU30OrderNumber: 10000
> msSFU30Domains: fichnet
> But there is no msSFU30MaxUidNumber and msSFU30MaxGidNumber values.
No there isn't, Samba doesn't add them, it adds everything else, just
not those two attributes. You need to add something like this:
Note, you will need to find the highest uidNumber and gidNumber, add 1
to it and replace '10000' with these numbers.
> Do you know if this current entry was created by samba or by some
> Windows administration tools ?
> Do you know if I need to add a class to add the msSFU30MaxUidNumber
> and msSFU30MaxGidNumber values ?
No you don't need add any other objectclasses
> (I don't know how to read schema specification directly inside the
> 2018-01-15 16:18 GMT+01:00 Kacper Wirski via samba
> > Hello,
> > I understand the OP, I was asking some time ago similar question,
> > but it was in relation to samba domain member. I couldn't get
> > backend: ad to work for machine accounts, so i switched to idmap:
> > rid and it solved everything. I tried manually adding UID and GID
> > to Domain Computer group and to machine accounts, but it didn't
> > seem to work properly, so I gave up especially that RID was
> > perfectly fine.
> Thanks, but I also use the others rfc2307 attributes. Not only
> uidNumber and gidNumber. So I need to keep all the rfc2307 values
> updated and I can't switch to RID. Moreover, the file system is also
> exported by NFSv4 so I need consistant ID on all the
You can add the required attributes with ldapmodify or ldbmodify, as I
said, I can supply sample scripts to show the basics.
To unsubscribe from this list go to the following URL and read the