[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 1 11:11:16 MST 2014


On 01/12/14 17:46, steve wrote:
> On 01/12/14 18:25, Rowland Penny wrote:
>> On 01/12/14 17:16, steve wrote:
>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>> On 01/12/14 17:09, steve wrote:
>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>>>>>>
>>>>>>>
>>>>>>>> I do what windows does, it ignores the RID (what you call 'the 
>>>>>>>> last
>>>>>>>> set
>>>>>>> of digits from SID') and uses a builtin mechanism to store the next
>>>>>>> uid &
>>>>>>> gidNumber.
>>>>>>
>>>>>>
>
>
> Take this dangerously incorrect fact:
>>>>>> The builtin users/groups use the RID for the GID/UID.
> No.
>
>
>>>>>
>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is 300000?
>>>>>
>>>>>
>>>> No, it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>
>>>> Rowland
>>>>
>>> English please. Notice the question mark after the last '0';)
>>
>> I thought I was speaking (well typing) English :-D
>>
>> Let's put it this way, samba4 gets the RID for Administrators
>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
>> in idmap.ldb.
>>
>> Does that answer all questions ??????
>>
>> Rowland
>
>

In the context of the OP's statement, he was sort of correct: the
builtin user/group RIDs are used to get to the ID numbers.

Take Administrators for example:

RID 'S-1-5-32-544'
Winbind gets this, it is meaningless on Unix, so it gets mapped to an 
xidNumber '3000000'

This xidNumber is used as the group's gidNumber

The xidNumber is stored in idmap.ldb

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

If you run 'getfacl /var/lib/samba/sysvol/', you get this:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Now what part of the above is wrong ??

Rowland
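
Added example, not part of the message above and not Samba's own code: the lookup the message walks through, run in reverse, resolving the numeric IDs in getfacl output back to SIDs via sidMap records. It assumes idmap.ldb has been dumped to LDIF text; load_idmap and resolve_acl are hypothetical helper names, and only the one record quoted in the message is supplied, so every other ID is reported as unmapped.

```python
import re

# Constructed input: the sidMap record and a shortened copy of the getfacl
# output quoted in the message (an LDIF dump of idmap.ldb is assumed).
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
"""
GETFACL_OUT = """\
# file: var/lib/samba/sysvol/
# group: 3000000
user:root:rwx
group:3000000:rwx
group:3000001:r-x
default:group:3000000:rwx
default:group:3000001:r-x
"""
ACL_ENTRY = re.compile(r"^(default:)?(user|group):(\d+):([rwx-]{3})$")
ALLOWED = {"user": {"ID_TYPE_UID", "ID_TYPE_BOTH"},
           "group": {"ID_TYPE_GID", "ID_TYPE_BOTH"}}

def load_idmap(ldif):
    """Return {xidNumber: (objectSid, type)} for each sidMap record."""
    table = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            table[int(attrs["xidNumber"])] = (attrs["objectSid"], attrs.get("type"))
    return table

def resolve_acl(getfacl_text, idmap):
    """Return (entry, sid) per numeric ACL entry; sid is None if unmapped."""
    resolved = []
    for line in getfacl_text.splitlines():
        m = ACL_ENTRY.match(line.strip())
        if not m:
            continue  # comment lines, named principals, mask and other
        sid, id_type = idmap.get(int(m.group(3)), (None, None))
        if id_type not in ALLOWED[m.group(2)]:
            sid = None  # no record, or record is the wrong kind for this entry
        resolved.append((line.strip(), sid))
    return resolved

if __name__ == "__main__":
    for entry, sid in resolve_acl(GETFACL_OUT, load_idmap(IDMAP_LDIF)):
        print(f"{entry:32} {sid or 'UNMAPPED in supplied idmap records'}")
```

An entry that comes back unmapped is worth checking when auditing sysvol permissions: either the idmap dump is incomplete or the ACL names an ID that no SID on this server maps to.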


