[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)

steve steve at steve-ss.com
Mon Dec 1 12:16:04 MST 2014


On 01/12/14 19:30, Rowland Penny wrote:
> On 01/12/14 18:23, steve wrote:
>> On 01/12/14 19:11, Rowland Penny wrote:
>>> On 01/12/14 17:46, steve wrote:
>>>> On 01/12/14 18:25, Rowland Penny wrote:
>>>>> On 01/12/14 17:16, steve wrote:
>>>>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>>>>> On 01/12/14 17:09, steve wrote:
>>>>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>>>>> <rowlandpenny at googlemail.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> I do what windows does, it ignores the RID (what you call 'the
>>>>>>>>>>> last
>>>>>>>>>>> set
>>>>>>>>>> of digits from SID') and uses a builtin mechanism to store the
>>>>>>>>>> next
>>>>>>>>>> uid &
>>>>>>>>>> gidNumber.
>>>>>>>>>
>>>>>>>>>
>>>>
>>>>
>>>> Take this dangerously incorrect fact:
>>>>>>>>> The builtin users/groups use the RID for the GID/UID.
>>>> No.
>>>>
>>>>
>>>>>>>>
>>>>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>>>>> 300000?
>>>>>>>>
>>>>>>>>
>>>>>>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>> English please. Notice the question mark after the last '0' ;)
>>>>>
>>>>> I thought I was speaking (well typing) English :-D
>>>>>
>>>>> Let's put it this way, samba4 gets the RID for Administrators
>>>>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
>>>>> in idmap.ldb.
>>>>>
>>>>> Does that answer all questions ??????
>>>>>
>>>>> Rowland
>>>>
>>>>
>>>
>>> In the context of the OP's statement, he was sort of correct: the
>>> builtin user/group RIDs are used to get to the ID numbers.
>>>
>>> Take Administrators for example:
>>>
>>> RID 'S-1-5-32-544'
>>> Winbind gets this, it is meaningless on Unix, so it gets mapped to an
>>> xidNumber '3000000'
>>>
>>> This xidNumber is used as the group's gidNumber
>>>
>>> The xidNumber is stored in idmap.ldb
>>>
>>> dn: CN=S-1-5-32-544
>>> cn: S-1-5-32-544
>>> objectClass: sidMap
>>> objectSid: S-1-5-32-544
>>> type: ID_TYPE_BOTH
>>> xidNumber: 3000000
>>> distinguishedName: CN=S-1-5-32-544
>>>
>>> If you run 'getfacl /var/lib/samba/sysvol/' , you get this:
>>>
>>> getfacl: Removing leading '/' from absolute path names
>>> # file: var/lib/samba/sysvol/
>>> # owner: root
>>> # group: 3000000
>>> user::rwx
>>> user:root:rwx
>>> group::rwx
>>> group:3000000:rwx
>>> group:3000001:r-x
>>> group:3000002:rwx
>>> group:3000003:r-x
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::---
>>> default:group:3000000:rwx
>>> default:group:3000001:r-x
>>> default:group:3000002:rwx
>>> default:group:3000003:r-x
>>> default:mask::rwx
>>> default:other::---
>>>
>>> Now what part of the above is wrong ??
>>>
>> Hi
>> '...sort of correct' is misleading enough and is to be discouraged.
>> But unqualified statements which are incorrect should be banned.
>> 'The builtin users/groups use the RID for the GID/UID.', is incorrect.
>> Not only is it incorrect, but it is the opposite of what we would wish
>> to achieve, especially with the low uids and gids which would ensue.
>>
>> Many of us here have wasted enough of our time reading threads on
>> mailing lists which are incorrect.
>>
>> Thank you for the qualification.
>>
>>> Rowland
>>>
>>
> When you put it that way, then yes it was wrong, 'The builtin
> users/groups use the RID for their GID/UID.' would have been better,
> that is, if you can spot the difference :-D
>
> Rowland
>
Even worse. 'On a DC, the builtin users/groups use a GID/UID which is 
unrelated to their RID' is less misleading. It is unfortunate that they 
vary depending on where you are in a domain.
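The SID-to-xidNumber mapping Rowland walks through above (the sidMap record in idmap.ldb and the numeric gids in the sysvol getfacl output) as an added example, not code from the thread or from Samba; the second sidMap record (S-1-5-32-545 mapped to 3000001) and the trimmed ACL excerpt are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the LDIF form quoted above; only the Administrators
# record comes from the thread, the 3000001 mapping is an assumption.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

# Constructed excerpt of the getfacl listing quoted in the thread.
SYSVOL_ACL = """\
# group: 3000000
group::rwx
group:3000000:rwx
group:3000001:r-x
default:group:3000002:rwx
"""

def parse_sidmap(ldif: str) -> Dict[int, str]:
    """Return {xidNumber: objectSid} for every sidMap record in the LDIF."""
    mapping: Dict[int, str] = {}
    for record in ldif.strip().split("\n\n"):
        attrs = dict(ln.split(": ", 1) for ln in record.splitlines() if ": " in ln)
        if attrs.get("objectClass") == "sidMap":
            mapping[int(attrs["xidNumber"])] = attrs["objectSid"]
    return mapping

def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of the SID (544 for S-1-5-32-544)."""
    return int(sid.rsplit("-", 1)[1])

def mappings_using_rid(mapping: Dict[int, str]) -> List[int]:
    """xidNumbers that equal their RID, i.e. the low-ID case the thread warns about."""
    return [xid for xid, sid in mapping.items() if xid == rid_of(sid)]

def resolve_acl(acl: str, mapping: Dict[int, str]) -> List[Tuple[int, Optional[str]]]:
    """Pair each numeric group entry of a getfacl listing with its SID (None if unmapped)."""
    return [(int(m.group(1)), mapping.get(int(m.group(1))))
            for m in re.finditer(r"^(?:default:)?group:(\d+):", acl, re.M)]
```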

