[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 1 12:20:35 MST 2014


On 01/12/14 19:16, steve wrote:
> On 01/12/14 19:30, Rowland Penny wrote:
>> On 01/12/14 18:23, steve wrote:
>>> On 01/12/14 19:11, Rowland Penny wrote:
>>>> On 01/12/14 17:46, steve wrote:
>>>>> On 01/12/14 18:25, Rowland Penny wrote:
>>>>>> On 01/12/14 17:16, steve wrote:
>>>>>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>>>>>> On 01/12/14 17:09, steve wrote:
>>>>>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>>>>>> <rowlandpenny at googlemail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> I do what windows does, it ignores the RID (what you call 'the
>>>>>>>>>>>> last
>>>>>>>>>>>> set
>>>>>>>>>>> of digits from SID') and uses a builtin mechanism to store the
>>>>>>>>>>> next
>>>>>>>>>>> uid &
>>>>>>>>>>> gidNumber.
>>>>>>>>>>
>>>>>>>>>>
>>>>>
>>>>>
>>>>> Take this dangerously incorrect fact:
>>>>>>>>>> The builtin users/groups use the RID for the GID/UID.
>>>>> No.
>>>>>
>>>>>
>>>>>>>>>
>>>>>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>>>>>> 300000?
>>>>>>>>>
>>>>>>>>>
>>>>>>>> No, it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>> English please. Notice the question mark after the last '0';)
>>>>>>
>>>>>> I thought I was speaking (well typing) English :-D
>>>>>>
>>>>>> Let's put it this way, samba4 gets the RID for Administrators
>>>>>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all 
>>>>>> this
>>>>>> in idmap.ldb.
>>>>>>
>>>>>> Does that answer all questions ??????
>>>>>>
>>>>>> Rowland
>>>>>
>>>>>
>>>>
>>>> In the context of the OP's statement, he was sort of correct, the
>>>> builtin user/group RIDs are used to get to the ID numbers.
>>>>
>>>> Take Administrators for example:
>>>>
>>>> RID 'S-1-5-32-544'
>>>> Winbind gets this, it is meaningless on Unix, so it gets mapped to an
>>>> xidNumber '3000000'
>>>>
>>>> This xidNumber is used as the group's gidNumber
>>>>
>>>> The xidNumber is stored in idmap.ldb
>>>>
>>>> dn: CN=S-1-5-32-544
>>>> cn: S-1-5-32-544
>>>> objectClass: sidMap
>>>> objectSid: S-1-5-32-544
>>>> type: ID_TYPE_BOTH
>>>> xidNumber: 3000000
>>>> distinguishedName: CN=S-1-5-32-544
>>>>
>>>> If you run 'getfacl /var/lib/samba/sysvol/' , you get this:
>>>>
>>>> getfacl: Removing leading '/' from absolute path names
>>>> # file: var/lib/samba/sysvol/
>>>> # owner: root
>>>> # group: 3000000
>>>> user::rwx
>>>> user:root:rwx
>>>> group::rwx
>>>> group:3000000:rwx
>>>> group:3000001:r-x
>>>> group:3000002:rwx
>>>> group:3000003:r-x
>>>> mask::rwx
>>>> other::---
>>>> default:user::rwx
>>>> default:user:root:rwx
>>>> default:group::---
>>>> default:group:3000000:rwx
>>>> default:group:3000001:r-x
>>>> default:group:3000002:rwx
>>>> default:group:3000003:r-x
>>>> default:mask::rwx
>>>> default:other::---
>>>>
>>>> Now what part of the above is wrong ??
>>>>
>>> Hi
>>> '...sort of correct' is misleading enough and is to be discouraged.
>>> But unqualified statements which are incorrect should be banned.
>>> 'The builtin users/groups use the RID for the GID/UID.', is incorrect.
>>> Not only is it incorrect, but it is the opposite of what we would wish
>>> to achieve, especially with the low uids and gids which would ensue.
>>>
>>> Many of us here have wasted enough of our time reading threads on
>>> mailing lists which are incorrect.
>>>
>>> Thank you for the qualification.
>>>
>>>> Rowland
>>>>
>>>
>> When you put it that way, then yes it was wrong, 'The builtin
>> users/groups use the RID for their GID/UID.' would have been better,
>> that is, if you can spot the difference :-D
>>
>> Rowland
>>
> Even worse. 'On a DC, the builtin users/groups use a GID/UID which is 
> unrelated to their RID' is less misleading. It is unfortunate that 
> they vary depending on where you are in a domain.

Oh please, don't confuse Greg even more than he is now :-D

Rowland
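
The exchange above turns on one mapping: winbind takes a SID such as S-1-5-32-544, assigns it an xidNumber (3000000 in the quoted idmap.ldb record), and that number is what shows up as the owner or group in getfacl output on sysvol. The script below is an added example, not code from the thread or from the Samba project. It parses an LDIF dump of idmap.ldb, annotates a getfacl listing with the SID behind each numeric id, and checks the point the thread argues over: the xidNumber is not the RID (544 is the last sub-authority of S-1-5-32-544; 3000000 is the allocated id). The first LDIF record is the one quoted in the thread; the other three records, the abbreviated ACL listing, and the ldbsearch path are constructed for the example and are assumptions, not data from the page.

```python
"""Map the numeric ids in a getfacl listing back to the SIDs in Samba's idmap.ldb.

Added example (not Samba's own code).  On a real DC the LDIF text would come
from something like
    ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'
(the idmap.ldb path depends on how Samba was built/packaged; assumed here),
and the ACL text from  getfacl /var/lib/samba/sysvol
"""
import re
from typing import Dict, List, Tuple

# Constructed sample.  Record 1 is the entry quoted in the thread; the other
# three SID -> xidNumber records are invented for this example.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

dn: CN=S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000003
"""

# Constructed sample: an abbreviated getfacl listing in the shape shown in the thread.
SYSVOL_ACL = """\
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
mask::rwx
other::---
default:group:3000000:rwx
"""


def parse_ldif_records(text: str) -> List[Dict[str, str]]:
    """Split LDIF into attribute dicts; folds continuation lines (leading space).
    Base64 ('attr:: value') attributes are kept verbatim, not decoded."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            last = next(reversed(current))      # dicts keep insertion order
            current[last] += raw[1:]
            continue
        if not raw.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def parse_idmap(ldif: str) -> Dict[int, Tuple[str, str]]:
    """xidNumber -> (objectSid, type) for every sidMap record."""
    mapping: Dict[int, Tuple[str, str]] = {}
    for rec in parse_ldif_records(ldif):
        if rec.get("objectClass") != "sidMap":
            continue
        mapping[int(rec["xidNumber"])] = (rec["objectSid"], rec.get("type", "?"))
    return mapping


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of the SID: 544 for S-1-5-32-544."""
    return int(sid.rsplit("-", 1)[1])


def rid_equals_xid(sid: str, xid: int) -> bool:
    """True only if the RID were reused as the Unix id (it is not, per the thread)."""
    return rid_of(sid) == xid


_ACL_ENTRY = re.compile(r"^(?P<prefix>(?:default:)?(?:user|group):)(?P<id>\d+)(?P<rest>:.*)$")
_ACL_HEADER = re.compile(r"^# (?P<what>owner|group): (?P<id>\d+)$")


def describe(xid: int, idmap: Dict[int, Tuple[str, str]]) -> str:
    """Human-readable SID/RID/type for a numeric id, or a note that it is unmapped."""
    if xid not in idmap:
        return "no idmap.ldb entry"
    sid, typ = idmap[xid]
    return f"{sid} (RID {rid_of(sid)}, {typ})"


def annotate_getfacl(acl_text: str, idmap: Dict[int, Tuple[str, str]]) -> List[str]:
    """Append '# <SID ...>' to every getfacl line that names a numeric uid/gid."""
    out = []
    for line in acl_text.splitlines():
        m = _ACL_ENTRY.match(line) or _ACL_HEADER.match(line)
        if m:
            line = f"{line}   # {describe(int(m.group('id')), idmap)}"
        out.append(line)
    return out


if __name__ == "__main__":
    idmap = parse_idmap(IDMAP_LDIF)
    for line in annotate_getfacl(SYSVOL_ACL, idmap):
        print(line)
    print("RID reused as gid?", rid_equals_xid("S-1-5-32-544", 3000000))
```

On a live DC the same lookup for a single id is `wbinfo --gid-to-sid 3000000` (or `--uid-to-sid`); the script is useful when you have an LDIF dump and a getfacl listing side by side, for instance when checking sysvol permissions on a box where winbind is not running. The ID_TYPE_BOTH value in the record is why one number can appear as both a uid and a gid for the same SID.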
