[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))
Jim Seymour
jseymour at LinxNet.com
Sat Sep 12 23:38:07 UTC 2015
On Sat, 12 Sep 2015 21:47:28 +0100
Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 12/09/15 21:26, Jim Seymour wrote:
[snip]
> > Ah, well... Now there's the question of what attributes are
> > required to create a group. I suppose I can just dump the
> > existing ldap db and see what groups are already there.
>
> ldif to create group:
>
> dn: CN=<groupname>,CN=Users,DC=example,DC=com
> objectClass: group
> cn: <groupname>
> name: <groupname>
> sAMAccountName: <groupname>
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
> distinguishedName: CN=<groupname>,CN=Users,DC=example,DC=com
Thanks! (That'll make life a bit easier :).)
>
[snip]
> > You mean by setting their gidNumber attribute to that group,
> > rather than whatever GID was given to "Domain Users"?, in their
> > sam.ldb record?
> >
> > But I thought you earlier said that would Break Things?
>
> No, what I said was (in a way you didn't understand) don't change
> the 'primaryGroupID' attribute, this is what makes the user a
> member of Domain Users.
> The user's 'primaryGroupID' != the Unix user's primary group id (this
> is what is stored in the 'gidNumber' attribute)
Got it!
>
[snip]
> >
> >> As you are probably
> >> aware, on Unix you can only set the permissions for the user,
> >> group or other, but with NTFS ACLs you can set them for user1,
> >> user2, group1, group2 etc etc, all at the same time.
> > You can do the same under Unix/Linux with setfacl. I've been
> > doing that for years.
>
> Good, then you know how to use it :-)
Indeed :)
N.B.: And let this be a warning to Unix/Linux Admins: Not all
Unix/Linux backup/archiving utilities preserve and restore ACLs.
Some won't do it at all. Others require command-line switches.
>
[snip]
>
> There have been religious wars on here about calling 'Unix
> permissions' ACLs :-D
There's nothing about which to argue: There are *nix permissions and
there are ACLs. They are not the same thing, although they're used
to the same end: Determining who has what access to what.
Thanks for all your help, Rowland! It has been, literally,
invaluable.
Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
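
Added example, not part of the original message or of Samba: a small generator for the group record quoted above that escapes the group name inside the DN (RFC 4514), base64-encodes values an LDIF reader could misparse, and folds long lines with a leading space (RFC 2849) so a long objectCategory value does not break across lines. The function names and the 76-column width are assumptions made for this example.

```python
import base64
import re

# RFC 2849 SAFE-STRING: 7-bit, no NUL/CR/LF, not starting with space, ':' or '<'.
_SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                   r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")

def escape_rdn_value(value):
    """Escape a string for use as an RDN value inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        edge = (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " ")
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or edge:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def ldif_line(attr, value, width=76):
    """Render one attribute; base64-encode unsafe values, fold long lines."""
    if _SAFE.fullmatch(value) and not value.endswith(" "):
        line = f"{attr}: {value}"
    else:  # e.g. an embedded newline: it cannot start a new attribute line
        line = f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    parts, rest = [line[:width]], line[width:]
    while rest:  # continuation lines begin with exactly one space
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def unfold(ldif_text):
    """Undo RFC 2849 folding, as an LDIF reader does before parsing."""
    return ldif_text.replace("\n ", "")

def group_ldif(name, base_dn="DC=example,DC=com"):
    """Build the group record from the message for `name` under `base_dn`."""
    if not name:
        raise ValueError("group name must not be empty")
    dn = f"CN={escape_rdn_value(name)},CN=Users,{base_dn}"
    category = f"CN=Group,CN=Schema,CN=Configuration,{base_dn}"
    attrs = [("dn", dn), ("objectClass", "group"), ("cn", name), ("name", name),
             ("sAMAccountName", name), ("objectCategory", category),
             ("distinguishedName", dn)]
    return "\n".join(ldif_line(a, v) for a, v in attrs) + "\n"

if __name__ == "__main__":
    print(group_ldif("staff"), end="")
```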