LDAP rid attribute in 2.2.3

Alain RICHARD alain.richard at equation.fr
Wed Feb 6 02:37:03 GMT 2002

Looking at the code and samba.schema, I have observed:

a) that the rid attribute is mandatory for users
b) there is no sambaGroup, so no rid for groups
c) that rids are derived from uid and gid (rid = 2*uid + 1000 for users, 
rid = 2*gid + 1001 for groups)
d) some special groups are identified with their special rid (for example 
Domain Admins = 512)
e) the binding from an ldap user to an "NT" group is done using the 
primaryGroupID attribute
f) it is possible to bind a unix group to be "Domain Admins" using "domain 
admin group" in smb.conf
g) the "smbpasswd -a" command adds samba attributes to an existing 
posixAccount. Doing so, it adds a rid of 0 to the user and not (2*uid+1000)
h) when searching for a user in the ldap directory, samba first tries to 
get it by its rid before trying to find it by its uid attribute.

My remarks and questions:

- if rids are always derived from the computation in c), isn't it dangerous to 
have a separate rid attribute that may not be in sync with the 
computation?
- if rids are the first key for user information in samba-ldap, isn't the 
behavior of smbpasswd (g) a bug?
- if rids are the first key, they must be indexed in the directory. Why is there 
no rid for groups in that case?

Alain RICHARD <mailto:alain.richard at equation.fr>
EQUATION SA <http://www.equation.fr/>
Tel : +33 477 79 48 00	 Fax : +33 477 79 48 01
Client/server applications, network and Linux engineering
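As an added example (not part of the original post or of Samba's own code), the Python below applies the mapping described in point c), rid = 2*uid + 1000 for users and rid = 2*gid + 1001 for groups, and audits a constructed LDIF sample for rid attributes that are missing, zero (the "smbpasswd -a" behaviour from point g), or out of sync with uidNumber, which is the drift the first remark worries about. The DNs and attribute values in the sample are constructed, the LDIF reader is a deliberately minimal one, and the only well-known rid it knows about is the Domain Admins value 512 quoted in point d).

```python
"""Consistency check for algorithmic Samba rids stored in LDAP (added example)."""
from typing import Dict, List, Tuple

RID_USER_BASE = 1000    # rid = 2*uid + 1000 (always even)
RID_GROUP_BASE = 1001   # rid = 2*gid + 1001 (always odd)
WELL_KNOWN_RIDS = {512: "Domain Admins"}  # from point d); not derived from a gid


def uid_to_rid(uid: int) -> int:
    """User rid from the uid, as described in point c)."""
    return 2 * uid + RID_USER_BASE


def gid_to_rid(gid: int) -> int:
    """Group rid from the gid, as described in point c)."""
    return 2 * gid + RID_GROUP_BASE


def rid_to_unix_id(rid: int) -> Tuple[str, int]:
    """Invert the mapping: user rids are even, group rids are odd, so the
    parity decides which formula produced it.  Well-known rids and values
    below the bases cannot come from the mapping and raise ValueError."""
    if rid in WELL_KNOWN_RIDS:
        raise ValueError(f"rid {rid} is the well-known {WELL_KNOWN_RIDS[rid]} rid")
    if rid % 2 == 0:
        if rid < RID_USER_BASE:
            raise ValueError(f"rid {rid} is below the user rid base")
        return "user", (rid - RID_USER_BASE) // 2
    if rid < RID_GROUP_BASE:
        raise ValueError(f"rid {rid} is below the group rid base")
    return "group", (rid - RID_GROUP_BASE) // 2


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: 'attr: value' lines, entries separated by blank
    lines, '#' comments.  No continuation lines or base64 values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_entries(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (dn, finding) for every posixAccount whose rid is missing,
    zero, or different from the value derived from its uidNumber."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        if "posixAccount" not in e.get("objectClass", []) or "uidNumber" not in e:
            continue
        expected = uid_to_rid(int(e["uidNumber"][0]))
        if "rid" not in e:
            findings.append((dn, f"rid attribute missing (expected {expected})"))
            continue
        stored = int(e["rid"][0])
        if stored == 0:
            findings.append((dn, f"rid is 0 (smbpasswd -a behaviour); expected {expected}"))
        elif stored != expected:
            findings.append((dn, f"rid {stored} out of sync with uidNumber (expected {expected})"))
    return findings


# Constructed sample directory content; DNs and numbers are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uidNumber: 1001
rid: 3002

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uidNumber: 1002
rid: 0

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
uidNumber: 1003
rid: 3007

dn: uid=dave,ou=People,dc=example,dc=org
objectClass: posixAccount
uidNumber: 1004
"""


def audit_sample() -> List[Tuple[str, str]]:
    """Run the audit over the constructed sample (alice is the only clean entry)."""
    return audit_entries(parse_ldif(SAMPLE_LDIF))


if __name__ == "__main__":
    for dn, finding in audit_sample():
        print(f"{dn}: {finding}")
```

The carol entry shows why the sync question matters: its stored rid 3007 is odd, so the inverse mapping reads it as the rid of the group with gid 1003 rather than as any user's rid, and a lookup that tries the rid first (point h) would not find the account it was meant to.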