LDAP rid attribute in 2.2.3
Alain RICHARD
alain.richard at equation.fr
Wed Feb 6 02:37:03 GMT 2002
Looking at the code and samba.schema, I have observed:
a) that the rid attribute is mandatory for users
b) there is no sambaGroup, so no rid for groups
c) that rids are derived from uid and gid (rid = 2*uid + 1000 for users,
rid = 2*gid + 1001 for groups)
d) some special groups are identified by their special rid (for example
Domain Admins = 512)
e) the binding from an ldap user to an "NT" group is done using the
primaryGroupID attribute
f) it is possible to bind a unix group to be "Domain Admins" using "domain
admin group" in smb.conf
g) the "smbpasswd -a" command adds samba attributes to an existing
posixAccount. Doing so, it adds an rid of 0 to a user and not (2*uid+1000).
h) When searching for a user in the ldap directory, samba first tries to
get it by its rid before trying to find it by its uid attribute.
My remarks and questions:
- if rids are always derived from the computation in c), isn't it dangerous
to have a separate rid attribute that may not be in sync with the
computation?
- if rid is the first key for user information in samba-ldap, isn't the
behavior of smbpasswd (g) a bug?
- if rid is the first key, it must be indexed in the directory. Why is
there no rid for groups in that case?
-------------------------------------------------------
Alain RICHARD <mailto:alain.richard at equation.fr>
EQUATION SA <http://www.equation.fr/>
Tel : +33 477 79 48 00 Fax : +33 477 79 48 01
Client/server applications, network engineering and Linux
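
Added example (not part of the original post and not Samba code): a Python check for the drift risk raised in the first remark, comparing each stored rid against the user formula from c) and flagging rid collisions, which matter because of the rid-first lookup in h). The LDIF is constructed sample data, and the uidNumber attribute name (posixAccount's numeric uid) is an assumption about how the post's "uid" is stored.

```python
# Added example: constructed LDIF; uidNumber is assumed to hold the post's "uid".
from collections import defaultdict
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaAccount
uidNumber: 500
rid: 2000

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaAccount
uidNumber: 501
rid: 0

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaAccount
uidNumber: 502
rid: 2000

dn: uid=dave,ou=People,dc=example,dc=org
objectClass: posixAccount
uidNumber: 503
"""

def parse_ldif(text):  # simple LDIF only: no folded lines, no base64 values
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                entry[name.lower()].append(value)  # attribute names are case-insensitive
        entries.append(entry)
    return entries

def audit_rids(text):  # returns (dn, problem) pairs for Samba users
    findings, owner = [], {}
    for e in parse_ldif(text):
        if "sambaAccount" not in e["objectclass"]:
            continue  # plain posixAccount: no Samba attributes to check
        dn, want = e["dn"][0], 2 * int(e["uidnumber"][0]) + 1000  # formula from c)
        rid = int(e["rid"][0]) if e["rid"] else None
        if rid != want:
            findings.append((dn, f"rid={rid} expected={want}"))
        if rid is not None and rid in owner:
            findings.append((dn, f"rid={rid} duplicates {owner[rid]}"))
        owner.setdefault(rid, dn)
    return findings
```

In the sample, bob carries the rid of 0 described in g), and carol's stale rid collides with alice's, so a rid-first search would resolve both to one entry.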