Rowland Penny repenny241155 at
Wed Oct 9 03:01:55 MDT 2013

On 09/10/13 03:56, Andrew Bartlett wrote:
> On Sun, 2013-10-06 at 14:16 +0100, Rowland Penny wrote:
>> You then need to add the following ldif.
>>
>> dn: CN=<username>,CN=Users,DC=example,DC=com
>> changetype: modify
>> add: msSFU30NisDomain
>> msSFU30NisDomain: <your domain>
>> -
>> add: msSFU30Name
>> msSFU30Name: <username>
>> -
>> add: description
>> description: A UNIX user
>>
>> Once the user is created, 'msSFU30MaxUidNumber' needs to be updated to
>> the next number.
>>
>> Now, having shown how it can be done at the moment, I think that
>> samba-tool should be altered to match the way that windows ADUC works
>> i.e. change '--uid-number=UID_NUMBER' to a switch 'with-uidNumber', this
>> switch would then get the required uidNumber from 'msSFU30MaxUidNumber'
>> and add this, along with the required Unix attributes to the user, then
>> update 'msSFU30MaxUidNumber'.
>>
>> Please do not suggest that I do this myself, because to me, python is a
>> type of snake ;-)
> The issue is that msSFU30MaxUidNumber is not magic in any way in AD, and
> so if two scripts or users operate at different ends of the company at
> the same time, nothing will prevent allocation of duplicate UID values.
Er, what happened to samba4 behaving just like windows?
msSFU30MaxUidNumber is not something I came up with, it is something
Microsoft did and it is used by ADUC.

> ID mapping is hard.
You're not kidding, and it is not helped by everybody doing something
different; there needs to be a standard.

> The best solution I've seen, but we still have not implemented is to use
> trustPosixOffset on each trusted domain, which is allocated on the
> naming master (in Windows AD, Samba doesn't know about it yet), and so
> would be unique when combined with an enhanced idmap_rid.
Now I know nothing, but I think that Microsoft expects
msSFU30MaxUidNumber to be used with msSFU30NisDomain to give a unique
name/number. I also personally think that idmap_rid should be put out to
pasture and only idmap_ad used. This would then pull the info from the
AD database, be this a windows server or a samba 4 one.

> If we ever get that working, we could combine that with writing the
> values so calculated into the uidNumber and gidNumber values, to assist
> other clients.
> Andrew Bartlett
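
Added illustration, not part of this thread and not samba-tool's own code: one way to bump msSFU30MaxUidNumber so that the concurrent-allocation problem Andrew describes cannot hand out the same UID twice. The delete of the exact value that was read and the add of its successor go into a single LDAP Modify, which the server applies all-or-nothing, so the second of two racing allocators gets noSuchAttribute and retries. The Directory class is a constructed in-memory stand-in for the AD entry, and COUNTER_DN is an assumed location for the counter object.

```python
ATTR = "msSFU30MaxUidNumber"
# Assumed location of the counter object (the ypServ30 container ADUC uses); adjust for your domain.
COUNTER_DN = "CN=example,CN=ypServers,CN=ypServ30,CN=RpcServices,CN=System,DC=example,DC=com"

class Directory:
    """Constructed in-memory stand-in for one AD entry; applies a Modify all-or-nothing (RFC 4511)."""
    def __init__(self, start):
        self.entries = {COUNTER_DN: {ATTR: {str(start)}}}
    def read(self, dn, attr):
        return next(iter(self.entries[dn][attr]))
    def modify(self, dn, changes):
        entry = {a: set(v) for a, v in self.entries[dn].items()}
        for op, attr, value in changes:
            if op == "delete":
                if value not in entry.get(attr, set()):
                    raise LookupError("noSuchAttribute")  # the value we read is already gone
                entry[attr].discard(value)
            elif op == "add":
                entry.setdefault(attr, set()).add(value)
        self.entries[dn] = entry  # commit only once every change has succeeded

def cas_changes(current):
    # Delete exactly the value we read, add its successor: the delete fails if anyone moved the counter.
    return [("delete", ATTR, str(current)), ("add", ATTR, str(current + 1))]

def allocation_ldif(current):
    # The same conditional update as LDIF, suitable for ldbmodify or ldapmodify.
    return "\n".join([f"dn: {COUNTER_DN}", "changetype: modify",
                      f"delete: {ATTR}", f"{ATTR}: {current}", "-",
                      f"add: {ATTR}", f"{ATTR}: {current + 1}", "-"])

def allocate_uid(directory, attempts=5):
    for _ in range(attempts):
        current = int(directory.read(COUNTER_DN, ATTR))
        try:
            directory.modify(COUNTER_DN, cas_changes(current))
            return current  # this UID is now ours alone
        except LookupError:
            pass  # lost the race: re-read and retry with the fresh value
    raise RuntimeError("could not allocate a UID")

def interleaved_race(directory):
    # Both allocators read the counter before either writes (the hazard raised in the thread).
    a = b = int(directory.read(COUNTER_DN, ATTR))
    directory.modify(COUNTER_DN, cas_changes(a))  # first writer wins
    try:
        directory.modify(COUNTER_DN, cas_changes(b))  # stale value: the server rejects it
    except LookupError:
        b = allocate_uid(directory)  # loser re-reads and takes the next free value
    return a, b
```

Against a real server the same effect comes from feeding allocation_ldif() to ldbmodify and treating a noSuchAttribute failure as "re-read and retry".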

More information about the samba-technical mailing list