steve steve at steve-ss.com
Sat Feb 15 06:49:50 MST 2014

On Sat, 2014-02-15 at 14:30 +0100, David Schmitt wrote:
> On 2014-02-14 16:52, steve wrote:
> > On Fri, 2014-02-14 at 23:33 +0800, Chan Min Wai wrote:
> >> Dear Rowland,
> >>
> >> Just to check.
> >> Can winbind just use the Sid (maybe the truncated Sid) from windows 
> >> as the uid and Gid?
> >>
> >> Isn't that a much simpler approach?
> >
> > The OP has specific uid:gid he wants to use, so no. The truncated sid
> > method you mention is called rid. It's the bit right after the domain
> > sid.
> Actually that was only what I was using to poke around at the system. 
> Not having to do anything and still get consistent results AD-wide would 
> be even better ;-)
> I was (locally) running out of time when I wrote the first message so 
> re-reading it I see that it was not totally coherent, but the hint to 
> samba-tool user add was already very helpful in setting up a user with 
> proper attributes. Being able to get manually to a good state is still 
> better than having no (automatic;) way at all.
> Many thanks!
> Regards, David

Basically if you have your rfc2307 attributes in the DN along with your
users and groups and ALWAYS extract the uid:gid pair from there, it will
ALWAYS be the same uid:gid no matter which DC is consulted or which file
server you use. Take the attribute out of the DN and calculate them by
some other method or remove them completely and rely on a second
database? Do not try this at home.
Just our €0.02
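
An added illustration of the two approaches discussed in this thread (not part of any poster's message, and not Samba code): it takes the RID from the end of a SID, applies the formula given in the idmap_rid manual page, and compares that with reading a stored uidNumber. The SID, server names, ranges and attribute values are constructed.

```python
# Added illustration; every SID, range and attribute value below is constructed.

def split_sid(sid):
    """Split a SID string into (domain_sid, rid); the RID is the last sub-authority."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])

def rid_to_unix_id(sid, low, high, base_rid=0):
    """idmap_rid(8) formula: ID = RID - BASE_RID + LOW_RANGE_ID.
    Returns None when the result falls outside this server's configured range."""
    _, rid = split_sid(sid)
    unix_id = rid - base_rid + low
    return unix_id if low <= unix_id <= high else None

def rfc2307_unix_id(entry, attr="uidNumber"):
    """Read the id stored on the directory object itself; no local arithmetic."""
    value = entry.get(attr)
    return int(value) if value is not None else None

# Constructed directory entry for one user.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
ENTRY = {"objectSid": USER_SID, "uidNumber": "3000017", "gidNumber": "20513"}

# Two hypothetical file servers whose idmap ranges were configured differently.
SERVER_RANGES = {"fs1": (10000, 99999), "fs2": (100000, 199999)}

def compare():
    """Return ({server: uid via rid}, {server: uid via stored attribute})."""
    rid_ids = {name: rid_to_unix_id(USER_SID, low, high)
               for name, (low, high) in SERVER_RANGES.items()}
    rfc_ids = {name: rfc2307_unix_id(ENTRY) for name in SERVER_RANGES}
    return rid_ids, rfc_ids

if __name__ == "__main__":
    rid_ids, rfc_ids = compare()
    for name in SERVER_RANGES:
        print(f"{name}: rid-derived uid={rid_ids[name]}  stored uidNumber={rfc_ids[name]}")
    if len(set(rid_ids.values())) > 1:
        print("rid-derived uids differ between servers; file ownership would not match")
```

With the rid method the result depends on each server's local range, so the same SID maps consistently only if every server carries identical settings; the stored attribute is the same wherever it is read.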
