On 15/02/14 13:49, steve wrote:
> On Sat, 2014-02-15 at 14:30 +0100, David Schmitt wrote:
>> On 2014-02-14 16:52, steve wrote:
>>> On Fri, 2014-02-14 at 23:33 +0800, Chan Min Wai wrote:
>>>> Dear Rowland,
>>>> Just to check.
>>>> Can winbind just use the Sid (maybe the truncated Sid) from windows
>>>> as the uid and Gid?
>>>> Isn't that a much simpler approach?
>>> The OP has specific uid:gid he wants to use, so no. The truncated sid
>>> method you mention is called rid. It's the bit right after the domain
>>> sid.
>> Actually that was only what I was using to poke around at the system.
>> Not having to do anything and still get consistent results AD-wide would
>> be even better ;-)
>> I was (locally) running out of time when I wrote the first message so
>> re-reading it I see that it was not totally coherent, but the hint to
>> samba-tool user add was already very helpful in setting up a user with
>> proper attributes. Being able to get manually to a good state is still
>> better than having no (automatic;) way at all.
>> Many thanks!
>> Regards, David
> Hi
> Basically if you have your rfc2307 attributes in the DN along with your
> users and groups and ALWAYS extract the uid:gid pair from there, it will
> ALWAYS be the same uid:gid no matter which DC is consulted or which file
> server you use. Take the attribute out of the DN and calculate them by
> some other method or remove them completely and rely on a second
> database? Do not try this at home.
> Just our €0.02
> Steve
The problem here is that samba-tool doesn't work like ADUC. On ADUC
(using the UNIX Attributes tab) you first select the NIS Domain and ADUC
then gives you the next uidNumber available. If you use samba-tool, you
have to supply the uidNumber and keep a record of the last uidNumber
yourself. If I could program in Python, I would adapt samba-tool to work
like ADUC, i.e. change '--uid-number=UID_NUMBER' into a switch,
something like '--add-uid-number', but I cannot program in Python, so
anybody else up for it???
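
One way to do the bookkeeping described above by hand, as an added example that is not part of the original message or of samba-tool: a shell function that reads an LDIF dump of existing accounts and prints the value to pass as '--uid-number'. The function names, the 10000-19999 range and the sample entries are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of samba-tool): choose the uidNumber to pass to
# "samba-tool user add ... --uid-number=N" from an LDIF dump of the directory.

# Constructed sample of LDIF as returned by a search for the uidNumber attribute.
sample_ldif() {
cat <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=com
uidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
uidNumber: 10002

dn: CN=legacy,CN=Users,DC=example,DC=com
uidNumber: 500
EOF
}

# next_uid_number MIN MAX   (LDIF on stdin, result on stdout)
# Exit status: 0 ok, 2 a uidNumber is assigned twice, 3 range exhausted.
next_uid_number() {
    awk -v min="$1" -v max="$2" '
        # LDIF attribute names are case-insensitive.
        tolower($1) == "uidnumber:" && $2 ~ /^[0-9]+$/ {
            n = $2 + 0
            if (n in seen) dup = 1      # two accounts would share file ownership
            seen[n] = 1
            # Values outside [min, max] are checked for duplicates but not counted.
            if (n >= min && n <= max && (!found || n > hi)) { hi = n; found = 1 }
        }
        END {
            if (dup) exit 2
            # Highest + 1, never a gap: a freed uid may still own files on disk.
            candidate = found ? hi + 1 : min
            if (candidate > max) exit 3
            print candidate
        }'
}

sample_ldif | next_uid_number 10000 19999    # prints 10003
```

The input can come from any search that returns the uidNumber attribute in LDIF form; the function only reads stdin and never writes to the directory.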


