wellknown and uid/gid interactions on multi DC samba AD domain

steve steve at steve-ss.com
Tue May 13 08:48:59 MDT 2014

On Tue, 2014-05-13 at 16:21 +0200, Daniele Dario wrote:

> Now I'd try again so can somebody address me on the right way to proceed
> or suggest alternative ways to backup data?
> Which would be the objects to "posixify"?
Add uidNumber and gidNumber to all your users. Add gidNumber to Domain
Users and any other domain groups that your users are members of. There
is no need to add posixAccount or posixGroup classes unless you need

> Only users/groups I created on the domain?

> Also machine accounts have to be posixified?

> Is there a way to be sure to avoid overlappings?
Yes. Do:
getent passwd 
look at the highest uid you get. Here, I'm 1000:

The AD uids start at 10000 for 2307 schema setups where you provisioned with --use-rfc2307. Samba4 map from 3000000 upwards. We use the latter range for our user uidNumbers.
For groups, choose a gidNumber which helps with recognition. We use 20513 for Domain Users for example.

If you add local users to any DC, make sure that you allocate a uid below either 10000 or 3000000.
Good luck this time around

More information about the samba-technical mailing list