wellknown and uid/gid interactions on multi DC samba AD domain

Daniele Dario d.dario76 at gmail.com
Tue May 13 09:14:32 MDT 2014


Hi Steve,

On mar, 2014-05-13 at 16:48 +0200, steve wrote:
> On Tue, 2014-05-13 at 16:21 +0200, Daniele Dario wrote:
> 
> > Now I'd try again so can somebody address me on the right way to proceed
> > or suggest alternative ways to backup data?
> > 
> > Which would be the objects to "posixify"?
> Add uidNumber and gidNumber to all your users. Add gidNumber to Domain
> Users and any other domain groups that your users are members of. There
> is no need to add posixAccount or posixGroup classes unless you need
> them.
> 
> > Only users/groups I created on the domain?
> No.
> 
> > Also machine accounts have to be posixified?
> No.
> 
> > Is there a way to be sure to avoid overlappings?
> Yes. Do:
> getent passwd 
> look at the highest uid you get. Here, I'm 1000:
> steve:x:1000:100::/home/steve:/bin/bash
> 
> The AD uids start at 10000 for 2307 schema setups where you provisioned with --use-rfc2307. Samba4 maps from 3000000 upwards. We use the latter range for our user uidNumbers.
> For groups, choose a gidNumber which helps with recognition. We use 20513 for Domain Users for example.
> 
> If you add local users to any DC, make sure that you allocate a uid below either 10000 or 3000000.
> Good luck this time around
> Steve
> 
> 

Thanks for the tips.
Can you please clarify what does "add uidNumber and gidNumber" ...?
How do I do that? Is there a specific command (samba-tool or something
like that) or do I use ldbmodify? Where can I find some example?

Then can you make an example for uids having this from getent passwd

myadmin:x:1000:1000:myadmin,,,:/home/myadmin:/bin/bash
...
SAITEL\Administrator:*:0:100::/home/SAITEL/Administrator:/bin/bash
SAITEL\Guest:*:3000002:3000003::/home/SAITEL/Guest:/bin/bash
SAITEL\krbtgt:*:3000027:100::/home/SAITEL/krbtgt:/bin/bash
SAITEL\daniele:*:3000020:100:Daniele:/home/SAITEL/daniele:/bin/bash
SAITEL\samuele:*:3000028:100:Samuele:/home/SAITEL/samuele:/bin/bash
SAITEL\antonio:*:3000030:100:Antonio:/home/SAITEL/antonio:/bin/bash
SAITEL\marina:*:3000031:100:Marina:/home/SAITEL/marina:/bin/bash
SAITEL\martina:*:3000032:100:Martina:/home/SAITEL/martina:/bin/bash
SAITEL\marco:*:3000033:100:Marco:/home/SAITEL/marco:/bin/bash
SAITEL\michela:*:3000034:100:Michela:/home/SAITEL/michela:/bin/bash
SAITEL\paolo:*:3000035:100:Giampaolo:/home/SAITEL/paolo:/bin/bash
SAITEL\luca:*:3000036:100:Luca:/home/SAITEL/luca:/bin/bash
SAITEL\dino:*:3000039:100:Dino:/home/SAITEL/dino:/bin/bash
SAITEL\duilio:*:3000040:100:Duilio:/home/SAITEL/duilio:/bin/bash
SAITEL\lavaroni:*:3000059:100:Lavaroni:/home/SAITEL/lavaroni:/bin/bash

and getent groups

myadmin:x:1000:
...
SAITEL\Enterprise Read-Only Domain Controllers:*:3000042:
SAITEL\Domain Admins:*:3000011:
SAITEL\Domain Users:*:100:
SAITEL\Domain Guests:*:3000003:
SAITEL\Domain Computers:*:3000015:
SAITEL\Domain Controllers:*:3000043:
SAITEL\Schema Admins:*:3000007:
SAITEL\Enterprise Admins:*:3000010:
SAITEL\Group Policy Creator Owners:*:3000009:
SAITEL\Read-Only Domain Controllers:*:3000044:
SAITEL\DnsUpdateProxy:*:3000045:
SAITEL\Ufficio Tecnico:*:3000022:
SAITEL\Ufficio Acquisti:*:3000046:
SAITEL\Presidenza:*:3000047:
SAITEL\Officina:*:3000024:
SAITEL\Gestionale:*:3000048:
SAITEL\Amministrazione:*:3000049:
SAITEL\Magazzino:*:3000050:
SAITEL\Segreteria Produzione:*:3000051:
SAITEL\Segreteria Generale:*:3000052:
SAITEL\Ufficio Commerciale:*:3000053:
SAITEL\Ufficio Produzione:*:3000021:
SAITEL\remote_users:*:3000023:
SAITEL\Saitel Staff:*:3000056:
SAITEL\Collaudi:*:3000058:

Thanks for your kind help,
Daniele.
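
The overlap check described in the quoted reply (look at the highest local uid and keep local accounts below the AD range), as an added example that is not part of the original message. It assumes winbind's default `DOMAIN\user` naming to tell domain accounts from local ones; the function names and the `localsvc` entry are constructed for illustration.

```python
from collections import defaultdict

RFC2307_FLOOR = 10000   # thread: AD uids start here when provisioned --use-rfc2307
IDMAP_FLOOR = 3000000   # thread: Samba4 maps from here upwards

# Constructed sample in the format shown in the message above; the "localsvc"
# line is invented to demonstrate a local account landing in the AD range.
SAMPLE = r"""
myadmin:x:1000:1000:myadmin,,,:/home/myadmin:/bin/bash
SAITEL\Administrator:*:0:100::/home/SAITEL/Administrator:/bin/bash
SAITEL\Guest:*:3000002:3000003::/home/SAITEL/Guest:/bin/bash
SAITEL\daniele:*:3000020:100:Daniele:/home/SAITEL/daniele:/bin/bash
localsvc:x:3000020:1001::/home/localsvc:/bin/sh
"""

def parse_passwd(text):
    """Yield (name, uid, gid, is_domain) for each `getent passwd` line."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip blank lines, "..." elisions and malformed entries
        name = fields[0]
        # Assumption: default winbind separator, so a backslash marks a domain account.
        yield name, int(fields[2]), int(fields[3]), "\\" in name

def audit(text, ad_floor=IDMAP_FLOOR):
    """Report the highest local uid and any local/domain id overlap.

    Pass ad_floor=RFC2307_FLOOR for a domain provisioned with --use-rfc2307.
    """
    by_uid = defaultdict(list)
    local, domain = [], []
    for name, uid, _gid, is_domain in parse_passwd(text):
        by_uid[uid].append(name)
        (domain if is_domain else local).append((name, uid))
    return {
        "highest_local_uid": max((u for _, u in local), default=None),
        # Local accounts that should have been allocated below the floor.
        "local_in_ad_range": sorted(n for n, u in local if u >= ad_floor),
        # Domain accounts mapped below the floor, listed for review.
        "domain_below_floor": sorted(n for n, u in domain if u < ad_floor),
        # Any uid shared by more than one name.
        "collisions": {u: n for u, n in by_uid.items() if len(n) > 1},
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

To check a live host, pass the captured output of `getent passwd` to `audit()` instead of `SAMPLE`.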



More information about the samba-technical mailing list