[Samba] "Well-known Windows RIDs" vs. UIDs/GIDs

John H Terpstra jht at samba.org
Tue Nov 22 03:15:24 GMT 2005

On Monday 21 November 2005 19:32, David B Harris wrote:
> Hey all,
> I'm looking to merge multiple NT4 domains into a single infrastructure
> based on Samba3 and OpenLDAP on Linux of the Debian Sarge flavour (and,
> Bob willing, Samba4 before long).

Bob is willing, but what does he have to do with Samba4?

> In order to allow some resources to be shared from a single Linux
> instance, I'm rather hoping that I can put every domain's information
> into a single LDAP DIT. The Samba PDCs will use only portions of the
> DIT, in order to give the appearance (to users) of multiple domains.
> It'll also hopefully allow some degree of privilege delegation.

OK - that should work so long as you do not expect domain user accounts to 
function within mulitple domains. You will be able to use interdomain trusts 
to affect cross-domain user access capabilities.

> *nix boxes would use the entire tree to resolve every UID/GID (though
> logins would only be allowed based on some attribute values).
> Everything would be fine, except I'm a bit worried about the Well-known
> Windows RIDs (512, 513, 514, 550, 551, 552). Obviously the RID must be
> those particular numbers, but do the gidNumbers need to match? (Is this
> required even generally, that gid/uidNumbers match the RID?)

The well known RIDs are important, but the UID/GID can be any valid value.

> Note that winbind isn't involved. I haven't found anything in the
> documentation, which while I've read through entirely, I haven't read
> from front-to-back, so my memory may be failing me. Documentation
> pointers very welcome.

- John T.

More information about the samba mailing list