Reply: Re: [Samba] Primary Group ID (Well-Known RIDs)

Michael Billerbeck billerbeck at adesso.de
Mon Feb 13 12:13:47 GMT 2006


Hello Jerry,

thanks for your response.

"Gerald (Jerry) Carter" <jerry at samba.org> wrote on 11.02.2006 18:48:32:

> Michael Billerbeck wrote:
> > Hello all,
> >
> > I have the following situation:  There are users that don't have
> > the well-known RID 513, so groupmapping like
> > Domain Users (S-1-5-21-<domain SID part>-513) -> users doesn't
> > have any effect.  There are users that have the primary
> > group RID 545, 2001 and 1201.
> >
> > That's somehow messy. Is there any chance to get the Domain
> > Users into the well-known primary group rid 513? Does it then also
> > make sense to give machines the well known group rid 515?
> > Or is it better to change mapping by giving the rid explicitly?
>
> The primary group SID must be in the same domain as the user's SID.
> So you cannot specify a group from the BUILTIN domain to be
> the primary group.  There's a lot of work going on in this
> area right now for the 3.0.22 release.

The SIDs only differ in the RID part. So the domain part of the SID
is always the same and they are in the domain.
So what I was focussing on was the primary rid.

> If I understand your question correctly, you want to force all
> user's primary group SID to be S-1-5-....-513 regardless of the
> primary Unix group?

No, I wouldn't say regardless of the primary Unix group.
I would say regarding to what makes sense, which might be the
correspondent. For example the correspondent of the Unix group
'users' might have the SID with the well-known RID 513
(just a suggestion).
I remarked that there are already default values initially set,
which I didn't know at first.
There are at least these initially existing domain groups by default:

Domain Users
Domain Guests
Domain Admins

These groups are already associated to the SID with their appropriate
well known RID. There is a Unix group

ntadmin

which I also didn't know of at first.
(Well, they are mentioned in the How-to and the Samba 3 by example
but I had the impression that these group names were just example
group names. I wasn't thinking that they already exist.)

But this all is a good idea (these default groups or predefined groups,
the existing default group mapping and their associated well-known SIDs)
and makes things easier. You at least don't have to create these groups
explicitly.
Before I was aware of these settings/values I had the wish to create
groups in my language.

Now I was wondering why the RIDs are so 'messy'. Maybe one source of
failure was the use of webmin where the value on the synchronization
configuration website (sync Unix groups to Samba groups) for the
primary group SID or RID wasn't set (it was set to 'default'). And
here I don't know which SID or RID is being taken if the value is
set to 'default'. Now I set it to 513 explicitly.

> It's pretty easy to mod the code to do this.
> But I seriously doubt it would be a change that will go into the
> samba source tree.

I would say that setting things to correspondents, well known or
as convention is a good idea if people can change these settings
later in case they would like to use group names in their language
or in case they just have other reasons.
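
Added example, not part of the original message and not Samba code: a small Python audit of the rule quoted in this thread, that a primary group SID must be in the same domain as the user's SID and cannot be a BUILTIN group. The account names, the domain SID and the helper names are constructed for illustration; the well-known RIDs 512 to 515 and the BUILTIN domain S-1-5-32 are the standard Windows values.

```python
# Added example: audit primary-group SIDs against each user's domain SID.
# All account names and SIDs below are constructed sample data.
WELL_KNOWN_DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                          514: "Domain Guests", 515: "Domain Computers"}
BUILTIN_DOMAIN = "S-1-5-32"  # BUILTIN aliases such as Users (RID 545) live here


def split_sid(sid):
    """Return (domain_part, rid) for a SID string such as S-1-5-21-a-b-c-513."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a valid SID: {sid!r}")
    return "-".join(["S"] + parts[1:-1]), int(parts[-1])


def check_primary_group(user_sid, group_sid):
    """Classify one account's primary group SID relative to its user SID."""
    user_domain, _ = split_sid(user_sid)
    group_domain, group_rid = split_sid(group_sid)
    if group_domain == BUILTIN_DOMAIN:
        return "invalid: BUILTIN group cannot be a primary group"
    if group_domain != user_domain:
        return "invalid: primary group is in a different domain"
    name = WELL_KNOWN_DOMAIN_RIDS.get(group_rid)
    return f"ok: well-known {name}" if name else f"ok: custom RID {group_rid}"


def audit(accounts):
    """Map account name -> finding for (name, user_sid, group_sid) rows."""
    return {name: check_primary_group(u, g) for name, u, g in accounts}


DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
SAMPLE = [  # constructed rows: (account, user SID, primary group SID)
    ("alice", f"{DOM}-3000", f"{DOM}-513"),
    ("bob", f"{DOM}-3002", f"{DOM}-2001"),
    ("carol", f"{DOM}-3004", "S-1-5-32-545"),
    ("ws01$", f"{DOM}-3006", f"{DOM}-515"),
    ("dave", f"{DOM}-3008", "S-1-5-21-9-9-9-513"),
]

if __name__ == "__main__":
    for account, finding in audit(SAMPLE).items():
        print(f"{account:8} {finding}")
```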
