[Samba] Samba SID/RID, UID/GID Best Practices?
jimh at u.washington.edu
Sat Sep 16 22:10:39 GMT 2006
I have a new Samba 3 domain backed by LDAP. I am using Fedora-DS for
LDAP component, so I have relied on a blend of tools to get up and
running including Fedora-DS console and phpLDAPAdmin and (momentarily!)
sambaldap-tools. I am generally following the great IDEALX How-To but
having to adapt it somewhat.
Standards for well-know Samba groups like "Domain Admins" were easy to
find in the Samba Guide and elsewhere. I have added Samba accounts for
PDC and 15-20 additional user and groups, but saw that I might be
introducing some inconsistencies. Examples for adding well-know groups
mapped 3-digit RIDs to 4-digit GIDs starting with 2xxx presumably to
avoid conflicts, so I started to follow that for Users/Groups but then
wondered "Why the heck am I doing that?" :) Then a moment ago I
noticed that I managed to add PDC machine account with SambaSID that is
identical to Domain SID (ending in "-") where other examples definitely
show DCs with RIDs. Oops, I think.
So my email is to ask if there is a How-To or best-practice reference
page (I found a few partial references on MSDN) that spells out
ideal/accepted SID/RID methods/numbering and UID/GID mapping? It
seems that, other than well-know accounts, RIDs are arbitrary by design.
Part of my small problem is that I thought auto-increment/complete
functions were working at a few times when they were not. Also, I was
thinking that, because I have a replicated LDAP instance on both PDC and
BDC, I should have no need of the "idmap" feature and wasn't consciously
thinking UID-GID ranges. That, along with truncating RIDs, is now
seeming short-sighted. So I think I have a few small corrections to
make, but figured I would step back and query the list before I add 400
More information about the samba