[Samba] Samba SID/RID, UID/GID Best Practices?

[Jim Hogan]

I have a new Samba 3 domain backed by LDAP.  I am using Fedora-DS for 
LDAP component, so I have relied on a blend of tools to get up and 
running including Fedora-DS console and phpLDAPAdmin and (momentarily!) 
sambaldap-tools.   I am generally following the great IDEALX How-To but 
having to adapt it somewhat.

Standards for well-know Samba groups like "Domain Admins" were easy to 
find in the Samba Guide and elsewhere.  I have added Samba accounts for 
PDC and 15-20 additional user and groups, but saw that I might be 
introducing some inconsistencies.  Examples for adding well-know groups 
mapped 3-digit RIDs to 4-digit GIDs starting with 2xxx presumably to 
avoid conflicts, so I started to follow that for Users/Groups but then 
wondered "Why the heck am I doing that?" :)   Then a moment ago I 
noticed that I managed to add PDC machine account with SambaSID that is 
identical to Domain SID (ending in "-") where other examples definitely 
show DCs with RIDs.  Oops, I think.

So my email is to ask if there is a How-To or best-practice reference 
page (I found a few partial references on MSDN) that spells out 
ideal/accepted SID/RID methods/numbering and UID/GID mapping?    It 
seems that, other than well-know accounts, RIDs are arbitrary by design.

Part of my small problem is that I thought auto-increment/complete 
functions were working at a few times when they were not.   Also, I was 
thinking that, because I have a replicated LDAP instance on both PDC and 
BDC, I should have no need of the "idmap" feature and wasn't consciously 
thinking UID-GID ranges.  That, along with truncating RIDs, is now 
seeming short-sighted.   So I think I have a few small corrections to 
make, but figured I would step back and query the list before I add 400 
user records!

Thanks,

Jim