[Samba] Samba4 primaryGroupID attribute

Matthieu Patou mat at samba.org
Mon Apr 23 18:51:26 MDT 2012

On 04/23/2012 03:35 PM, steve wrote:
> Hi
> Coming from Linux, I'm struggling my way through this stuff.
> e.g. on my domain, the group suseusers has a SID of:
> S-1-5-21-1463437245-1224812800-863842198-1128
> Could anyone give me a yes/no/probably/absolutely-ridiculous on any of 
> these?
> -User steve has a primaryGroupID: 1128
no, you can't see it from the group; you could conclude it if:
* steve is a member of this group
* steve has only 1 group membership
> -steve is a member of suseusers
> -suseusers was the 128'th SID to be allocated
no, if you have more than one DC, each DC has a RID pool; one DC can 
allocate 2 or 3 RIDs while the other one can already be using its fourth 
or fifth pool.

> -given only the SID above, you could not identify it as a group
> -it could equally well have been a user
> -or a computer
> -1128 is called a RID
yes, well it's 1128
> -if I change 1128 to that of another group, steve changes primary 
> group to that of the other group
you can't change the SID of an object.
> -I only need change the 1128. LDAP does the rest
no, you can't change the SID of a group. What you can do is change the 
primary group of the user; you have to specify it. And I think Samba and 
Windows require that the user is already a member of this group before 
setting it as the default group; in this case LDAP takes on the job of 
updating both memberOf and primaryGroupId for you.
> -If I change it to that of a user, LDAP will reject the idea
yes, it should; if not, it's a bug.
> -users begin life with primaryGroupID 513
By default yes, you can still create a user with a primaryGroupID of 
anything else I think.
> I think it's nearly there so tia for your patience.
> Cheers,
> Steve

Matthieu Patou
Samba Team