[Samba] Samba4 gid-to-sid question

Gémes Géza geza at kzsdabas.hu
Wed Feb 15 22:58:19 MST 2012


On 2012-02-16 02:01, steve wrote:
> Hi.
> We used info from a SID created using samba-tool group add to
> posix-ify it and then add a posix-ified domain user to it. The AD doco
> defines two sorts of SID. Ones that change, and ones that don't.
>
> Here is a search on our posix-ified group:
> ldbsearch --url=/usr/local/samba/private/idmap.ldb 'xidnumber=3000012'
> objectSid: S-1-5-21-980186919-4150830324-975011627-1121
>
> We set the primaryGroupID of the user to 1121, his gidNumber to
> 3000012 and his uidNumber from wbinfo. He becomes visible to Linux via
> nss-ldapd, whilst retaining his Domain User status on the windows side:-)
>
> My question is, to which category of SID does
> S-1-5-21-980186919-4150830324-975011627-1121 belong? Can we assume
> that this is fixed for the life of the domain? Under what circumstances
> could s4 change it, and if it did, would we be given warning?
>
> Thanks,
> Steve
>
>
>
Hi

SIDs over S-1-5-21-.....-1000 are "ordinary" SIDs used by Windows for
users and groups. The M$ docs describe modifying the SID as a very
dangerous, unsupported operation with unpredictable consequences, so yes,
SIDs can be considered as something "carved in stone".

Regards

Geza
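
Added example, not part of the original thread and not Samba code: a Python check that splits the group SID from the post into domain SID and RID, classifies the RID, and confirms that a user's primaryGroupID refers to that group. The user SID (RID 1122), the function names and the "reserved" label are assumptions made for illustration; the binary layout decoded by `bytes_to_sid` is the standard objectSid encoding that LDAP clients other than ldbsearch return.

```python
import struct

# Well-known domain-relative RIDs; RIDs from 1000 up go to ordinary accounts.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers",
                   516: "Domain Controllers"}

GROUP_SID = "S-1-5-21-980186919-4150830324-975011627-1121"  # from the post
USER_SID = "S-1-5-21-980186919-4150830324-975011627-1122"   # constructed

def bytes_to_sid(raw):
    """Decode a binary objectSid (as LDAP stores it) to its string form."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])   # 32-bit, little-endian
    return "S-1-%d-%s" % (authority, "-".join(map(str, subs)))

def parse_domain_sid(sid):
    """Split S-1-5-21-<a>-<b>-<c>-<rid> into (domain SID, RID)."""
    parts = sid.strip().split("-")
    if parts[:4] != ["S", "1", "5", "21"] or len(parts) != 8:
        raise ValueError("not a domain account SID: %r" % sid)
    if not all(p.isdigit() and int(p) <= 0xFFFFFFFF for p in parts[4:]):
        raise ValueError("sub-authority out of range: %r" % sid)
    return "-".join(parts[:7]), int(parts[7])

def classify_rid(rid):
    """Name a well-known RID, else report ordinary (>= 1000) or reserved."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "ordinary" if rid >= 1000 else "reserved"

def primary_group_matches(user_sid, group_sid, primary_group_id):
    """primaryGroupID holds only a RID, so the group must share the user's domain."""
    user_domain, _ = parse_domain_sid(user_sid)
    group_domain, group_rid = parse_domain_sid(group_sid)
    return user_domain == group_domain and group_rid == primary_group_id

if __name__ == "__main__":
    domain, rid = parse_domain_sid(GROUP_SID)
    print(domain, rid, classify_rid(rid))
    print(primary_group_matches(USER_SID, GROUP_SID, 1121))
```

Because primaryGroupID stores only the RID, the mapping to gidNumber 3000012 stays valid only as long as the group's SID does, which is the stability the reply describes.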

