[Samba] Samba4 gid-to-sid question

Gémes Géza geza at kzsdabas.hu
Wed Feb 15 22:58:19 MST 2012

On 2012-02-16 02:01, steve wrote:
> Hi.
> We used info from a SID created using samba-tool group add to
> posix-ify it and then add a posix-ified domain user to it. The AD doco
> defines two sorts of SID. Ones that change, and ones that don't.
> Here is a search on our posix-ified group:
> ldbsearch --url=/usr/local/samba/private/idmap.ldb 'xidnumber=3000012'
> objectSid: S-1-5-21-980186919-4150830324-975011627-1121
> We set the primaryGroupID of the user to 1121, his gidNumber to
> 3000012 and his uidNumber from wbinfo. He becomes visible to Linux via
> nss-ldapd, whilst retaining his Domain User status on the Windows side:-)
> My question is, to which category of SID does
> S-1-5-21-980186919-4150830324-975011627-1121 belong? Can we assume
> that this is fixed for the life of the domain? Under what circumstances
> could s4 change it, and if it did, would we be given warning?
> Thanks,
> Steve

SIDs over S-1-5-21-.....-1000 are "ordinary" SIDs used by Windows for
users and groups. The M$ docs describe modifying the SID as a very
dangerous, unsupported operation with unpredictable consequences, so yes
SIDs can be considered as something "carved in stone".
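
Added example, not part of the original post or of Samba's code: it splits the SID from the thread into its domain SID and RID (the value used as primaryGroupID), shows the binary layout in which objectSid is stored, and applies the RID threshold from the reply. Function names are hypothetical, and treating RID 1000 itself as "ordinary" is an assumption.

```python
import struct

# The group SID quoted in the thread above.
GROUP_SID = "S-1-5-21-980186919-4150830324-975011627-1121"


def parse_sid(sid):
    """Split a string SID into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15 or any(not 0 <= s < 2**32 for s in subauths):
        raise ValueError("invalid sub-authority in %r" % sid)
    return revision, authority, subauths


def sid_to_bytes(sid):
    """Binary SID: revision, count, 6-byte big-endian authority,
    then each sub-authority as a 32-bit little-endian integer."""
    revision, authority, subauths = parse_sid(sid)
    head = struct.pack("BB", revision, len(subauths)) + authority.to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subauths), *subauths)


def bytes_to_sid(raw):
    """Decode a binary SID back to its S-R-A-... string form."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def split_domain_rid(sid):
    """Return (domain SID, RID) for a domain SID of the form S-1-5-21-a-b-c-RID."""
    revision, authority, subauths = parse_sid(sid)
    if (revision, authority) != (1, 5) or len(subauths) != 5 or subauths[0] != 21:
        raise ValueError("not a domain account/group SID: %r" % sid)
    return sid.rsplit("-", 1)[0], subauths[-1]


def is_ordinary_rid(rid):
    # Threshold taken from the reply above; including 1000 itself is an assumption.
    return rid >= 1000
```

The RID returned by split_domain_rid is the only part that differs between objects in the same domain; the first part is shared by every user and group the domain issues.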
