[Samba] Samba4 gid-to-sid question
steve at steve-ss.com
Thu Feb 16 03:39:35 MST 2012
On 02/16/2012 06:58 AM, Gémes Géza wrote:
> 2012-02-16 02:01 keltezéssel, steve írta:
>> We used info from a SID created using samba-tool group add to
>> posix-ify it and then add a posix-ifed domain user to it. The AD doco
>> defines two sorts of SID. Ones that change, and ones that don't.
>> Here is a search on our posix-ified group:
>> ldbsearch --url=/usr/local/samba/private/idmap.ldb 'xidnumber=3000012'
>> objectSid: S-1-5-21-980186919-4150830324-975011627-1121
>> We set the primaryGroupID of the user to 1121, his gidNumber to
>> 3000012 and his uidNumber from wbinfo. He becomes visible to Linux via
>> nss-ldapd, whilst retaing his Domain User status on the windows side:-)
>> My question is, to which category of SID does
>> S-1-5-21-980186919-4150830324-975011627-1121 belong? Can we assume
>> that this is fixed for the life of the domain? Under what circustances
>> could s4 change it, and if id did, would we be given warning?
> SIDs over S-1-5-21-.....-1000 are "ordinary" SIDs used by windows for
> users and groups. The M$ docs describe modifying the SID as a very
> dangerous, unsupported operation with unpredictable consequences, so yes
> SIDs can be considered as something "carved in stone".
Thanks for the confirmation. Will s4 follow the carved in stone m$
So far, the schema has allowed my addition of POSIX objects and
attributes to the ldb's. Indeed, some of them such as posixAccount are
already there, just waiting to be pulled in. Will there be any changes
made which will negate this? e.g. I have a user with primaryGroupID:
1121, uidnumber: 3000000, unixhomedirectory: /home/workgroup/user. Will
the user always have those attributes? Now? After the next git? After a
Maybe the question should be, will there be any changes made to the
schema which would disallow rfc2307 attributes to be included?
It's almost Friday.
More information about the samba