[Samba] Samba4 gid-to-sid question

Gémes Géza geza at kzsdabas.hu
Thu Feb 16 13:14:09 MST 2012


On 2012-02-16 11:39, steve wrote:
> On 02/16/2012 06:58 AM, Gémes Géza wrote:
>> On 2012-02-16 02:01, steve wrote:
>>> Hi.
>>> We used info from a SID created using samba-tool group add to
>>> posix-ify it and then add a posix-ified domain user to it. The AD doco
>>> defines two sorts of SID. Ones that change, and ones that don't.
>>>
>>> Here is a search on our posix-ified group:
>>> ldbsearch --url=/usr/local/samba/private/idmap.ldb 'xidnumber=3000012'
>>> objectSid: S-1-5-21-980186919-4150830324-975011627-1121
>>>
>>> We set the primaryGroupID of the user to 1121, his gidNumber to
>>> 3000012 and his uidNumber from wbinfo. He becomes visible to Linux via
>>> nss-ldapd, whilst retaining his Domain User status on the windows side:-)
>>>
>>> My question is, to which category of SID does
>>> S-1-5-21-980186919-4150830324-975011627-1121 belong? Can we assume
>>> that this is fixed for the life of the domain? Under what circumstances
>>> could s4 change it, and if it did, would we be given warning?
>>>
>>> Thanks,
>>> Steve
>>>
>>>
>>>
>> Hi
>>
>> SIDs over S-1-5-21-.....-1000 are "ordinary" SIDs used by windows for
>> users and groups. The M$ docs describe modifying the SID as a very
>> dangerous, unsupported operation with unpredictable consequences, so yes
>> SIDs can be considered as something "carved in stone".
>>
>> Regards
>>
>> Geza
> Hi Geza
> Thanks for the confirmation. Will s4 follow the carved in stone m$
> guidelines?
>
> So far, the schema has allowed my addition of POSIX objects and
> attributes to the ldb's. Indeed, some of them such as posixAccount are
> already there, just waiting to be pulled in. Will there be any
> changes made which will negate this? e.g. I have a user with
> primaryGroupID: 1121, uidnumber: 3000000, unixhomedirectory:
> /home/workgroup/user. Will the user always have those attributes? Now?
> After the next git? After a s4 release?
>
> Maybe the question should be, will there be any changes made to the
> schema which would disallow rfc2307 attributes to be included?
>
> It's almost Friday.
>
> Cheers,
> Steve
>
Hi,

As I understand it, the plan is to support rfc2307 attributes in the
samba4 winbind implementation, so I would be very surprised+annoyed if
they would get unsupported on Samba4.

Regards

Geza
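
An added example, not part of the original messages and not Samba code: it decodes the SID quoted in the thread into its domain part and RID, converts it to and from the binary form held in the objectSid attribute, and checks that a user's primaryGroupID resolves to the intended group. The function names are hypothetical and USER_SID uses a constructed RID (1105).

```python
import struct

# The group SID is the one quoted in the thread. USER_SID is constructed for
# this example: same domain, with a made-up RID of 1105.
GROUP_SID = "S-1-5-21-980186919-4150830324-975011627-1121"
USER_SID = "S-1-5-21-980186919-4150830324-975011627-1105"

def parse_sid(sid):
    """Return (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    rev, auth, *subs = (int(p) for p in parts[1:])
    if len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of range: %r" % sid)
    return rev, auth, subs

def sid_to_bytes(sid):
    """Binary objectSid layout: revision, count, 48-bit big-endian authority,
    then each sub-authority as a little-endian 32-bit integer."""
    rev, auth, subs = parse_sid(sid)
    return (struct.pack("BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def bytes_to_sid(raw):
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or padded SID")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    auth = int.from_bytes(raw[2:8], "big")
    return "-".join(["S", str(raw[0]), str(auth)] + [str(s) for s in subs])

def split_domain_rid(sid):
    """Domain account SIDs are S-1-5-21-<three domain values>-<RID>."""
    rev, auth, subs = parse_sid(sid)
    if (rev, auth) != (1, 5) or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain account SID: %r" % sid)
    return sid.rsplit("-", 1)[0], subs[-1]

def primary_group_matches(user_sid, primary_group_id, group_sid):
    """primaryGroupID stores only a RID, so it is resolved against the
    user's own domain SID; both halves have to line up."""
    user_domain, _ = split_domain_rid(user_sid)
    group_domain, group_rid = split_domain_rid(group_sid)
    return user_domain == group_domain and primary_group_id == group_rid

if __name__ == "__main__":
    print(sid_to_bytes(GROUP_SID).hex())
    print(split_domain_rid(GROUP_SID))
    print(primary_group_matches(USER_SID, 1121, GROUP_SID))
```
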

