[Samba] Samba4 xidNumber and idmap.ldb

steve steve at steve-ss.com
Sun Feb 26 10:15:43 MST 2012

On 26/02/12 17:03, Gémes Géza wrote:
> On 2012-02-26 10:28, steve wrote:
>> Hi everyone
>> The s4 Domain Users group has xidNumber: 100 and the Linux users group
>> has gidNumber=100. I've been mapping xidNumber<-->  gidNumber for s4
>> posix groups I've added myself, but this causes a name collision for
>> Domain Users. This also has implications on Linux as local users have
>> access to the group owned stuff of Domain users.
>> I've changed the xidNumber in idmap.ldb to 2000 and posix-ified my
>> Domain Users correspondingly. Everything still works, well, it works
>> for one test user at least.
>> 1. Does xidNumber: 100 have any special meaning to windows?
>> 2. To help readability, would it be possible to add a label to common
>> entries in idmap to help us identify them?
>> Cheers,
>> Steve
> 1. idmap.ldb is private to the Samba4 box so windows sees nothing from xids
> 2. xids are there as (I hope) a temporary solution for storing uids,
> gids in a unified manner, if those attributes would be visible windows
> would still ignore them
> Regards
> Geza

That is good news. I thought I may have been committing a crime by 
altering stuff there.

I've tried to work around the sid-gid-uid stuff using xid's from 
idmap.ldb and storing uid and gid along with posix attrs and classes for 
individual users in sam.ldb.

I looked in the m$ schema and found this:

cn: PosixAccount
ldapDisplayName: posixAccount
mayContain: uid, cn, uidNumber, gidNumber, unixHomeDirectory, homeDirectory,
userPassword, unixUserPassword, loginShell, gecos, description

cn: PosixGroup
ldapDisplayName: posixGroup
mayContain: cn, userPassword, unixUserPassword, description, gidNumber,

I've got some crude scripts together (based on your echo to file idea) here:
which include most of that stuff. It's the 'mayContain' that confuses 
me. e.g. my subset of mayContain does not have gecos nor cn but still 
seems to map OK via nss.

Sorry. Just one more thing. Could you point me at the code which finds 
the next free xid when e.g. you create a new user?

TIA for your time.
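A check for the collision described above (a group xidNumber in idmap.ldb that equals a gid already in /etc/group, so local members inherit access to that group's files), as an added example that is not part of this thread or of Samba. It parses constructed LDIF in the shape of idmap.ldb sidMap records and constructed /etc/group lines; the record layout, the attribute names and the ID_TYPE_GID/ID_TYPE_BOTH values are assumptions about Samba4's idmap.ldb, not something stated in the post.

```python
# Constructed sample of `ldbsearch -H idmap.ldb` output (LDIF). Not real data;
# the sidMap record shape (objectSid/type/xidNumber) is an assumption.
SAMPLE_IDMAP_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-513
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
type: ID_TYPE_GID
xidNumber: 100

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_GID
xidNumber: 2000
"""
# Constructed sample /etc/group; the local 'users' group already owns gid 100.
SAMPLE_ETC_GROUP = """\
root:x:0:
users:x:100:alice,bob
"""


def parse_ldif(text):
    """One dict per blank-line separated LDIF record (attribute -> value)."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        records.append({k.strip(): v.strip() for k, v in pairs})
    return records


def parse_etc_group(text):
    """Map gid -> group name from /etc/group lines (name:pw:gid:members)."""
    gids = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, _members = line.split(":", 3)
            gids[int(gid)] = name
    return gids


def find_gid_collisions(ldif_text, etc_group_text):
    """(objectSid, xidNumber, local group) for each GID mapping that reuses a local gid."""
    local = parse_etc_group(etc_group_text)
    hits = []
    for rec in parse_ldif(ldif_text):
        # ID_TYPE_BOTH entries are also handed out as gids, so check them too.
        if rec.get("type") in ("ID_TYPE_GID", "ID_TYPE_BOTH") and "xidNumber" in rec:
            xid = int(rec["xidNumber"])
            if xid in local:
                hits.append((rec["objectSid"], xid, local[xid]))
    return hits
```

Run against the real `ldbsearch -H /path/to/idmap.ldb` output and your own /etc/group; a non-empty result names each SID whose xidNumber should be moved into a range (such as 2000 and above) that no local group uses.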

