[Samba] Help with fixing users and groups with the same SID in LDAP

Andrew Bartlett abartlet at samba.org
Wed Dec 4 00:16:46 MST 2013

On Mon, 2013-12-02 at 21:31 +0000, Tim wrote:
> Jonathan Buzzard <jonathan <at> buzzard.me.uk> writes:
> > There is absolutely nothing wrong with a uidNumber and gidNumber being 
> > the same numerical value as they are two entirely different sets of 
> > numbers. What is not possible in the Windows world is to have a username 
> > and a group with the same text name. What looks to be at issue is that 
> > you have been generating SIDs based on the uidNumber or gidNumber which 
> > has never been a sensible idea.
> > 
> Hmm... I believe the SIDs in question were automatically generated ages ago 
> by smbldap tools. No one has manually intervened when adding users or groups 
> to my knowledge. 
> I was planning to follow the apparent convention of the existing SIDs when 
> updating the dupes... IIRC it was how SIDs were computed back in the NT days 
> or something :-) Is there a better algorithm to use or does it really not 
> matter what I change the last section to as long as the SID is unique within 
> the domain?

Provided you do it before the migration, choose any (unique) value.  We
then use the values above this number for new automatic allocations once
we are an AD DC. 

> > 
> > There should be no reason to change the gidNumber, just change the SID. 
> > I would have the directory servers offline to the users while the 
> > changes were made and restart any domain joined machines after 
> > restarting the samba3+ldap combination.
> Ok, thanks - that makes sense.
> I appreciate your help!
> Cheers,
> Tim

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
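
An added example, not part of the original message and not Samba or smbldap-tools code: one way to audit an export of `sambaSID` values for the user/group collisions discussed above and to plan unique replacements before the migration. The domain SID, the DNs, the choice to let the first listed entry keep its SID, and the choice to allocate new RIDs just above the highest one in use are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (dn, sambaSID) pairs as they might be pulled from an
# LDIF export of user and group entries. Not real data.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ENTRIES = [
    ("uid=alice,ou=Users,dc=example,dc=com", DOMAIN_SID + "-3000"),
    ("uid=bob,ou=Users,dc=example,dc=com", DOMAIN_SID + "-3002"),
    ("cn=staff,ou=Groups,dc=example,dc=com", DOMAIN_SID + "-3002"),
    ("cn=admins,ou=Groups,dc=example,dc=com", DOMAIN_SID + "-3001"),
    ("cn=ops,ou=Groups,dc=example,dc=com", DOMAIN_SID + "-3000"),
]


def split_sid(sid):
    """Return (domain_part, rid) for a domain SID string."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a domain SID: {sid!r}")
    return domain, int(rid)


def find_duplicates(entries):
    """Map each SID held by more than one entry to the DNs holding it."""
    by_sid = defaultdict(list)
    for dn, sid in entries:
        split_sid(sid)  # reject malformed values early
        by_sid[sid].append(dn)
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}


def plan_fixes(entries):
    """Propose a new, unused SID for all but the first holder of each dupe."""
    used_rids = {split_sid(sid)[1] for _, sid in entries}
    next_rid = max(used_rids) + 1  # assumption: allocate above current max
    plan = {}
    for sid, dns in sorted(find_duplicates(entries).items()):
        domain, _ = split_sid(sid)
        for dn in dns[1:]:  # assumption: first listed entry keeps its SID
            plan[dn] = f"{domain}-{next_rid}"
            next_rid += 1
    return plan


if __name__ == "__main__":
    for dn, new_sid in plan_fixes(SAMPLE_ENTRIES).items():
        print(f"{dn}: sambaSID -> {new_sid}")
```
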
