[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
rowlandpenny at googlemail.com
Mon Dec 1 09:54:57 MST 2014
On 01/12/14 16:31, Greg Zartman wrote:
> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
> I do what windows does, it ignores the RID (what you call 'the
> last set of digits from SID') and uses a builtin mechanism to
> store the next uid & gidNumber.
> The builtin users/groups use the RID for the GID/UID.
Well, yes and no, on the samba4 AD DC they get mapped in idmap.ldb
> If you create a user and then go to the UNIX_Attributes tab in
> ADUC, firstly you will find a 'uidNumber' is assigned to your user
> (if it is the first user, this will be 10000) and when you add the
> attributes, you will then find in the user's object in AD that the
> following attributes will have been added:
> Do you have to go back and add these values to the builtin
> groups/users like "Domain Admins"?
> unixUserPassword: ABCD!efgh12345$67890 <-- the password is always
> this, unless password sync is installed and it doesn't (yet) exist
> on S4
> You are saying this exact string is the same no matter what? What's
> it used for then?
With a Windows AD DC you can install software that will sync the Windows
user's password with the unixUserPassword attribute; this can then be
used by Unix programs. I personally don't know anybody that uses it, but
it is there.
> Unfortunately, these attributes do not exist as standard, so you
> would either have to add a user with ADUC or manually add them
> yourselves with ldbedit. As standard on windows, they both start
> at '10000', though you can set them to whatever you require, just
> make sure that they do not interfere with any local Unix users.
> Quite a lot of this stuff isn't standard, nor documented. It is
> incredibly frustrating to deploy Samba 4 in a mixed Windows/*nix environment.
Perhaps it would have been better if I had said 'these attributes do not
exist as standard on a samba4 AD DC', they are standard on a windows AD
DC with 'server for NIS' installed. Samba just decided not to use them.
I did hope that 4.2 would make using the S4 AD DC with Unix users
easier, but this will not happen until winbindd pulls all the RFC2307
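The thread above describes adding the RFC2307 attributes by hand with ldbedit, starting uidNumber/gidNumber at 10000 and making sure they do not collide with local Unix accounts. The script below is an added example written for this page; it is not code from the thread, from Rowland Penny or from the Samba project. It takes the `uidNumber` values already in AD (as ldbsearch prints them), the local /etc/passwd, picks the lowest free id at or above 10000 and emits an LDIF `modify` record that ldbmodify can apply. The sam.ldb path, the sample DNs under DC=samdom,DC=example,DC=com, the sample ldbsearch output and passwd lines are all constructed assumptions; the attribute names uidNumber, gidNumber, unixHomeDirectory and loginShell are the RFC2307 attributes in the AD schema (the thread's own list of attributes is cut off above), and the gidNumber passed for the new user is assumed to belong to a group that already carries one.

```python
"""Pick the next free uidNumber for an AD user and emit the RFC2307 LDIF.

Added example for this page, not code from the thread or from Samba.
Assumed workflow (all paths are assumptions, adjust for your build):
  ldbsearch -H /var/lib/samba/private/sam.ldb '(uidNumber=*)' uidNumber > ad_uids.ldif
  python3 rfc2307_ldif.py > dave.ldif
  ldbmodify -H /var/lib/samba/private/sam.ldb dave.ldif
"""
import re
from typing import Iterable, List, Set

START_ID = 10000  # the value Windows ADUC hands the first user, per the thread

# Constructed sample of ldbsearch output (LDIF style); not from a real DC.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10000

# record 2
dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10001

# record 3
dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10003

# returned 3 records
"""

# Constructed sample /etc/passwd with a local account inside the 10000+
# range: exactly the collision the thread warns about.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:10002:10002:local backup user:/srv/backup:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""


def parse_ldb_ids(ldbsearch_output: str, attr: str = "uidNumber") -> List[int]:
    """Extract every '<attr>: N' value from ldbsearch/LDIF output."""
    pattern = re.compile(r"^%s:\s*(\d+)\s*$" % re.escape(attr), re.MULTILINE)
    return [int(m.group(1)) for m in pattern.finditer(ldbsearch_output)]


def local_uids(passwd_text: str) -> Set[int]:
    """Collect the numeric UIDs (third field) from /etc/passwd-format text."""
    uids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids


def next_free_id(in_ad: Iterable[int], on_host: Iterable[int],
                 start: int = START_ID) -> int:
    """Lowest id >= start that neither AD nor the local passwd file uses."""
    taken = set(in_ad) | set(on_host)
    candidate = start
    while candidate in taken:
        candidate += 1
    return candidate


def rfc2307_ldif(dn: str, uid_number: int, gid_number: int,
                 home: str, shell: str = "/bin/bash") -> str:
    """LDIF 'changetype: modify' record adding RFC2307 attributes to a user.

    Each mod-spec ends with a '-' line, as RFC 2849 requires.
    """
    attrs = [("uidNumber", uid_number), ("gidNumber", gid_number),
             ("unixHomeDirectory", home), ("loginShell", shell)]
    lines = ["dn: %s" % dn, "changetype: modify"]
    for name, value in attrs:
        lines += ["add: %s" % name, "%s: %s" % (name, value), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ad_uids = parse_ldb_ids(SAMPLE_LDBSEARCH)
    host_uids = local_uids(SAMPLE_PASSWD)
    # 10002 is taken locally and 10003 in AD, so the next free id is 10004.
    new_uid = next_free_id(ad_uids, host_uids)
    # gidNumber 10000 is assumed to be the one already set on Domain Users.
    print(rfc2307_ldif("CN=dave,CN=Users,DC=samdom,DC=example,DC=com",
                       new_uid, 10000, "/home/SAMDOM/dave"), end="")
```

Run the ldbsearch step against a real sam.ldb and feed its output to parse_ldb_ids in place of the constructed sample; the local passwd check matters on every member host that will resolve the user through winbind, not only on the DC, so the safest practice is to reserve the 10000+ range for domain ids on all of them.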