[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 1 09:54:57 MST 2014

On 01/12/14 16:31, Greg Zartman wrote:
> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny 
> <rowlandpenny at googlemail.com <mailto:rowlandpenny at googlemail.com>> wrote:
>     I do what windows does, it ignores the RID (what you call 'the
>     last set of digits from SID') and uses a builtin mechanism to
>     store the next uid & gidNumber.
> The builtin users/groups use the RID for the GID/UID.

Well, yes and no. On the samba4 AD DC they get mapped in idmap.ldb.

>     If you create a user and then go to the UNIX_Attributes tab in
>     ADUC, firstly you will find a 'uidNumber' is assigned to your user
>     (if it is the first user, this will be 10000) and when you add the
>     attributes, you will then find in the users object in AD that the
>     following attributes will have been added:
>     uid
>     msSFU30Name
>     msSFU30NisDomain
>     uidNumber
>     gidNumber
>     loginShell
>     unixHomeDirectory
> Do you have to go back and add these values to the builtin 
> groups/users like "Domain Admins"?
>     unixUserPassword: ABCD!efgh12345$67890  <-- the password is always
>     this, unless password sync is installed and it doesn't (yet) exist
>     on S4
> You are saying this exact string is the same no matter what?   What's 
> it used for then?

With a windows AD DC you can install software that will sync the windows 
users' password with the unixUserPassword attribute; this can then be 
used by Unix programs. I personally don't know anybody that uses it, but 
it is there.

>     Unfortunately, these attributes do not exist as standard, so you
>     would either have to add a user with ADUC or manually add them
>     yourselves with ldbedit. As standard on windows, they both start
>     at '10000', though you can set them to whatever you require, just
>     make sure that they do not interfere with any local Unix users.
> Quite a lot of this stuff isn't standard, nor documented.  It is 
> incredibly frustrating to deploy Samba 4 in a mixed windows/*nix environment.
Perhaps it would have been better if I had said 'these attributes do not 
exist as standard on a samba4 AD DC'; they are standard on a windows AD 
DC with 'server for NIS' installed. Samba just decided not to use them.

I did hope that 4.2 would make using S4 AD DC with Unix users 
easier, but this will not happen until winbindd pulls all the RFC2307 


> Greg
