[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)

steve steve at steve-ss.com
Mon Dec 1 11:23:29 MST 2014


On 01/12/14 19:11, Rowland Penny wrote:
> On 01/12/14 17:46, steve wrote:
>> On 01/12/14 18:25, Rowland Penny wrote:
>>> On 01/12/14 17:16, steve wrote:
>>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>>> On 01/12/14 17:09, steve wrote:
>>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>>
>>>>>>>>> I do what windows does, it ignores the RID (what you call 'the last
>>>>>>>>> set of digits from SID') and uses a builtin mechanism to store the
>>>>>>>>> next uid & gidNumber.
>>>>>>>
>>>>>>>
>>
>>
>> Take this dangerously incorrect fact:
>>>>>>> The builtin users/groups use the RID for the GID/UID.
>> No.
>>
>>
>>>>>>
>>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>>> 300000?
>>>>>>
>>>>>>
>>>>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>>
>>>>> Rowland
>>>>>
>>>> English please. Notice the question mark after the last '0';)
>>>
>>> I thought I was speaking (well typing) English :-D
>>>
>>> Let's put it this way, samba4 gets the RID for Administrators
>>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
>>> in idmap.ldb.
>>>
>>> Does that answer all questions ??????
>>>
>>> Rowland
>>
>>
>
> In the context of the OP's statement, he was sort of correct, the
> builtin user/group RIDs are used to get to the ID numbers.
>
> Take Administrators for example:
>
> RID 'S-1-5-32-544'
> Winbind gets this, it is meaningless on Unix, so it gets mapped to an
> xidNumber '3000000'
>
> This xidNumber is used as the group's gidNumber
>
> The xidNumber is stored in idmap.ldb
>
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
> If you run 'getfacl /var/lib/samba/sysvol/' , you get this:
>
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> Now what part of the above is wrong ??
>
Hi
'...sort of correct' is misleading enough and is to be discouraged. But 
unqualified statements which are incorrect should be banned.
'The builtin users/groups use the RID for the GID/UID.' is incorrect. 
Not only is it incorrect, but it is the opposite of what we would wish 
to achieve, especially with the low uids and gids which would ensue.

Many of us here have wasted enough of our time reading threads on 
mailing lists which are incorrect.

Thank you for the qualification.

> Rowland
>



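An added example, not part of the original message and not Samba code: a Python sketch that parses sidMap records like the one quoted above and annotates the numeric entries of the quoted getfacl output with the SID they map to, so an ACL on sysvol can be read back in terms of SIDs. The function names are hypothetical; the inputs are the record and an excerpt of the output from this thread.

```python
import re

# sidMap record quoted in the thread (idmap.ldb entry for S-1-5-32-544).
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
"""

# Excerpt of the getfacl output quoted in the thread.
GETFACL = """\
# file: var/lib/samba/sysvol/
# group: 3000000
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
default:group:3000000:rwx
default:group:3000001:r-x
"""

def parse_idmap(ldif):
    """Return {xidNumber: (objectSid, type)} for every sidMap record."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if attrs.get("objectClass") == "sidMap" and "xidNumber" in attrs:
            mapping[int(attrs["xidNumber"])] = (attrs["objectSid"], attrs.get("type"))
    return mapping

def annotate_acl(acl_text, mapping):
    """Return [(acl_line, sid_or_None)] for entries naming a numeric uid/gid."""
    usable = {"user": ("ID_TYPE_UID", "ID_TYPE_BOTH"),
              "group": ("ID_TYPE_GID", "ID_TYPE_BOTH")}
    results = []
    for line in acl_text.splitlines():
        m = re.match(r"(?:default:)?(user|group):(\d+):[rwx-]{3}$", line)
        if not m:
            continue  # header lines, named entries, owner/mask/other entries
        sid, id_type = mapping.get(int(m.group(2)), (None, None))
        # Only accept the mapping if its type fits the kind of ACL entry.
        results.append((line, sid if id_type in usable[m.group(1)] else None))
    return results

if __name__ == "__main__":
    for line, sid in annotate_acl(GETFACL, parse_idmap(IDMAP_LDIF)):
        print(f"{line:28} -> {sid or 'no sidMap record in sample'}")
```

Entries that come back without a SID are ids for which the sample holds no sidMap record; the thread quotes only the record for 3000000.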