[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 1 11:30:39 MST 2014


On 01/12/14 18:23, steve wrote:
> On 01/12/14 19:11, Rowland Penny wrote:
>> On 01/12/14 17:46, steve wrote:
>>> On 01/12/14 18:25, Rowland Penny wrote:
>>>> On 01/12/14 17:16, steve wrote:
>>>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>>>> On 01/12/14 17:09, steve wrote:
>>>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>> I do what windows does, it ignores the RID (what you call 'the
>>>>>>>>>> last set of digits from SID') and uses a builtin mechanism to
>>>>>>>>>> store the next uid & gidNumber.
>>>>>>>>
>>>>>>>>
>>>
>>>
>>> Take this dangerously incorrect fact:
>>>>>>>> The builtin users/groups use the RID for the GID/UID.
>>> No.
>>>
>>>
>>>>>>>
>>>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>>>> 300000?
>>>>>>>
>>>>>>>
>>>>>> No, it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> English, please. Notice the question mark after the last '0' ;)
>>>>
>>>> I thought I was speaking (well typing) English :-D
>>>>
>>>> Let's put it this way, samba4 gets the RID for Administrators
>>>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
>>>> in idmap.ldb.
>>>>
>>>> Does that answer all questions ??????
>>>>
>>>> Rowland
>>>
>>>
>>
>> In the context of the OP's statement, he was sort of correct, the
>> builtin user/group RIDs are used to get to the ID numbers.
>>
>> Take Administrators for example:
>>
>> RID 'S-1-5-32-544'
>> Winbind gets this, it is meaningless on Unix, so it gets mapped to an
>> xidNumber '3000000'
>>
>> This xidNumber is used as the group's gidNumber
>>
>> The xidNumber is stored in idmap.ldb
>>
>> dn: CN=S-1-5-32-544
>> cn: S-1-5-32-544
>> objectClass: sidMap
>> objectSid: S-1-5-32-544
>> type: ID_TYPE_BOTH
>> xidNumber: 3000000
>> distinguishedName: CN=S-1-5-32-544
>>
>> If you run 'getfacl /var/lib/samba/sysvol/' , you get this:
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol/
>> # owner: root
>> # group: 3000000
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:3000000:rwx
>> group:3000001:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> Now what part of the above is wrong ??
>>
> Hi
> '...sort of correct' is misleading enough and is to be discouraged.
> But unqualified statements which are incorrect should be banned.
> 'The builtin users/groups use the RID for the GID/UID.', is incorrect.
> Not only is it incorrect, but it is the opposite of what we would wish
> to achieve, especially with the low uids and gids which would ensue.
>
> Many of us here have wasted enough of our time reading threads on 
> mailing lists which are incorrect.
>
> Thank you for the qualification.
>
>> Rowland
>>
>
When you put it that way, then yes, it was wrong; 'The builtin
users/groups use the RID for their GID/UID.' would have been better,
that is, if you can spot the difference :-D

Rowland
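The idmap.ldb record and getfacl listing quoted above show the point of the thread: the numeric ids on sysvol are Samba-allocated xidNumbers, not the RID 544. Below is an added example (not code from the thread or from Samba) that parses idmap.ldb-style LDIF and getfacl output and resolves each numeric id back to its SID, flagging ids that have no mapping; the record for xidNumber 3000001 is constructed for illustration and is not from the thread.

```python
import re

# idmap.ldb-style LDIF. The first record is the one quoted in the thread;
# the second is constructed for this example (Samba allocates xidNumbers in
# its own order, so do not assume 3000001 is this SID on a real DC).
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

dn: CN=S-1-5-32-545
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

# Abbreviated getfacl output for sysvol, as quoted in the thread (constructed copy).
GETFACL = """\
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
mask::rwx
other::---
"""

def parse_idmap(ldif):
    """Return {xidNumber: (objectSid, type)} from idmap.ldb-style LDIF text."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if "xidNumber" in attrs and "objectSid" in attrs:
            mapping[int(attrs["xidNumber"])] = (attrs["objectSid"], attrs.get("type", "?"))
    return mapping

def rid_of(sid):
    """The RID is the last sub-authority of a SID: 544 for S-1-5-32-544."""
    return int(sid.rsplit("-", 1)[1])

def resolve_acl(getfacl_text, mapping):
    """Map every numeric user/group id in a getfacl listing to its SID (None if unmapped)."""
    results = []
    for line in getfacl_text.splitlines():
        m = re.match(r"(?:default:)?(user|group):(\d+):", line)
        if m:
            xid = int(m.group(2))
            results.append((m.group(1), xid, mapping.get(xid, (None, None))[0]))
    return results
```

An unmapped id (None) on a sysvol ACL is worth investigating: it means the filesystem carries a gidNumber that idmap.ldb no longer knows about.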


