[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)

steve steve at steve-ss.com
Mon Dec 1 12:32:58 MST 2014 

On 01/12/14 20:20, Rowland Penny wrote:
> On 01/12/14 19:16, steve wrote:
>> On 01/12/14 19:30, Rowland Penny wrote:
>>> On 01/12/14 18:23, steve wrote:
>>>> On 01/12/14 19:11, Rowland Penny wrote:
>>>>> On 01/12/14 17:46, steve wrote:
>>>>>> On 01/12/14 18:25, Rowland Penny wrote:
>>>>>>> On 01/12/14 17:16, steve wrote:
>>>>>>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>>>>>>> On 01/12/14 17:09, steve wrote:
>>>>>>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>>>>>>> <rowlandpenny at googlemail.com>
>>>>>>>>>>> wrote:
>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> I do what windows does, it ignores the RID (what you call 'the
>>>>>>>>>>>>> last
>>>>>>>>>>>>> set
>>>>>>>>>>>> of digits from SID') and uses a builtin mechanism to store the
>>>>>>>>>>>> next
>>>>>>>>>>>> uid &
>>>>>>>>>>>> gidNumber.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>
>>>>>>
>>>>>> Take this dangerously incorrect fact:
>>>>>>>>>>> The builtin users/groups use the RID for the GID/UID.
>>>>>> No.
>>>>>>
>>>>>>
>>>>>>>>>>
>>>>>>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>>>>>>> 300000?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> No its not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>>>>>>
>>>>>>>>> Rowland
>>>>>>>>>
>>>>>>>> English please. Notice the question mark after the last '0';)
>>>>>>>
>>>>>>> I thought I was speaking (well typing) English :-D
>>>>>>>
>>>>>>> Lets put it this way, samba4 gets the RID for Administrators
>>>>>>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all
>>>>>>> this
>>>>>>> in idmap.ldb.
>>>>>>>
>>>>>>> Does that answer all questions ??????
>>>>>>>
>>>>>>> Rowland
>>>>>>
>>>>>>
>>>>>
>>>>> In the context of the OP's statement, he was sort of correct, the
>>>>> builtin user/group RID's are used to get to the ID numbers.
>>>>>
>>>>> Take Administrators for example:
>>>>>
>>>>> RID 'S-1-5-32-544'
>>>>> Winbind gets this, it is meaningless on Unix, so it gets mapped to an
>>>>> xidNumber '3000000'
>>>>>
>>>>> This xidnumber is used as the groups gidNumber
>>>>>
>>>>> The xidNumber is stored in idmap.ldb
>>>>>
>>>>> dn: CN=S-1-5-32-544
>>>>> cn: S-1-5-32-544
>>>>> objectClass: sidMap
>>>>> objectSid: S-1-5-32-544
>>>>> type: ID_TYPE_BOTH
>>>>> xidNumber: 3000000
>>>>> distinguishedName: CN=S-1-5-32-544
>>>>>
>>>>> If you run 'getfacl /var/lib/samba/sysvol/' , you get this:
>>>>>
>>>>> getfacl: Removing leading '/' from absolute path names
>>>>> # file: var/lib/samba/sysvol/
>>>>> # owner: root
>>>>> # group: 3000000
>>>>> user::rwx
>>>>> user:root:rwx
>>>>> group::rwx
>>>>> group:3000000:rwx
>>>>> group:3000001:r-x
>>>>> group:3000002:rwx
>>>>> group:3000003:r-x
>>>>> mask::rwx
>>>>> other::---
>>>>> default:user::rwx
>>>>> default:user:root:rwx
>>>>> default:group::---
>>>>> default:group:3000000:rwx
>>>>> default:group:3000001:r-x
>>>>> default:group:3000002:rwx
>>>>> default:group:3000003:r-x
>>>>> default:mask::rwx
>>>>> default:other::---
>>>>>
>>>>> Now what part of the above is wrong ??
>>>>>
>>>> Hi
>>>> '...sort of correct' is misleading enough and is to be discouraged.
>>>> But unqualified statements which are incorrect should be banned.
>>>> 'The builtin users/groups use the RID for the GID/UID.', is incorrect.
>>>> Not only is it incorrect, but it is the opposite of what we would wish
>>>> to achieve, especially with the low uids and gids which would ensue.
>>>>
>>>> Many of us here have wasted enough of our time reading threads on
>>>> mailing lists which are incorrect.
>>>>
>>>> Thank you for the qualification.
>>>>
>>>>> Rowland
>>>>>
>>>>
>>> When you put it that way, then yes it was wrong, 'The builtin
>>> users/groups use the RID for their GID/UID.' would have been better,
>>> that is, if you can spot the difference :-D
>>>
>>> Rowland
>>>
>> Even worse. 'On a DC, the builtin users/groups use a GID/UID which is
>> unrelated to their RID' is less misleading. It is unfortunate that
>> they vary depending on where you are in a domain.
>
> Oh please, don't confuse Greg even more than he is now :-D
>
> Rowland
>
OK.Last try. 'UID/GID for builtin users/groups are not and cannot be 
specified in AD. They are stored in a separate database which is not 
replicated to other DCs'

There. How's that? That's got no RID in it at all.

Who's round is it anyway LOL!
And on that note...
Cheers,
Steve

More information about the samba mailing list