[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)

Rowland Penny rowlandpenny at googlemail.com
Mon Dec 1 12:40:58 MST 2014


On 01/12/14 19:32, steve wrote:
> On 01/12/14 20:20, Rowland Penny wrote:
>> On 01/12/14 19:16, steve wrote:
>>> On 01/12/14 19:30, Rowland Penny wrote:
>>>> On 01/12/14 18:23, steve wrote:
>>>>> On 01/12/14 19:11, Rowland Penny wrote:
>>>>>> On 01/12/14 17:46, steve wrote:
>>>>>>> On 01/12/14 18:25, Rowland Penny wrote:
>>>>>>>> On 01/12/14 17:16, steve wrote:
>>>>>>>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>>>>>>>> On 01/12/14 17:09, steve wrote:
>>>>>>>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>>>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>>>>>>>> <rowlandpenny at googlemail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>> I do what windows does, it ignores the RID (what you call 'the last set
>>>>>>>>>>>>> of digits from SID') and uses a builtin mechanism to store the next uid &
>>>>>>>>>>>>> gidNumber.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Take this dangerously incorrect fact:
>>>>>>>>>>>> The builtin users/groups use the RID for the GID/UID.
>>>>>>> No.
>>>>>>>
>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>>>>>>>> 300000?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>>>>>>>
>>>>>>>>>> Rowland
>>>>>>>>>>
>>>>>>>>> English please. Notice the question mark after the last '0';)
>>>>>>>>
>>>>>>>> I thought I was speaking (well typing) English :-D
>>>>>>>>
>>>>>>>> Let's put it this way, samba4 gets the RID for Administrators
>>>>>>>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all
>>>>>>>> this in idmap.ldb.
>>>>>>>>
>>>>>>>> Does that answer all questions ??????
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> In the context of the OP's statement, he was sort of correct, the
>>>>>> builtin user/group RID's are used to get to the ID numbers.
>>>>>>
>>>>>> Take Administrators for example:
>>>>>>
>>>>>> RID 'S-1-5-32-544'
>>>>>> Winbind gets this, it is meaningless on Unix, so it gets mapped to an
>>>>>> xidNumber '3000000'
>>>>>>
>>>>>> This xidNumber is used as the group's gidNumber
>>>>>>
>>>>>> The xidNumber is stored in idmap.ldb
>>>>>>
>>>>>> dn: CN=S-1-5-32-544
>>>>>> cn: S-1-5-32-544
>>>>>> objectClass: sidMap
>>>>>> objectSid: S-1-5-32-544
>>>>>> type: ID_TYPE_BOTH
>>>>>> xidNumber: 3000000
>>>>>> distinguishedName: CN=S-1-5-32-544
>>>>>>
>>>>>> If you run 'getfacl /var/lib/samba/sysvol/' , you get this:
>>>>>>
>>>>>> getfacl: Removing leading '/' from absolute path names
>>>>>> # file: var/lib/samba/sysvol/
>>>>>> # owner: root
>>>>>> # group: 3000000
>>>>>> user::rwx
>>>>>> user:root:rwx
>>>>>> group::rwx
>>>>>> group:3000000:rwx
>>>>>> group:3000001:r-x
>>>>>> group:3000002:rwx
>>>>>> group:3000003:r-x
>>>>>> mask::rwx
>>>>>> other::---
>>>>>> default:user::rwx
>>>>>> default:user:root:rwx
>>>>>> default:group::---
>>>>>> default:group:3000000:rwx
>>>>>> default:group:3000001:r-x
>>>>>> default:group:3000002:rwx
>>>>>> default:group:3000003:r-x
>>>>>> default:mask::rwx
>>>>>> default:other::---
>>>>>>
>>>>>> Now what part of the above is wrong ??
>>>>>>
>>>>> Hi
>>>>> '...sort of correct' is misleading enough and is to be discouraged.
>>>>> But unqualified statements which are incorrect should be banned.
>>>>> 'The builtin users/groups use the RID for the GID/UID.', is incorrect.
>>>>> Not only is it incorrect, but it is the opposite of what we would wish
>>>>> to achieve, especially with the low uids and gids which would ensue.
>>>>>
>>>>> Many of us here have wasted enough of our time reading threads on
>>>>> mailing lists which are incorrect.
>>>>>
>>>>> Thank you for the qualification.
>>>>>
>>>>>> Rowland
>>>>>>
>>>>>
>>>> When you put it that way, then yes it was wrong, 'The builtin
>>>> users/groups use the RID for their GID/UID.' would have been better,
>>>> that is, if you can spot the difference :-D
>>>>
>>>> Rowland
>>>>
>>> Even worse. 'On a DC, the builtin users/groups use a GID/UID which is
>>> unrelated to their RID' is less misleading. It is unfortunate that
>>> they vary depending on where you are in a domain.
>>
>> Oh please, don't confuse Greg even more than he is now :-D
>>
>> Rowland
>>
> OK. Last try. 'UID/GID for builtin users/groups are not and cannot be 
> specified in AD. They are stored in a separate database which is not 
> replicated to other DCs'
>
> There. How's that? That's got no RID in it at all.
>
> Whose round is it anyway LOL!
> And on that note...
> Cheers,
> Steve
>

Hmm, I wonder where I can put that on the wiki.

Rowland
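Added example, not code from the thread or from Samba: a small Python script that parses an LDIF dump of idmap.ldb (the record format Rowland quotes above), resolves the numeric entries in `getfacl` output on sysvol back to their SIDs, and, following Steve's point that idmap.ldb is local to each DC and not replicated, reports SIDs that two DCs mapped to different xidNumbers. The dumps and the getfacl excerpt are constructed; the second SID (S-1-5-32-548, Account Operators) and the `ldbsearch -H /var/lib/samba/private/idmap.ldb` path mentioned in the comments are assumptions, not taken from the thread.

```python
import re
# Constructed LDIF dump (as from `ldbsearch -H /var/lib/samba/private/idmap.ldb`, path assumed)
# from DC1; the first record is the one quoted in the thread, the second is added for the demo.
IDMAP_DC1 = """\
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-548
objectClass: sidMap
objectSid: S-1-5-32-548
type: ID_TYPE_BOTH
xidNumber: 3000001
"""
# DC2 allocates from its own idmap.ldb, so the same SIDs can get the numbers swapped (constructed).
IDMAP_DC2 = IDMAP_DC1.replace("3000000", "@").replace("3000001", "3000000").replace("@", "3000001")
# Constructed excerpt of `getfacl /var/lib/samba/sysvol/` output on DC1.
GETFACL_DC1 = """\
# file: var/lib/samba/sysvol/
user::rwx
group:3000000:rwx
group:3000001:r-x
"""

def parse_idmap(ldif):
    """Map xidNumber -> objectSid for every sidMap record in an LDIF dump."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if "objectSid" in attrs and "xidNumber" in attrs:
            mapping[int(attrs["xidNumber"])] = attrs["objectSid"]
    return mapping

def resolve_acl(getfacl, idmap):
    """Return (acl_line, xid, sid) for each numeric user/group ACL entry; sid is '?' if unmapped."""
    out = []
    for line in getfacl.splitlines():
        m = re.match(r"^(?:default:)?(?:user|group):(\d+):", line)
        if m:
            xid = int(m.group(1))
            out.append((line, xid, idmap.get(xid, "?")))
    return out

def mismatched_sids(map_a, map_b):
    """SIDs present in both DCs' idmap dumps but mapped to different xidNumbers."""
    inv_a = {sid: xid for xid, sid in map_a.items()}
    inv_b = {sid: xid for xid, sid in map_b.items()}
    return sorted(s for s in inv_a if s in inv_b and inv_a[s] != inv_b[s])
```

A non-empty result from `mismatched_sids` means a sysvol ACL copied between those two DCs by gid would grant rights to a different BUILTIN group on each.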


