[Samba] Samba 4 two DCs no matching UID/GID

Rowland Penny rowlandpenny at googlemail.com
Thu Dec 11 06:35:15 MST 2014

On 11/12/14 13:21, rintimtim at gmx.net wrote:
> I think for now, uid and gid would be enough, when these would be automatically set without the need of enabling nis domain in unix tab. Just because it is import to unix based fileservers. Every uid and gid would be replicated and available on every DC. ID-mapping would not be neccessary when using rfc2307.

Using rfc2307 attributes **IS* *id-mapping, also you seem to be unable 
to understand that uid and gidNumbers will not be set automatically 
(well not in the short term) because not all setups need them Setups 
that do need them, might not need them for all users & groups and as I 
said, just what number do you start at ???. All of these problems and 
more will need to be taken into account before automatic setting of 
uid's & gid's can happen.

> But that's where the power samba-tool ends: samba-tool doesn't have the ability to modify users and groups. And samba-tool can only assign uid to users but not gid to groups.

There was a patch for this, if I remember correctly, by Marc Muehlfield.

> Is there a possibilty to change uid or gid via script using ldbedit?

Oh definitely, just open the users AD record in ldbedit and add/edit 
attributes as required, or you can use ldbmodify and an ldif. Just make 
sure that you know what you are doing, or you could end up with problems.


> Gesendet: Donnerstag, 11. Dezember 2014 um 13:20 Uhr
> Von: "Rowland Penny" <rowlandpenny at googlemail.com>
> An: rintimtim at gmx.net
> Cc: samba at lists.samba.org
> Betreff: Re: [Samba] Samba 4 two DCs no matching UID/GID
> On 11/12/14 11:44, rintimtim at gmx.net wrote:
>> Thanks for your advice regarding modifying the ldb. Before I do that I have to tell that uids and gids are automatically assigned in ADUC Unix tab.
>> All have to do is to choose the NIS domain. After changing this field all other Unix attributes are automatially filled in. So this works.
> Hmm, seems that I assumed too much, yes you have to select your domain
> before the rest shows in the tab.
>> I tried something different for testing:
>> I added a user with samba-tool using a script and assigned a random (based on date) number for uid:
>> Script add-ad-user:
>> samba-tool user create $1 --uid-number=$(date +%H%M%S)
>> Calling the script add-ad-user test1
>> Something interesting happens: The random uid is assigned to that user in rfc2307. Both DC's have this same uid when I do "wbinfo -i test1". The unix tab of ADUC remains empty.
> Yes, this is what is supposed to happen, the empty unix tab could be one
> of two things, either you need to select your domain in the tab, or more
> likely, you user doesn't have enough attributes, ADUC would have added
> *all* of these:
> uid
> msSFU30Name
> msSFU30NisDomain
> uidNumber
> gidNumber
> loginShell
> unixHomeDirectory
> unixUserPassword
> The last one would be set to 'ABCD!efgh12345$67890'
>> I added "add user script = /path/to/script/add-ad-user %u" to smb.conf in global section but unfortunatly it doesn't work. I guess due to the servers role of AD Controller.
> No, I don't think that will work with AD.
>> If a domain is provisioned with rfc2307 it seems to me just a small step of setting uid in rfc2307 when a user or group is created by ADUC. Something for Samba Devs?
> It just needs the creation of the 'msSFU30MaxUidNumber' &
> 'msSFU30MaxGidNumber' attributes, but just what number do you start from
> ? Windows uses '10000', but what if samba has been upgraded from an S3
> NT4 PDC via classicupgrade, the highest ID number could be higher (or
> lower) than 10000. No, I think that what we have at the moment is
> probably right, let the sysadmin choose how to keep a record of the last
> id number used.
> Rowland
>> Thanks
>> Tim
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

More information about the samba mailing list