[Samba] Samba 4 two DCs no matching UID/GID

Tim rintimtim at gmx.net
Thu Dec 11 12:38:53 MST 2014

I understood what have explained. All is fine so far.
For my environment I need these ids to be stored to the directory (except for built-in groups) due to file services and today I found a way to write the ids to the directory. I only have Windows client so that other rfc2307 information's like shell etc will not really matter.
But ids are important for setting right acls in the filesystem.

Advantage of my solution will be that no Unix attributes have to be set in ADUC.

If you are interested I will post it when I'm finished.

Am 11. Dezember 2014 14:35:15 MEZ, schrieb Rowland Penny <rowlandpenny at googlemail.com>:
>On 11/12/14 13:21, rintimtim at gmx.net wrote:
>> I think for now, uid and gid would be enough, when these would be
>automatically set without the need of enabling nis domain in unix tab.
>Just because it is import to unix based fileservers. Every uid and gid
>would be replicated and available on every DC. ID-mapping would not be
>neccessary when using rfc2307.
>Using rfc2307 attributes **IS* *id-mapping, also you seem to be unable 
>to understand that uid and gidNumbers will not be set automatically 
>(well not in the short term) because not all setups need them Setups 
>that do need them, might not need them for all users & groups and as I 
>said, just what number do you start at ???. All of these problems and 
>more will need to be taken into account before automatic setting of 
>uid's & gid's can happen.
>> But that's where the power samba-tool ends: samba-tool doesn't have
>the ability to modify users and groups. And samba-tool can only assign
>uid to users but not gid to groups.
>There was a patch for this, if I remember correctly, by Marc
>> Is there a possibilty to change uid or gid via script using ldbedit?
>Oh definitely, just open the users AD record in ldbedit and add/edit 
>attributes as required, or you can use ldbmodify and an ldif. Just make
>sure that you know what you are doing, or you could end up with
>> Gesendet: Donnerstag, 11. Dezember 2014 um 13:20 Uhr
>> Von: "Rowland Penny" <rowlandpenny at googlemail.com>
>> An: rintimtim at gmx.net
>> Cc: samba at lists.samba.org
>> Betreff: Re: [Samba] Samba 4 two DCs no matching UID/GID
>> On 11/12/14 11:44, rintimtim at gmx.net wrote:
>>> Thanks for your advice regarding modifying the ldb. Before I do that
>I have to tell that uids and gids are automatically assigned in ADUC
>Unix tab.
>>> All have to do is to choose the NIS domain. After changing this
>field all other Unix attributes are automatially filled in. So this
>> Hmm, seems that I assumed too much, yes you have to select your
>> before the rest shows in the tab.
>>> I tried something different for testing:
>>> I added a user with samba-tool using a script and assigned a random
>(based on date) number for uid:
>>> Script add-ad-user:
>>> samba-tool user create $1 --uid-number=$(date +%H%M%S)
>>> Calling the script add-ad-user test1
>>> Something interesting happens: The random uid is assigned to that
>user in rfc2307. Both DC's have this same uid when I do "wbinfo -i
>test1". The unix tab of ADUC remains empty.
>> Yes, this is what is supposed to happen, the empty unix tab could be
>> of two things, either you need to select your domain in the tab, or
>> likely, you user doesn't have enough attributes, ADUC would have
>> *all* of these:
>> uid
>> msSFU30Name
>> msSFU30NisDomain
>> uidNumber
>> gidNumber
>> loginShell
>> unixHomeDirectory
>> unixUserPassword
>> The last one would be set to 'ABCD!efgh12345$67890'
>>> I added "add user script = /path/to/script/add-ad-user %u" to
>smb.conf in global section but unfortunatly it doesn't work. I guess
>due to the servers role of AD Controller.
>> No, I don't think that will work with AD.
>>> If a domain is provisioned with rfc2307 it seems to me just a small
>step of setting uid in rfc2307 when a user or group is created by ADUC.
>Something for Samba Devs?
>> It just needs the creation of the 'msSFU30MaxUidNumber' &
>> 'msSFU30MaxGidNumber' attributes, but just what number do you start
>> ? Windows uses '10000', but what if samba has been upgraded from an
>> NT4 PDC via classicupgrade, the highest ID number could be higher (or
>> lower) than 10000. No, I think that what we have at the moment is
>> probably right, let the sysadmin choose how to keep a record of the
>> id number used.
>> Rowland
>>> Thanks
>>> Tim
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list