[Samba] Samba 4 problems

Rowland Penny rowlandpenny at googlemail.com
Fri Dec 19 02:39:24 MST 2014

On 19/12/14 09:06, Brett Wynkoop wrote:
> On Fri, 19 Dec 2014 09:17:25 +0100
> Tim <rintimtim at gmx.net> wrote:
>> I think Rowland meant to use rfc2307 attributes in your domain.
>> Therefore it is needed to provision your domain with --use-rfc2307
>> parameter. When you have done this the schema doesn't need to be
>> extended.
> Hmmm well used rfc2307 on one of my previous attempts, but still saw no
> way to set the UID to what I wanted them to be.  They were something
> like 5 or 6 digit numbers.
> So is there a way to force a particular UID, meaning can I create
> account smith with UID 553 in a Samba DC?
> My plan is after I figure this out to script the process and
> feed /etc/passwd into the AD.
> At the moment I do not have an MS-Windows box here yet, so I can not
> check what is shown in an MS-Windows control panel.
> This task is in preparation for the arrival of a small flock of
> ms-windows boxes that are coming in for a special project, but they
> need to be integrated with the existing network of FreeBSD, Solaris,
> GNU/Linux and Mac OSX boxes, all of which are using NIS and NFS.  Since
> they can all authenticate against LDAP and Kerberos (AKA AD) my plan is
> to just move over to AD on a samba box, but if a user is on a
> Windows box I need him to have the same UID on created files as if he
> was on a Unix box.
> Did I miss something with smbpasswd or pdbedit where I can set specific
> UID just like I can by editing /etc/passwd?
> Here is something interesting.....
> root at prd2:/home/wynkoop # pdbedit -L | grep wynkoop
> wynkoop:34:
> root at prd2:/home/wynkoop #
> root at prd2:/home/wynkoop # id wynkoop
> uid=34(wynkoop) gid=34(wynkoop) groups=34(wynkoop),0(wheel),80(www)
> root at prd2:/home/wynkoop #
> root at prd2:/home/wynkoop # pdbedit -Lv wynkoop
> (config output snipped)
> ldb_wrap open of idmap.ldb
> Home server: prd2
> Home server: prd2
> Unix username:        wynkoop
> NT username:
> Account Flags:        [U          ]
> User SID:             S-1-5-21-3503051414-2097048719-4239445089-1105
> Primary Group SID:    S-1-5-21-3503051414-2097048719-4239445089-513
> Full Name:
> Home Directory:
> HomeDir Drive:        (null)
> Logon Script:
> Profile Path:
> Domain:
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          0
> Kickoff time:         never
> Password last set:    Mon, 15 Dec 2014 15:17:39 EST
> Password can change:  Mon, 15 Dec 2014 15:17:39 EST
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Nowhere in the verbose output do I see 34, and then we have this:
> root at prd2:/archive/test # ls -l
> total 1
> -rw-r--r--  1 3000014  wheel  236 Dec 19 03:50 hosts
> root at prd2:/archive/test #
> Hosts was transferred into that directory using smbclient from another
> box and as you can see the owner is a user that does not exist on the
> system.  How the heck did it come up with a UID of  3000014?
> So I think I am getting more confused as things go along.  I have a
> mind to deinstall everything, remove all the database files and try
> again from scratch, but that still leaves the burning question how do I
> do something like this:
> root at prd2:/archive/test # adduser
> Username: bew
> Full name: B^C
> root at prd2:/archive/test # adduser
> Username: example
> Full name: Ex Ample
> Uid (Leave empty for default): 554
> Login group [example]:
> Login group is example. Invite example into other groups? []:
> with Samba.  I suppose I could drop back to samba 2 or 3, or run in
> legacy mode, but that is not what I would consider optimal.
> Thanks!
> -Brett

OK, when you create a Windows user, they get a SID-RID: the SID 
identifies the domain and the RID is the user's unique ID number. The 
same goes for groups.

An example of a SID-RID would be: 
The SID being: S-1-5-21-3623811015-3361044348-30300820
and the RID: 1013

From the example, you can see that this is no good for Unix, so you 
need to map these numbers to something that Unix understands, or use 
something else. This is where the RFC2307 attributes come in, amongst 
which are 'uidNumber' & 'gidNumber'; these are where you can set the 
user's or group's Unix ID. You can set these numbers to whatever you 
need, but having said that, I am struggling to understand why you need 
to map/use numbers like '50'. These low numbers on Unix are usually used 
for programs that run on Unix (apache, bind, etc.) that do not really 
need to be in AD.

If you feel that you want to take this discussion off-list, then contact 
me direct.
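The scripted step Brett describes (feeding /etc/passwd into the AD with the original UIDs) amounts to writing the RFC2307 'uidNumber' and 'gidNumber' attributes onto each existing user object. The following is an added example for this thread, not Samba's own code: it parses constructed passwd(5) lines, splits a SID-RID as Rowland describes, drops system accounts below a threshold unless explicitly kept, refuses duplicate uidNumbers (AD does not enforce their uniqueness, so a collision would give two users the same Unix identity), and emits an LDIF 'modify' record per user. It assumes the domain was provisioned with --use-rfc2307 and that user objects sit at CN=<name> under a constructed base DN; 'unixHomeDirectory' and 'loginShell' are the standard RFC2307 attribute names for the remaining passwd fields.

```python
"""Build an LDIF that sets RFC2307 attributes on Samba AD users from /etc/passwd.

Added example for this thread; not Samba code.  Assumes --use-rfc2307
provisioning and the constructed base DN below.
"""

import re

# Constructed base DN for this example; replace with your domain's DN.
USERS_BASE_DN = "CN=Users,DC=example,DC=com"

# Constructed sample passwd(5) lines, not taken from the thread.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
wynkoop:*:34:34:Brett Wynkoop:/home/wynkoop:/bin/sh
example:*:554:554:Ex Ample:/home/example:/bin/sh
"""

# Domain SIDs are S-1-5-21-<three sub-authorities>; the trailing number is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Split a domain user/group SID into (domain SID, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain SID-RID: %s" % sid)
    return m.group(1), int(m.group(2))


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def select_users(entries, min_uid=1000, keep=()):
    """Keep accounts with uid >= min_uid, plus any names listed in keep.

    Daemon accounts (root, www, ...) normally stay local and are dropped;
    keep= lets a low-UID human account such as uid 34 through on purpose.
    """
    return [e for e in entries if e["uid"] >= min_uid or e["name"] in keep]


def check_unique_uids(entries):
    """Raise if two selected users share a uidNumber; AD will not stop you."""
    seen = {}
    for e in entries:
        if e["uid"] in seen:
            raise ValueError("uidNumber %d used by both %s and %s"
                             % (e["uid"], seen[e["uid"]], e["name"]))
        seen[e["uid"]] = e["name"]
    return True


def passwd_to_ldif(entries):
    """Emit one LDIF modify record per user, replacing the RFC2307 attributes."""
    check_unique_uids(entries)
    records = []
    for e in entries:
        dn = "CN=%s,%s" % (e["name"], USERS_BASE_DN)  # assumed object location
        records.append("\n".join([
            "dn: " + dn,
            "changetype: modify",
            "replace: uidNumber",
            "uidNumber: %d" % e["uid"],
            "-",
            "replace: gidNumber",
            "gidNumber: %d" % e["gid"],
            "-",
            "replace: unixHomeDirectory",
            "unixHomeDirectory: " + e["home"],
            "-",
            "replace: loginShell",
            "loginShell: " + e["shell"],
            "-",
        ]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    users = select_users(parse_passwd(SAMPLE_PASSWD), min_uid=500, keep=("wynkoop",))
    print(passwd_to_ldif(users))
```

The 'gidNumber' written here is the user's primary group from passwd; the matching group objects need their own 'gidNumber' set the same way before winbind or nslcd will resolve them. Review the generated LDIF before applying it to the directory.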