[Samba] posix gid mapping of built-in groups

steve steve at steve-ss.com
Tue Jun 24 07:50:36 MDT 2014

On Tue, 2014-06-24 at 14:57 +0200, Henrik Langos wrote:
> On 06/23/14 19:35, steve wrote
> >
> > We'd recommend sticking with the 3000000+ range for user uidNumbers for
> > your domain users as this keeps them well away from any local Unix users
> > you may have on the system.
> Well, if I
> A) stick to that range, and
> B) give uid numbers on the samba-tool command line,
> how do I avoid giving one of my new groups an ID that is already used by 
> Samba's own mapping mechanism?
Loadsa methods.
An easy way is to:
1. create the group with samba-tool group add grp
2. wbinfo --name-to-sid=grp
S-1-5-21-451355595-2219208293-2714859210-1111 SID_DOM_GROUP (2)
3. Take the RID 
4. Add 20000 to it
5. allocate gidNumber 21111 to grp

For users, have a look here:
> E.g. I look at the output of "getent group" and I don't see 3000002. But 
> from getfacl on a policy file I know that it is in use.
> I know I can find the windows group / user if I know they are in use:
> root at DC2:~# wbinfo -G 3000002
> S-1-5-18
> root at DC2:~# wbinfo -s S-1-5-18
> root at DC2:~#
Do not worry about the sysvol groups. These values are not stored in AD
and are invisible to nss.
> But how do I keep track of the next free uid/gid if I provide those 
> manually to samba-tool ?
As per the above link.
> I guess I'd prefer
> A) to leave that management to Samba, or
> B) to manage those IDs myself in a range that doesn't interfere with 
> local users/groups or Windows users/groups.
Good idea. If you decide for an all Linux administration of your domain,
in the end, you'll end up writing your own scripts. The tools are good
but in the end you stop using them and use your own. Writing to the dbs
is sometimes the only way to go. ldbmodify and ldbedit are your friends.
Again, the link should get you thinking.
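As an added example (not from the thread above), a small POSIX shell script that automates the "RID + 20000" recipe: it parses a wbinfo SID line, refuses well-known SIDs such as S-1-5-18 that carry no domain RID, and emits the LDIF ldbmodify would take. The wbinfo output is a constructed sample, and the group DN and sam.ldb path are assumptions to replace on a real DC.

```shell
#!/bin/sh
# Derive a gidNumber for a domain group from its RID (RID + 20000) and
# produce the LDIF for ldbmodify. Sample data below is constructed so the
# script runs offline; on a DC you would feed it the output of
#   wbinfo --name-to-sid="$group"

RID_OFFSET=20000   # offset used in the thread; keeps gids clear of local groups

# Take a wbinfo line such as "S-1-5-21-...-1111 SID_DOM_GROUP (2)", pull the
# RID (last dash-separated component) and add the offset.
rid_to_gid() {
    sid=$(printf '%s\n' "$1" | awk '{print $1}')
    case "$sid" in
        S-1-5-21-*) ;;   # only domain SIDs (S-1-5-21-<domain>-<RID>) qualify
        *) echo "not a domain SID, no RID to map: $sid" >&2; return 1 ;;
    esac
    rid=${sid##*-}
    echo $((rid + RID_OFFSET))
}

# LDIF that sets gidNumber on the group object. The DN is a placeholder;
# take the real one from ldbsearch or samba-tool before applying it with
#   ldbmodify -H /usr/local/samba/private/sam.ldb grp.ldif   (assumed path)
gid_ldif() {
    group=$1
    gid=$2
    printf 'dn: CN=%s,CN=Users,DC=example,DC=com\n' "$group"
    printf 'changetype: modify\nreplace: gidNumber\ngidNumber: %s\n' "$gid"
}

# Constructed sample of "wbinfo --name-to-sid=grp"
SAMPLE_WBINFO='S-1-5-21-451355595-2219208293-2714859210-1111 SID_DOM_GROUP (2)'

demo() {
    gid=$(rid_to_gid "$SAMPLE_WBINFO") || return 1
    gid_ldif grp "$gid"
}

demo
```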