[Samba] Is there any problem that can arise from remapping gidNumber?

Rowland Penny rowlandpenny at googlemail.com
Tue Jan 13 10:03:23 MST 2015

On 13/01/15 16:25, John Lewis wrote:
> On 01/13/2015 11:10 AM, John Lewis wrote:
>> On 01/13/2015 10:41 AM, Rowland Penny wrote:
>>> On 13/01/15 15:11, John Lewis wrote:
>>>> On 01/13/2015 09:23 AM, Rowland Penny wrote:
>>>>> On 13/01/15 14:06, John Lewis wrote:
>>>>>> On 01/13/2015 06:35 AM, Rowland Penny wrote:
>>>>>>> On 13/01/15 11:33, John Lewis wrote:
>>>>>>>> This morning I remapped gidNumber from primaryGroupID to gidNumber. I
>>>>>>>> did that because I could not change the integer in primaryGroupID with
>>>>>>>> ldbedit as root.
>>>>>>>> I mapped it to a new attribute called gidNumber which has no specific
>>>>>>>> meaning in samba. Are there any potential problems that can arise from
>>>>>>>> doing that? Is there a better way to fix that problem?
>>>>>>> Hmm, definitely going to need more info here, gidNumber has a specific
>>>>>>> meaning to samba, depending on how you set up samba.
>>>>>>>      Rowland
>>>>>> I took the defaults except for rfc2307 which I enabled. I am running
>>>>>> Samba Version 4.1.11-Debian.
>>>>> Yes, but what as? An AD DC or in classic mode, i.e. just like samba3?
>>>>> Might be best if you post your smb.conf (sanitised)
>>>>> Rowland
>>>> I attached it to this email.
>>> OK, so you are running samba4 as an AD DC, gidNumber definitely means
>>> something and if you want to change a user's primary group, you need to do
>>> something like this:
>>> First give the group that you want to be the new primary group a
>>> gidNumber (told you it means something)
>>> next, make sure the user is a member of this group, if not, add user to
>>> group
>>> get the group's RID
>>> change the user's primaryGroupID attribute to the group's RID
>>> AD will do the rest
>>> Rowland
>> What attribute is the group's RID?
> I figured out that the RID was the last few numbers on the end of the
> objectSid.
> How do I change the object Rid so I can change the GID of the group?
You don't change the RID

Every object in AD has an objectSid attribute, this consists of the 
domain SID (this is unique to the domain) with the user's/group's unique 
RID on the end.
As standard, every user's primaryGroupID is set to 513, this is the RID 
for Domain Users, so every user's primary group is Domain Users, even 
though they do not show as being a member in AD. If you want to change a 
user's primary group, you need to add the user to a group, get the 
objectSid of this group and then change the contents of the 
primaryGroupID attribute to this RID.

Having said all that, I think that you may be talking about AD from the 
Linux point of view, if so then that is a different thing altogether.
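
As an added illustration that is not part of the original message: the sketch below decodes a binary objectSid as returned over LDAP, splits it into domain SID and RID, and checks whether a user's primaryGroupID points at a given group. The function names and all SID values are constructed for the example.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid into its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])  # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain SID, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError("not a SID string")
    return domain, int(rid)

def primary_group_matches(user_sid: str, primary_group_id: int,
                          group_sid: str) -> bool:
    """True if primaryGroupID holds the RID of a group in the user's domain."""
    user_domain, _ = split_sid(user_sid)
    group_domain, group_rid = split_sid(group_sid)
    return user_domain == group_domain and primary_group_id == group_rid

# Constructed sample data: a made-up domain SID, a user and a group.
SAMPLE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_USER_SID = SAMPLE_DOMAIN + "-1104"
SAMPLE_GROUP_SID_RAW = (
    bytes([1, 5]) + (5).to_bytes(6, "big")
    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1105)
)

if __name__ == "__main__":
    group_sid = parse_sid(SAMPLE_GROUP_SID_RAW)
    print("group objectSid:", group_sid)
    print("domain SID, RID:", split_sid(group_sid))
    # Default primaryGroupID 513 (Domain Users) does not point at this group.
    print("513 matches: ", primary_group_matches(SAMPLE_USER_SID, 513, group_sid))
    print("1105 matches:", primary_group_matches(SAMPLE_USER_SID, 1105, group_sid))
```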

