[Samba] Is there any problem that can arise from remapping gidNumber?

Rowland Penny rowlandpenny at googlemail.com
Tue Jan 13 10:44:19 MST 2015


On 13/01/15 17:22, John Lewis wrote:
> On 01/13/2015 12:03 PM, Rowland Penny wrote:
>> On 13/01/15 16:25, John Lewis wrote:
>>> On 01/13/2015 11:10 AM, John Lewis wrote:
>>> I figured out that the RID was the last few numbers on the end of the
>>> objectSid.
>>>
>>> How do I change the object Rid so I can change the GID of the group?
>> You don't change the RID
>>
>> Every object in AD has an objectSid attribute, this consists of the
>> domain SID (this is unique to the domain) with the user's/group's unique
>> RID on the end.
>> As standard, every user's primaryGroupID is set to 513, this is the RID
>> for Domain Users, so every user's primary group is Domain Users, even
>> though they do not show as being a member in AD. If you want to change a
>> user's primary group, you need to add the user to a group, get the
>> objectSid of this group and then change the contents of the
>> primaryGroupID attribute to this RID.
>>
>> Having said all that, I think that you may be talking about AD from the
>> Linux point of view, if so then that is a different thing all together.
>>
>> Rowland
>>
> I am talking about AD from a Linux point of view, and having a GID
> number of the group tied to the RID sounds like a can of worms.
>
> I want the POSIX stuff decoupled from the directory stuff so they get in
> each other's way.

OK, you want your Linux users to be authenticated by your AD DC ?

To do this you need to use rfc2307 attributes. These come as standard 
with samba4, but you may have to add IDMU to a Windows AD server. As 
you mentioned 'uidNumber', it sounds like you already have the rfc2307 
attributes.

The minimum attributes you need to add are: a 'gidNumber' attribute on 
Domain Users and on any other AD groups you want to be visible to Linux; 
users also need a 'uidNumber' and a 'gidNumber', and this 'gidNumber' must 
be one that you have given to a domain group.

You do not need to do anything else on the DC, these numbers will be 
used automatically, but on a member server you need to set up Samba to 
use these rfc2307 attributes, see the wiki.

Rowland
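As an added example (not part of Rowland's reply and not Samba project code), the script below checks the rfc2307 attribute layout Rowland describes before it is pushed to the DC: every Linux-visible group carries a unique gidNumber, every Linux user carries both uidNumber and gidNumber, the user's gidNumber belongs to a real domain group, and all numbers fall inside the idmap range the member server will be given. It also builds the LDIF change records that add the missing attributes and the member-server idmap fragment for the winbind "ad" backend. The DNs, numbers and the example.com domain are constructed sample data; the smb.conf parameter names are the documented winbind ad/rfc2307 settings.

```python
"""Consistency check for rfc2307 attributes (uidNumber/gidNumber) in AD.

All directory content below is constructed sample data, not real output.
"""

# Constructed sample: groups and users as they might look on the DC.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {"gidNumber": 10000},
    "CN=linuxadmins,CN=Users,DC=example,DC=com": {"gidNumber": 10001},
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {},  # no gidNumber: stays invisible to Linux
}
USERS = {
    "CN=alice,CN=Users,DC=example,DC=com": {"uidNumber": 20000, "gidNumber": 10000},
    "CN=bob,CN=Users,DC=example,DC=com": {"uidNumber": 20001, "gidNumber": 10001},
    "CN=carol,CN=Users,DC=example,DC=com": {"uidNumber": 20002, "gidNumber": 99999},  # dangling gid
    "CN=dave,CN=Users,DC=example,DC=com": {},  # not a Linux user, nothing to check
    "CN=erin,CN=Users,DC=example,DC=com": {"uidNumber": 20000, "gidNumber": 10000},  # uid clash
}


def check_rfc2307(groups, users, id_range=(10000, 999999)):
    """Return [(dn, problem)] for every attribute layout winbind would reject or mis-map."""
    lo, hi = id_range
    problems = []
    gid_owner = {}  # gidNumber -> group DN that owns it
    for dn, attrs in groups.items():
        gid = attrs.get("gidNumber")
        if gid is None:
            continue  # a group without gidNumber is simply not visible to Linux
        if not lo <= gid <= hi:
            problems.append((dn, f"gidNumber {gid} outside idmap range {lo}-{hi}"))
        if gid in gid_owner:
            problems.append((dn, f"gidNumber {gid} already used by {gid_owner[gid]}"))
        else:
            gid_owner[gid] = dn

    uid_owner = {}  # uidNumber -> user DN that owns it
    for dn, attrs in users.items():
        uid, gid = attrs.get("uidNumber"), attrs.get("gidNumber")
        if uid is None and gid is None:
            continue  # not meant to be a Linux user
        if uid is None or gid is None:
            problems.append((dn, "needs both uidNumber and gidNumber"))
            continue
        if not lo <= uid <= hi:
            problems.append((dn, f"uidNumber {uid} outside idmap range {lo}-{hi}"))
        if uid in uid_owner:
            problems.append((dn, f"uidNumber {uid} already used by {uid_owner[uid]}"))
        else:
            uid_owner[uid] = dn
        if gid not in gid_owner:
            # Primary group must be a domain group that itself carries this gidNumber.
            problems.append((dn, f"gidNumber {gid} is not assigned to any group"))
    return problems


def ldif_set_group_gid(dn, gid):
    """LDIF modify record giving a domain group a gidNumber."""
    return f"dn: {dn}\nchangetype: modify\nadd: gidNumber\ngidNumber: {gid}\n\n"


def ldif_set_user_ids(dn, uid, gid):
    """LDIF modify record adding uidNumber and gidNumber to a user in one change."""
    return (
        f"dn: {dn}\nchangetype: modify\n"
        f"add: uidNumber\nuidNumber: {uid}\n-\n"
        f"add: gidNumber\ngidNumber: {gid}\n\n"
    )


def member_server_idmap(workgroup, id_range=(10000, 999999)):
    """smb.conf lines telling winbind on a member server to read the rfc2307 attributes."""
    lo, hi = id_range
    return "\n".join([
        f"idmap config {workgroup} : backend = ad",
        f"idmap config {workgroup} : schema_mode = rfc2307",
        f"idmap config {workgroup} : range = {lo}-{hi}",
        "idmap config * : backend = tdb",      # default backend for everything else
        "idmap config * : range = 3000-7999",  # must not overlap the domain range above
    ])


if __name__ == "__main__":
    for dn, problem in check_rfc2307(GROUPS, USERS):
        print(f"{dn}: {problem}")
    # Give dave Linux identity: Domain Users' gidNumber as his primary group.
    print(ldif_set_user_ids("CN=dave,CN=Users,DC=example,DC=com", 20003, 10000))
    print(member_server_idmap("EXAMPLE"))
```

Run the checks before applying the LDIF with ldbmodify or ldapmodify; the two reported problems in the sample (carol's gidNumber points at no group, erin reuses alice's uidNumber) are exactly the cases where winbind would give a user no usable primary group or two users the same Linux identity.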