[Samba] Is there any problem that can arise from remapping gidNumber? SOLVED

John Lewis oflameo2 at gmail.com
Tue Jan 13 11:41:39 MST 2015


On 01/13/2015 12:44 PM, Rowland Penny wrote:
> On 13/01/15 17:22, John Lewis wrote:
>> On 01/13/2015 12:03 PM, Rowland Penny wrote:
>>> On 13/01/15 16:25, John Lewis wrote:
>>>> On 01/13/2015 11:10 AM, John Lewis wrote:
>>>> I figured out that the RID was the last few numbers on the end of the
>>>> objectSid.
>>>>
>>>> How do I change the object RID so I can change the GID of the group?
>>> You don't change the RID
>>>
>>> Every object in AD has an objectSid attribute, this consists of the
>>> domain SID (this is unique to the domain) with the user's/group's unique
>>> RID on the end.
>>> As standard, every user's primaryGroupID is set to 513, this is the RID
>>> for Domain Users, so every user's primary group is Domain Users, even
>>> though they do not show as being a member in AD. If you want to change a
>>> user's primary group, you need to add the user to a group, get the
>>> objectSid of this group and then change the contents of the
>>> primaryGroupID attribute to this RID.
>>>
>>> Having said all that, I think that you may be talking about AD from the
>>> Linux point of view, if so then that is a different thing all together.
>>>
>>> Rowland
>>>
>> I am talking about AD from a Linux point of view, and having a GID
>> number of the group tied to the RID sounds like a can of worms.
>>
>> I want the POSIX stuff decoupled from the directory stuff so they get in
>> each other's way.
> 
> OK, you want your Linux users to be authenticated by your AD DC ?
> 
> To do this you need to use rfc2307 attributes. These come as standard
> with samba4, but you may have to add IDMU to a Windows AD server; as
> you mentioned 'uidNumber' it sounds like you already have the rfc2307
> attributes.
> 
> The minimum attributes you need to add are: a 'gidNumber' attribute on
> Domain Users and any other AD groups you want to be visible to Linux;
> users also need a 'uidNumber' and a 'gidNumber', and this 'gidNumber' would
> be one that you have given to a domain group.
> 
> You do not need to do anything else on the DC, these numbers will be
> used automatically, but on a member server you need to setup samba to
> use these rfc2307 attributes, see the wiki.
> 
> Rowland
> 

Looks like I got lucky and did it right.

Thank you!
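A small consistency check for the rfc2307 attributes described in Rowland's reply, added here as an example and not part of the thread or of Samba itself. It takes a constructed set of groups and users, verifies that Domain Users and every Linux-visible group carry a gidNumber, that every user has a uidNumber and a gidNumber that was actually given to a domain group, that no uidNumber is reused, and (an assumption beyond the thread) that all ids fall inside the member server's 'idmap config DOM : range', since winbind ignores ids outside it; it also emits the LDIF a user entry would need.

```python
"""Sanity-check rfc2307 attributes for a Samba AD domain before writing them."""

# Assumed member-server setting 'idmap config SAMDOM : range = 10000-999999'.
IDMAP_RANGE = (10000, 999999)

# Constructed sample data: group name -> gidNumber (None = not assigned yet).
GROUPS = {
    "Domain Users": 10000,
    "linuxadmins": 10001,
    "Domain Admins": None,   # not visible to Linux, which is fine
}
# Constructed sample data: sAMAccountName -> (uidNumber, gidNumber).
USERS = {
    "alice": (10500, 10000),
    "bob": (10501, 10002),   # gidNumber was never given to a group
    "carol": (5000, 10001),  # uidNumber below the idmap range
}


def check_rfc2307(groups, users, idmap_range=IDMAP_RANGE):
    """Return a list of problems; an empty list means the attributes are consistent."""
    lo, hi = idmap_range
    problems = []
    group_gids = {gid for gid in groups.values() if gid is not None}
    if groups.get("Domain Users") is None:
        problems.append("Domain Users has no gidNumber (it is every user's default primary group)")
    for name, gid in groups.items():
        if gid is not None and not lo <= gid <= hi:
            problems.append(f"group {name}: gidNumber {gid} outside idmap range")
    seen_uids = set()
    for name, (uid, gid) in users.items():
        if not lo <= uid <= hi:
            problems.append(f"user {name}: uidNumber {uid} outside idmap range")
        if uid in seen_uids:
            problems.append(f"user {name}: uidNumber {uid} already used by another user")
        seen_uids.add(uid)
        if gid not in group_gids:
            problems.append(f"user {name}: gidNumber {gid} not assigned to any domain group")
    return problems


def ldif_for_user(dn, uid, gid):
    """LDIF that adds both user attributes, suitable for 'ldbmodify -H sam.ldb'."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"add: uidNumber\nuidNumber: {uid}\n-\n"
            f"add: gidNumber\ngidNumber: {gid}\n")


if __name__ == "__main__":
    for problem in check_rfc2307(GROUPS, USERS):
        print("PROBLEM:", problem)
    print(ldif_for_user("CN=alice,CN=Users,DC=samdom,DC=example,DC=com", 10500, 10000))
```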

