[Samba] Samba AD PDC, LDAP and Single-Sign-On

Rowland Penny rowlandpenny241155 at gmail.com
Fri Oct 9 18:25:18 UTC 2015


On 09/10/15 18:09, Mark Foley wrote:
> Rowland - thanks for your reply. I did send a message after this one you
> responded to with several other questions, but I'll pursue questioning on
> GID/UID in this reply as that is what you've mainly discussed. But, please check
> out that next email for other questions. Thanks.
>
> For a particular domain user in the AD, wbinfo gives:
>
> $ wbinfo -i mark
> HPRS\mark:*:3000026:100:Mark Foley:/home/HPRS/mark:/bin/false

Ah, but those numbers *do not* come from AD; they come from 'idmap.ldb'. 
You can change them easily by adding a uidNumber to each user and a 
gidNumber to Domain Users. What numbers you use is up to you, but ADUC 
starts them at '10000'. Another thing that you should be aware of is that 
the numbers you refer to will only occur on a DC; you will never see 
them on a Unix member server or workstation.

>
> Main question: what should the range settings be in my client smb.conf? Or, are
> these really bad GID/UIDs to use and I should change them?

See the smb.conf on the member server wiki page; just be aware that you 
can use the same range for users and groups, i.e. the uidNumber 10000 is 
not the same as gidNumber 10000.

> Background: why do I have these GID(100) UIDs(30000xx)? The answer is that I
> created domain users on the AD via RSAT > Active Directory Users and Computers.
> These are apparently the GID and UID range assigned by default. The ADUC >
> username > properties > Unix Attributes, UID and GID fields are blank, so I
> guess 100:30000xx are picked by default.

Yes, as I said, they are set in idmap.ldb by Samba, and no, you don't have 
to use them.

>
> Can I work with what I have or should I change these?

You can work with what you have got, but you don't have to; you can 
change them. If you are only going to use ADUC, I can point you at a 
couple of attributes that will make it easier to create Unix users; 
these attributes will store the next uidNumber & gidNumber in AD.

> There are no other actual local users on either the AD or client aside from me
> (100:1000 mfoley) other than the built-in accounts (root, bin, daemon, adm, lp
> ...) and services accounts (dovecot, spamd, mysql, ...).  No other actual local
> users.
>
> How do you recommend I proceed with my idmap range configuration?

It is up to you, but I would use lower numbers.

Rowland
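A worked version of the two steps Rowland describes, as an added example that is not part of the thread and not Samba's own tooling: an LDIF that sets uidNumber on a user and gidNumber on Domain Users (applied on the DC with ldbmodify), the idmap block a Unix domain member's smb.conf needs so that winbind reads those numbers from AD instead of allocating its own, and a check that the chosen IDs sit inside the domain range and that the '*' range and the domain range do not overlap. The base DN, the realm, the sam.ldb path, the object DNs and the numbers 10000/3000-7999/10000-999999 are assumptions for illustration; the thread gives none of them.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions (not stated in the thread): base DN DC=hprs,DC=example,
# realm HPRS.EXAMPLE, sam.ldb at the distro package path, and the DNs of
# 'mark' and 'Domain Users' under CN=Users.
set -eu

BASE_DN='DC=hprs,DC=example'              # assumption
SAM_DB='/var/lib/samba/private/sam.ldb'   # assumption: package default path
DEFAULT_RANGE='3000-7999'                 # '*' (BUILTIN etc.) on the member server
DOMAIN_RANGE='10000-999999'               # HPRS ids stored in AD; ADUC starts at 10000

# LDIF that adds one RFC2307 attribute to one object. Apply on the DC as root:
#   attr_ldif "CN=Mark Foley,CN=Users,$BASE_DN" uidNumber 10000 | ldbmodify -H "$SAM_DB"
attr_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: %s\n%s: %s\n' "$1" "$2" "$2" "$3"
}

# in_range ID LOW-HIGH: succeed if LOW <= ID <= HIGH
in_range() {
    low=${2%-*}; high=${2#*-}
    [ "$1" -ge "$low" ] && [ "$1" -le "$high" ]
}

# ranges_overlap LOW1-HIGH1 LOW2-HIGH2: succeed if the two ranges share any id
ranges_overlap() {
    l1=${1%-*}; h1=${1#*-}; l2=${2%-*}; h2=${2#*-}
    [ "$l1" -le "$h2" ] && [ "$l2" -le "$h1" ]
}

# [global] fragment for a Unix domain member; layout follows the idmap_ad
# setup on the Samba wiki page Rowland refers to.
member_smb_conf() {
    cat <<EOF
[global]
   workgroup = HPRS
   realm = HPRS.EXAMPLE
   security = ADS
   # '*' covers BUILTIN and any domain without its own block; must not overlap HPRS
   idmap config * : backend = tdb
   idmap config * : range = $DEFAULT_RANGE
   # ids come straight from uidNumber/gidNumber in AD; nothing is allocated
   # here, so an object without the attribute simply does not exist on this host
   idmap config HPRS : backend = ad
   idmap config HPRS : schema_mode = rfc2307
   idmap config HPRS : range = $DOMAIN_RANGE
EOF
}

# Sanity checks to run before touching AD or rolling out smb.conf.
check_ids() {
    # uid 10000 and gid 10000 are separate namespaces, so the same number is fine
    in_range 10000 "$DOMAIN_RANGE" || { echo 'id outside domain range' >&2; return 1; }
    if ranges_overlap "$DEFAULT_RANGE" "$DOMAIN_RANGE"; then
        echo "'*' range overlaps the domain range" >&2; return 1
    fi
    # 3000026 is what idmap.ldb handed out on the DC; it lies outside the
    # member range, which is why that number never shows up on a member server
    if in_range 3000026 "$DOMAIN_RANGE"; then
        echo 'idmap.ldb number unexpectedly inside the AD range' >&2; return 1
    fi
}

check_ids
attr_ldif "CN=Mark Foley,CN=Users,$BASE_DN" uidNumber 10000
attr_ldif "CN=Domain Users,CN=Users,$BASE_DN" gidNumber 10000
member_smb_conf
```

Run it on any host to see the LDIF and the smb.conf block; only the ldbmodify line in the comment needs the DC. Because the member server's backend is `ad`, a user whose uidNumber is still blank in ADUC will not resolve there at all, so every account that must log in on the member needs the attribute, and Domain Users needs its gidNumber before any of them do.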