[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Sat Sep 12 16:59:54 UTC 2015

On 12/09/15 14:36, Jim Seymour wrote:
> On Sat, 12 Sep 2015 08:32:17 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> [snip]
>> Samba4 comes with the uidNumber & gidNumber attributes (and a load
>> of others), but they are *not* used as standard, the sysadmin needs
>> to add them.
> Starting at the page you reference, below, I put "uidNumber" into the
> search box.  Now, unless I'm missing it, all that comes up are
> references to it, but no information on how it's used or where to set
> it.

OK, you seem to have found a gap in the wiki; it does seem to expect 
that all the administration is done via ADUC :-)

If you create a new user with samba-tool (and your version is new 
enough), you can create a user and add the required attributes at the 
same time. If you want to add the Unix attributes to an already 
created AD object, you are going to have to resort to an LDIF and 
ldbmodify, ldapmodify or similar (I understand you can do this with 
ADUC, but I have never done it this way, so I am unsure how to do it).

To add the Unix attributes to a user with the sAMAccountName of 'user', 
you will need to find the user's 'dn':

ldbsearch -H /var/lib/samba/private/sam.ldb '(samaccountname=user)' | grep '^dn:'

dn: CN=Test User,CN=Users,DC=example,DC=com

OK, now you will need an LDIF like this (comments go on their own 
lines, as a trailing '#' on a value line would become part of the value, 
and each 'add:' block is closed with a '-' line):

dn: CN=Test User,CN=Users,DC=example,DC=com
changetype: modify
add: uid
uid: user
-
add: msSFU30Name
msSFU30Name: user
-
# change this to your lowercase domain name
add: msSFU30NisDomain
msSFU30NisDomain: example
-
# unique number to identify the Unix user
add: uidNumber
uidNumber: 10245
-
# whatever gidNumber you gave to Domain Users
add: gidNumber
gidNumber: 10000
-
add: loginShell
loginShell: /bin/bash
-
add: unixHomeDirectory
unixHomeDirectory: /home/user
-
# dummy unix password that ADUC gives to all Unix users
add: unixUserPassword
unixUserPassword: ABCD!efgh12345$67890

Save this somewhere, e.g. /tmp/user.ldif

The above LDIF adds all the attributes that ADUC would add if you use 
the Unix Attributes tab; note that you do not, and should not, add the 
posixAccount objectClass.

Now get a Kerberos ticket:

kinit Administrator@EXAMPLE.COM

Now update the user:

ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/user.ldif

To add the gidNumber to Domain Users:

As before, but you don't need to find the dn (unless you have done 
something strange, like moving it):

dn: CN=Domain Users,CN=Users,DC=example,DC=com
changetype: modify
add: msSFU30NisDomain
msSFU30NisDomain: example
-
add: msSFU30Name
msSFU30Name: Domain Users
-
add: gidNumber
gidNumber: 10000

Save it as /tmp/group.ldif

and then modify Domain Users:

ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/group.ldif

>> Can I suggest you stop reading the docs you are reading and read
>> the samba wiki instead, start here:
>> https://wiki.samba.org/index.php/Main_Page
> The docs I was reading were, in fact:
>      https://wiki.samba.org/index.php/Adding_users_with_samba_tool
>> The number you refer to: '3000026' is an xidNumber and is stored in
>> idmap.ldb, you need to add a 'uidNumber' attribute (containing the
>> UID number you want the user to have) to your users object in AD
>> (sam.ldb), repeat for other users, but the numbers must be unique.
> Of course they must, they'll be Unix UIDs and GIDs.
>> Finally, give the 'Domain Users' object in AD a unique gidNumber
>> attribute, what number you use is up to you, some people just use
>> the RID '513', others use something like '20513', I personally just
>> use '10000'. Whatever number you use, it must unique to that group,
>> but it can be the same as a user, as this shows:
> What is the purpose of doing this and what will be the effect on
> whatever files and directories a MS-Win AD user creates or wants to
> access, please?

Unless Domain Users has a gidNumber, winbind will not work as expected. 
It should have no effect on an AD user apart from making the user work 
with the uidNumbers.

> Can I, should I, may I put gidNumber attributes into individual user
> AD records?  (Matching their [default] *nix gids?)

Ah, somebody else who thinks Samba4 AD works like Samba3. You don't have 
individual Unix groups any more; in fact you do not have Unix users any 
more, they are all AD users that are also Unix users. You can change the 
user's primary group gid (this is not the user's gidNumber), but it is a 
bit involved and it breaks the Windows user: Windows expects every 
user's primaryGroupID to be 513 (Domain Users).

> Regarding UIDs and GIDs: I've been administering *nix systems since
> SysVR3, incl. variants such as Xenix and QNX.  I know how *nix works,
> and UIDs and GIDs.  What I *do not* understand is how to make Samba4
> play nicely on a *nix server in a heterogeneous computing
> environment.

I hope what I have posted helps; you just have to get your head around 
the differences (no user private groups, for instance, and you cannot 
have two objects in AD with the same name). 
If you have any questions, please ask, the only stupid question is the 
one you don't ask :-D


> Thanks for the help, Rowland.
> Regards,
> Jim

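The procedure above (find the DN, pick a uidNumber nobody else has, write a modify LDIF for the user and one for Domain Users) is easy to get wrong by hand: a reused uidNumber quietly gives two AD accounts the same Unix identity on every member server, and a trailing "# comment" on an LDIF value line becomes part of the value. The following is an added example written for this thread, not code from the Samba project or from the poster. It parses ldbsearch-style output (a constructed sample stands in for the real `ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName uidNumber` run), allocates the lowest free uidNumber at or above a floor, and emits the two LDIF records with the attribute set ADUC's Unix Attributes tab writes and the dummy unixUserPassword quoted in the thread. The attribute list, the `_modify_ldif` helper and the DN/user names are assumptions for illustration; the output is meant to be saved and fed to `ldbmodify` after `kinit`, exactly as in the post.

```python
"""Allocate a free uidNumber and build the LDIF that adds RFC2307/SFU Unix
attributes to a Samba AD user and to Domain Users.

Added example for the mailing-list thread; not Samba project code.
Assumes ldbsearch output is supplied as text and that the attribute names
match what ADUC's Unix Attributes tab writes.
"""

# Constructed sample of `ldbsearch -H /var/lib/samba/private/sam.ldb
# '(objectClass=user)' sAMAccountName uidNumber`: two users already hold
# uidNumbers, "user" (CN=Test User) does not yet.
SAMPLE_LDBSEARCH = """\
# record 1
dn: CN=Alice Example,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10245

# record 2
dn: CN=Bob Example,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 10247

# record 3
dn: CN=Test User,CN=Users,DC=example,DC=com
sAMAccountName: user

# returned 3 records
# 3 entries
# 0 referrals
"""

# Value ADUC stores for every Unix-enabled user, as quoted in the thread.
DUMMY_UNIX_PASSWORD = "ABCD!efgh12345$67890"


def parse_ldb_output(text):
    """Parse ldbsearch/ldapsearch output into a list of {attr: [values]}.

    Blank lines separate entries, '#' lines are comments, a leading space
    continues the previous (folded) value, 'attr:: x' is a base64 value.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        value = value.lstrip()
        if value.startswith(":"):          # base64-encoded value; keep as-is
            value = value[1:].lstrip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def find_dn(entries, sam_account_name):
    """DN of the entry with this sAMAccountName (AD compares case-insensitively)."""
    wanted = sam_account_name.lower()
    for entry in entries:
        if any(v.lower() == wanted for v in entry.get("sAMAccountName", [])):
            return entry["dn"][0]
    return None


def used_ids(entries, attr):
    """Numeric values of attr (uidNumber or gidNumber) already assigned in AD."""
    return {int(v) for e in entries for v in e.get(attr, []) if v.isdigit()}


def allocate_uid(entries, floor=10000):
    """Lowest uidNumber >= floor that no existing object holds (must be unique)."""
    taken = used_ids(entries, "uidNumber")
    uid = floor
    while uid in taken:
        uid += 1
    return uid


def _modify_ldif(dn, attrs):
    """RFC 2849 modify record: one 'add:' block per attribute, each closed by '-'.

    No inline comments: in LDIF a trailing '# ...' is part of the value.
    """
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in attrs:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def user_unix_ldif(dn, user, uid_number, gid_number, nis_domain,
                   login_shell="/bin/bash", home=None):
    """Attributes ADUC's Unix Attributes tab adds; no posixAccount objectClass."""
    return _modify_ldif(dn, [
        ("uid", user), ("msSFU30Name", user), ("msSFU30NisDomain", nis_domain),
        ("uidNumber", uid_number), ("gidNumber", gid_number),
        ("loginShell", login_shell), ("unixHomeDirectory", home or f"/home/{user}"),
        ("unixUserPassword", DUMMY_UNIX_PASSWORD),
    ])


def group_unix_ldif(dn, group, gid_number, nis_domain):
    """Give a group (normally Domain Users) the gidNumber winbind needs."""
    return _modify_ldif(dn, [("msSFU30NisDomain", nis_domain),
                             ("msSFU30Name", group), ("gidNumber", gid_number)])


if __name__ == "__main__":
    entries = parse_ldb_output(SAMPLE_LDBSEARCH)
    uid = allocate_uid(entries, floor=10245)          # skips 10245 -> 10246
    # Save these as /tmp/user.ldif and /tmp/group.ldif, kinit, then
    # ldbmodify -H /var/lib/samba/private/sam.ldb <file>
    print(user_unix_ldif(find_dn(entries, "user"), "user", uid, 10000, "example"))
    print(group_unix_ldif("CN=Domain Users,CN=Users,DC=example,DC=com",
                          "Domain Users", 10000, "example"))
```

Run the real ldbsearch into a file and pass its contents to `parse_ldb_output` instead of the constructed sample; if the target user already carries a uidNumber, `add:` will be refused by the server, which is the desired outcome rather than a silent overwrite.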