[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Jim Seymour jseymour at LinxNet.com
Sat Sep 12 18:12:53 UTC 2015

On Sat, 12 Sep 2015 17:59:54 +0100
Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 12/09/15 14:36, Jim Seymour wrote:
> > On Sat, 12 Sep 2015 08:32:17 +0100
> > Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> >
> > [snip]
> >> Samba4 comes with the uidNumber & gidNumber attributes (and a
> >> load of others), but they are *not* used as standard, the
> >> sysadmin needs to add them.
> > Starting at the page you reference, below, I put "uidNumber" into
> > the search box.  Now, unless I'm missing it, all that comes up are
> > references to it, but no information on how it's used or where to
> > set it.
> OK, you seem to have found a gap on the wiki, it does seem to
> expect that all the administration is done via ADUC :-)

*A* gap?!?!

I've been finding little more than a constant parade of "gaps."  And
it isn't just gaps.  I've had that documentation leave me
anywhere from wondering "WTH are they talking about?" to
taking me entirely down the wrong path.

You might better just take it offline and direct n00bs here.  It's
that bad, IMO.  I don't think I've found a *single* thing there, yet,
that was accurate or complete.

> If you create a new user with samba-tool (and your version is new 
> enough), you can create a user and add the required attributes at
> the same time.

Can you define "new enough?"

> If you want to add the unix attributes to an
> already created AD object, you are going to have to resort to an ldif
> and ldbmodify, ldapmodify or similar ...

Got it!  Thanks!

> >
> > Can I, should I, may I put gidNumber attributes into individual
> > user AD records?  (Matching their [default] *nix gids?)
> Ah, somebody else who thinks Samba4 AD works like samba3, you don't
> have individual Unix groups any more, in fact you do not have Unix
> users any more, they are all AD users that are also Unix users.

So all these reams of files and directories on the existing
fileserver, many of which are shared between both MS-Win and *nix
users, what am I supposed to do with them?

I have, for example, project team and departmental directories (w/in
shares), or entire shares, where, for example, the thing has write
permissions only for the group and a special group has been created
and given read-only permissions with an ACL.

> >
> > Regarding UIDs and GIDs: I've been administering *nix systems
> > since SysVR3, incl. variants such as Xenix and QNX.  I know how
> > *nix works, and UIDs and GIDs.  What I *do not* understand is how
> > to make Samba4 play nicely on a *nix server in a heterogeneous
> > computing environment.
> I hope what I have posted helps,

It does.  Thank you *very* much!

> you just have to get your head
> around the differences (no user private groups for instance, you
> cannot have two objects in AD with the same name)
> If you have any questions, please ask, the only stupid question is
> the one you don't ask :-D

I'm not certain we're talking about the same thing.

We have users.  We have groups.  Various users have various groups
either as their primary GID (e.g.: Everybody who works in the Quality
Dept. is in group "quality"), or one of (possibly many) secondary
GIDs (e.g.: others have group "quality" as one of their [possibly
many] secondary groups.)  "Group" directories/shares will have the
sgid bit set and "force" settings in smb.conf.  That way if, for
example, somebody's primary group is "test", but they have membership
in the "quality" group, when they write to the latter group's space,
files and directories will have the proper group ownership.

It sounds to me like you're telling me all that's out the window?
(No pun intended.)  It *sounds* to me like you're telling me users
can't be members of multiple groups?  I don't see how that can
possibly be true.

Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
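
The LDIF route mentioned in the quoted reply (adding the Unix attributes to an already created AD object with ldbmodify), as an added example that is not part of the original message or of the Samba documentation: a shell function that turns `attribute|id|DN` records into a modify LDIF and refuses malformed, too-low or duplicate IDs. The DNs, the ID values, the `MIN_ID` floor and the sam.ldb path are constructed placeholders and assumptions.

```shell
#!/bin/sh
# Added example: build an LDIF that adds uidNumber/gidNumber to existing AD objects.
# Input (stdin): one "attribute|id|DN" record per line (uidNumber for users,
# gidNumber for groups). Output: LDIF on stdout; on a bad record it prints
# nothing to stdout and returns 1.
MIN_ID=10000   # assumption: local policy floor that keeps AD objects off system IDs (0 is root)

make_unix_attr_ldif() {
    seen=" "; out=""
    while IFS='|' read -r attr id dn; do
        [ -n "$attr" ] || continue                    # skip blank lines
        case "$attr" in
            uidNumber|gidNumber) ;;
            *) echo "unsupported attribute '$attr'" >&2; return 1 ;;
        esac
        case "$id" in
            ''|*[!0-9]*) echo "bad $attr '$id' for $dn" >&2; return 1 ;;
        esac
        [ "$id" -ge "$MIN_ID" ] || { echo "$attr $id is below $MIN_ID" >&2; return 1; }
        [ -n "$dn" ] || { echo "missing DN for $attr $id" >&2; return 1; }
        case "$seen" in                               # two objects sharing an ID share file access
            *" $attr=$id "*) echo "duplicate $attr $id ($dn)" >&2; return 1 ;;
        esac
        seen="$seen$attr=$id "
        out="${out}dn: $dn
changetype: modify
add: $attr
$attr: $id
-

"
    done
    printf '%s' "$out"
}

# Constructed sample records (hypothetical DNs and IDs, not taken from the thread).
make_unix_attr_ldif <<'EOF'
gidNumber|10000|CN=quality,CN=Users,DC=example,DC=com
uidNumber|10001|CN=Alice Example,CN=Users,DC=example,DC=com
EOF
# Review the output, save it to a file, then apply it on the DC, for example:
#   ldbmodify -H /path/to/private/sam.ldb unix-attrs.ldif
```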
