[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Sat Sep 12 20:38:38 UTC 2015

On 12/09/15 21:18, Jim Seymour wrote:
> On Sat, 12 Sep 2015 17:59:54 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> [snip]
>> OK, now you will need an ldif like this:
>> dn: CN=Test User,CN=Users,DC=example,DC=com
>> changetype: modify
>> add: uid
>> uid: user
> Where you write "user" in your example, you mean "username," as
> opposed to UID, correct?

Nope, the users cn is Test User, but the users samaccountname is 'user', 
you need to set the attribute 'uid' (not to be confused with any other 
version of uid) to whatever the 'sAMAccountName' attribute contains, in 
this case 'user'

> [snip]
>> -
>> add: msSFU30NisDomain
>> msSFU30NisDomain: example # change this to your lowercase domain
>> name
> By "domain" ("example" in your example), do you mean the "Samba NT
> Domain" (what shows up for "workgroup =" in smb.conf) or the domain
> in which the AD DC resides, minus the TLD?  (e.g.: "example.com"
> less the ".com" or "dc.example.com" less the ".com"?)  I *suspect*
> you mean the "NT Domain" or workgroup name.
> [snip]

Yes, Samba NT Domain, NetBIOS name or workgroup name, definitely not the 
DNS domain.

>> -
>> add: gidNumber
>> gidNumber: 10000 # what ever gidNumber you gave to Domain Users
> This is the number you earlier said most people set to 513 or 20513,
> yes?  Is there a reason most people use one of those numbers?  Is
> there a common/traditional Unix group name associated with whatever
> that GID is?  (e.g.: "domusers," "ntusers" or the like?)

The RID for Domain Users in AD is always 513 (it is one of the 'well 
known RIDs') some people use the RID, others add something to the front 
of 513, yet others use any number.

> [snip]
>> -
>> add: unixUserPassword
>> unixUserPassword: ABCD!efgh12345$67890 # dummy unix password that
>> ADUC gives to all Unix users
> Is this a no-op field, or should (can) it have the Unix password, or
> should it explicitly *not* have the Unix password or what?

To be honest, it doesn't really need to be added, but this is what 
windows adds, there is something called 'ssod' supplied by microsoft 
that will syncronise the AD and Unix passwords, if this is running (and 
it won't be, it doesn't seem to compile on Unix anymore) 
'unixUserPassword' will contain the AD password but hashed in some form 
or other.


> [remainder: snip]
> Thanks Again,
> Jim

More information about the samba mailing list