[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))
jseymour at LinxNet.com
Sat Sep 12 23:38:07 UTC 2015
On Sat, 12 Sep 2015 21:47:28 +0100
Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 12/09/15 21:26, Jim Seymour wrote:
> > Ah, well... Now there's the question of what attributes are
> > required to create a group. I suppose I can just dump the
> > existing ldap db and see what groups are already there.
> ldif to create group:
> dn: CN=<groupname>,CN=Users,DC=example,DC=com
> objectClass: group
> cn: <groupname>
> name: <groupname>
> sAMAccountName: <groupname>
> distinguishedName: CN=<groupname>,CN=Users,DC=example,DC=com
Thanks! (That'll make life a bit easier :).)
> > You mean by setting their gidNumber attribute to that group,
> > rather than whatever GID was given to "Domain Users"?, in their
> > sam.ldb record?
> > But I thought you earlier said that would Break Things?
> No' what I said was (in a way you didn't understand) don't change
> the 'primaryGroupID' attribute, this is what makes the user a
> member of Domain Users
> The users 'primaryGroupID' != the Unix users primary group id (this
> is what is stored in the 'gidNumber' attribute)
> >> As you are probably
> >> aware, on Unix you can only set the permissions for the user,
> >> group or other, but with NTFS ACLs you can set them for user1,
> >> user2, group1, group2 etc etc, all at the same time.
> > You can do the same under Unix/Linux with setfacl. I've been
> > doing that for years.
> Good, then you know how to use it :-)
N.B.: And let this be a warning to Unix/Linux Admins: Not all
Unix/Linux backup/archiving utilities preserve and restore ACLs.
Some won't do it at all. Others require command-line switches.
> There has been religious wars on here about calling 'Unix
> permissions' ACLs :-D
There's nothing about which to argue: There are *nix permissions and
there are ACLs. They are not the same thing, although they're used
to the same end: Determining who has what access to what.
Thanks for all your help, Rowland! It has been, literally,
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
More information about the samba