[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Mon Sep 14 17:45:48 UTC 2015

On 14/09/15 18:14, Jim Seymour wrote:
> On Mon, 14 Sep 2015 13:36:31 -0300
> Guilherme Boing <kolt+samba at frag.com.br> wrote:
>> Are you using nslcd by any chance ?
> [snip]
> Nope.
> On Mon, 14 Sep 2015 18:56:20 +0200
> buhorojo <buhorojo.lcb at gmail.com> wrote:
> [snip]
>> getent returns primaryGroupID, not gidNumber
> I can see that.
> So what is the point of gidNumber in a user's record if it does
> essentially nothing other than to take up space, possibly duplicate
> another entry (primaryGroupID) or possibly be misleading?
> Regards,
> Jim

OK, now you have got this far, I will drop the bomb on you: you *don't*
actually need the 'gidNumber' attribute for a user. You need it for
groups, but not users!

Group membership in AD is done by member/memberof attributes: you add a
'member' attribute containing the 'dn' of the user to the group object
and AD does the rest. If you go and examine the user's object, you will
now find that a 'memberof' attribute containing the group's dn has been
added. The only exception to this rule is Domain Users, where membership is
governed by the primaryGroupID attribute.

You allow access (read & write etc.) to files & directories with ACLs. If
the user trying to do something to a file or directory doesn't have an
ACL set, they will not be allowed to do whatever it was they tried.
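
The membership rules described in the message above, as an added example that is not part of the original post or of Samba's code: it resolves a user's groups from constructed directory entries using `member` back-links plus `primaryGroupID`, which holds the RID of the primary group (513 for Domain Users). The DNs, SIDs (shown in string form), and function names are assumptions made for illustration.

```python
# Added example: every entry below is constructed, not taken from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder
BASE = "CN=Users,DC=example,DC=com"                        # constructed placeholder

ENTRIES = [
    {"dn": f"CN=Domain Users,{BASE}", "objectClass": "group",
     "objectSid": f"{DOMAIN_SID}-513", "member": []},
    {"dn": f"CN=Staff,{BASE}", "objectClass": "group",
     "objectSid": f"{DOMAIN_SID}-1105", "gidNumber": "10001",
     "member": [f"CN=jim,{BASE}"]},
    # The user's gidNumber is present but is never read by the functions below.
    {"dn": f"CN=jim,{BASE}", "objectClass": "user",
     "objectSid": f"{DOMAIN_SID}-1104", "primaryGroupID": "513",
     "gidNumber": "10001"},
]

def member_of(user_dn, entries):
    """Groups whose 'member' lists the user's DN (the memberOf back-link)."""
    wanted = user_dn.lower()  # DN comparison is case-insensitive
    return sorted(e["dn"] for e in entries
                  if e["objectClass"] == "group"
                  and wanted in (m.lower() for m in e.get("member", [])))

def primary_group(user_dn, entries):
    """Group whose SID is <user's domain SID>-<primaryGroupID>, or None."""
    user = next(e for e in entries if e["dn"].lower() == user_dn.lower())
    domain_sid = user["objectSid"].rsplit("-", 1)[0]
    target = f"{domain_sid}-{user['primaryGroupID']}"
    for e in entries:
        if e["objectClass"] == "group" and e["objectSid"] == target:
            return e["dn"]
    return None

def effective_groups(user_dn, entries):
    """Union of both sources; an audit reading only memberOf misses the second."""
    groups = set(member_of(user_dn, entries))
    primary = primary_group(user_dn, entries)
    if primary:
        groups.add(primary)
    return sorted(groups)

if __name__ == "__main__":
    jim = f"CN=jim,{BASE}"
    print("memberOf     :", member_of(jim, ENTRIES))
    print("primary group:", primary_group(jim, ENTRIES))
    print("effective    :", effective_groups(jim, ENTRIES))
```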

