[Samba] Whither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))
jseymour at LinxNet.com
Tue Sep 15 15:42:45 UTC 2015
On Tue, 15 Sep 2015 13:53:36 +0100
Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 15/09/15 13:23, Jim Seymour wrote:
> > On Tue, 15 Sep 2015 12:38:11 +0100
> No, don't use the group's gidNumber, use its RID
> Find the group's objectSid, it will look like this:
> objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1633
> The number you need is the one on the end, it is known as the 'RID'
> or Relative ID, it is unique in the domain, so you would change '513'
> to (in this case) '1633'
You've been referring to "RID' all along, and I'd meant to either ask
what that was or look it up. Now I know.
> >> I personally wouldn't bother though, just leave everybody's
> >> primary group as Domain Users.
> > Then every file and directory the user creates ends up with the same
> > group identity as every other user on the system.
> Yes but you don't allow Domain Users any access etc via ACLs
> > Are you suggesting elements such as unixHomeDirectory, loginShell,
> > etc. have no meaning, either?
> sigh, yes, but only on the DC, they work everywhere else, I actually
> filed a bug report on this when Samba stopped using the builtin
> winbind and moved to a separate winbindd, but no result so far.
Ok... *now* we may have finally hit an insurmountable show-stopper.
> is one of the reasons why it is not recommended to use the DC as a
I really mean no offense toward the Samba4 development team, but this
is a rather astonishing bug, IMO. Doubly-so as it's been reported, but
> Samba 4 running as an AD DC is trying to do everything that a windows
> DC does, therefore it has to work like a windows DC, but quite a lot
> of what you can do with LDAP can still be done with Samba 4.
Depends on what one means by "quite a lot" and how LDAP (OpenLDAP, in
our case) is being used and had been intended to be used in the future.
Our Sun boxen are using NIS+. Our MS-Win and Linux boxen have been
stand-alone. We had really *hoped* Samba + OpenLDAP would end all
that. Looks like, now, it just moves the line dividing what uses a
network directory from "Sun boxen vs. everything else" to
"MS-Win boxen vs. everything else."
That's an improvement, I suppose, but only because there are more
MS-Win machines than Sun + Linux machines, and it's *far* from optimal.
Oh, and we'll lose our LDAP-based addressbook in the process. And any
hope of the outside-available services (email, webmail, calendaring,
tasks lists, etc.) participating in SSO.
[working on shares: snip]
> > I hadn't posted about that because it's apparent I've some reading
> > to do, and I do try to work things out, for myself, first :)
> I am fairly sure I have said this, forget Unix permissions 'ugo' and
> only use ACLs, they have greater scope.
Probably so. Like I said: It was just the first few tentative steps.
On Tue, 15 Sep 2015 14:48:57 +0200
mathias dufresne <infractory at gmail.com> wrote:
> In one word: virtualisation.
> That's what I was thinking about when I started speaking about
> splitting your environment.
> For sure virtualisation needs time. Time to learn it, time to deploy
The thought had occurred to me, Mathias, but... time. Time is the
We haven't yet had a real *need*, per se, to employ virtualization, so,
other than understanding it in a conceptual way: I know absolutely
*nothing* about it.
I'm backed-up from here to the next millennium in projects. I don't
think I can throw another on the fire.
Me: Boss, this Samba4 AD DC thing isn't going to work "right out of
the box." Due to some bugs/lacks-in-functionality: We'll have to
either deploy a second piece of hardware or virtualize the new one I'm
already working on.
Boss: Don't want a second server. What'll it take to redo the work
you've done in a virtualized environment?
Me: Dunno. Never done it before.
Boss: Dump the AD. We've been living without it. We'll keep living
without it. Get the new server going and be done with it. We
have other work to do.
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
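The RID lookup Rowland describes above (take the last component of the
group's objectSid and write it into the user's primaryGroupID), as an
added example that is not part of the original thread and not Samba's own
tooling. It assumes the DC's sam.ldb sits at the default install path
(override with SAM_DB), and the ldbsearch output it parses is constructed
inline so the script runs offline; the real ldbsearch/ldbmodify
invocations are shown in comments.

```shell
#!/bin/sh
# Added example, not from the thread: derive a group's RID from its
# objectSid and build the LDIF that points a user's primaryGroupID at it.
# Assumption: sam.ldb is under the default Samba prefix; adjust SAM_DB.
SAM_DB="${SAM_DB:-/usr/local/samba/private/sam.ldb}"

# Extract the RID (the last dash-separated component) from a *domain* SID,
# e.g. S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1633 -> 1633.
# Prints nothing for SIDs outside the domain (BUILTIN S-1-5-32-..., etc.),
# since those cannot be a primary group in the domain.
rid_from_sid() {
    printf '%s\n' "$1" |
        sed -n 's/^S-1-5-21-[0-9]*-[0-9]*-[0-9]*-\([0-9]*\)$/\1/p'
}

# Pull the first objectSid value out of ldbsearch/LDIF-style text on stdin.
sid_from_ldif() {
    sed -n 's/^objectSid: *//p' | head -n 1
}

# Emit the LDIF ldbmodify needs to change a user's primary group.
# $1: user DN, $2: RID.  AD only accepts this if the user is already a
# member of that group, so add the membership first (samba-tool group
# addmembers) or the modify is rejected.
primary_group_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: primaryGroupID\nprimaryGroupID: %s\n' "$1" "$2"
}

# Constructed sample of what
#   ldbsearch -H "$SAM_DB" '(sAMAccountName=staff)' objectSid
# returns for a group (SID digits invented for this example).
SAMPLE_SEARCH='# record 1
dn: CN=staff,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1234567890-1234567890-1234567890-1633

# returned 1 records
# 1 entries
# 0 referrals'

# End-to-end on the sample: SID -> RID -> LDIF for a (constructed) user.
demo() {
    sid=$(printf '%s\n' "$SAMPLE_SEARCH" | sid_from_ldif)
    rid=$(rid_from_sid "$sid")
    [ -n "$rid" ] || { echo "no domain RID in '$sid'" >&2; return 1; }
    primary_group_ldif 'CN=jdoe,CN=Users,DC=example,DC=com' "$rid"
}

demo

# Against a live DC (as root), the same pieces are:
#   sid=$(ldbsearch -H "$SAM_DB" '(sAMAccountName=staff)' objectSid | sid_from_ldif)
#   primary_group_ldif 'CN=jdoe,CN=Users,DC=example,DC=com' "$(rid_from_sid "$sid")" > pg.ldif
#   ldbmodify -H "$SAM_DB" pg.ldif
```

The point the script makes explicit is the one in the quoted advice:
primaryGroupID holds the RID, a number relative to the domain SID, not the
POSIX gidNumber, so the two are unrelated even when both are set on the
same group object. The regex deliberately rejects non-domain SIDs so a
BUILTIN group's last component is not mistaken for a usable RID.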