[Samba] Whither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Jim Seymour jseymour at LinxNet.com
Tue Sep 15 15:42:45 UTC 2015


On Tue, 15 Sep 2015 13:53:36 +0100
Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 15/09/15 13:23, Jim Seymour wrote:
> > On Tue, 15 Sep 2015 12:38:11 +0100
[snip]
> 
> No, don't use the groups gidNumber, use its RID
> 
> Find the groups objectSid, it will look like this:
> 
> objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1633
> 
> The number you need is the one on the end, it is known as the 'RID'
> or Relative ID, it is unique in the domain, so you would change '513'
> to (in this case) '1633'

Bingo!

You've been referring to "RID' all along, and I'd meant to either ask
what that was or look it up.  Now I know.

> 
> 
> 
> >
> >> I personally wouldn't bother though, just leave everybody's
> >> primary group as Domain Users.
> > Then every file and directory the user creates ends up with the same
> > group identity as every other user on the system.
> 
> Yes but you don't allow Domain Users any access etc via ACLs

Very well.

> 
[snip]
> > Are you suggesting elements such as unixHomeDirectory, loginShell,
> > etc. have no meaning, either?
> 
> sigh, yes, but only on the DC, they work everywhere else, I actually
> reported a bug report on this when Samba stopped using the builtin
> winbind and moved to a separate winbind, but no result so far.

Ok... *now* we may have finally hit an insurmountable show-stopper.

> This
> is one of the reasons why it is not recommended to use the DC as a
> fileserver.

I really mean no offense toward the Samba4 development team, but this
is a rather astonishing bug, IMO.  Doubly-so as it's been reported, but
remains un-addressed.

> 
[snip]
> 
> Samba 4 running as an AD DC is trying to do everything that a windows
> DC does, therefore it has to work like a windows DC, but quite a lot
> of what you can do with LDAP can still be done with Samba 4.

Depends on what one means by "quite a lot" and how LDAP (OpenLDAP, in
our case) is being used and had intended to be used in the future.

Our Sun boxen are using NIS+.  Our MS-Win and Linux boxen have been
stand-alone.  We had really *hoped* Samba + OpenLDAP would end all
that.  Looks like, now, it just moves the line between what uses a
network directory from between "Sun Boxen and everything else" to
"between MS-Win boxen and everything else."

That's an improvement, I suppose, but only because there are more
MS-Win machines than Sun + Linux machines, but it's *far* from optimal.

Oh, and we'll lose our LDAP-based addressbook in the process.  And any
hope of the outside-available services (email, webmail, calendaring,
tasks lists, etc.) participating in SSO.

> 
[working on shares: snip]
> >
> > I hadn't posted about that because it's apparent I've some reading
> > to do, and I do try to work things out, for myself, first :)
> 
> I am fairly sure I have said this, forget Unix permissions 'ugo' and
> only use ACLs, they have greater scope.

Probably so.  Like I said: It was just the first few tentative steps.


On Tue, 15 Sep 2015 14:48:57 +0200
mathias dufresne <infractory at gmail.com> wrote:

> In one word: virtualisation.
> That's what I was thinking about when I started speaking about
> splitting your environment.
...
> 
> For sure virtualisation needs time. Time to learn it, time to deploy

The thought had occurred to me, Mathias, but... time.  Time is the
problem.

We haven't yet had a real *need*, per se, to employ virtualization, so,
other than understanding it in a conceptual way: I know absolutely
*nothing* about it.

I'm backed-up from here to the next millennium in projects.  I don't
think I can throw another on the fire.

  Me: Boss, this Samba4 AD DC thing isn't going to work "right out of
      the box."  Due to some bugs/lacks-in-functionality: We'll have to
      either deploy a second piece of hardware or virtualize the new one I'm
      already working on.

Boss: Don't want a second server.  What'll it take to redo the work
      you've done in a virtualized environment?

  Me: Dunno.  Never done it before.

Boss: Dump the AD.  We've been living without it.  We'll keep living
      without it.  Get the new server going and be done with it.  We
      have other work to do.

Regards,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
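Added example (my own code, not from this thread or from Samba) for the objectSid/RID point Rowland makes above: it splits a textual domain SID into the domain part and the trailing RID, converts between the string form and the binary form sam.ldb stores, and names the well-known RIDs such as 513 (Domain Users). The 1111111111/2222222222/3333333333 machine parts below are constructed values; the RID-to-name table holds the standard Windows builtin-group RIDs.

```python
import struct

# Standard well-known RIDs of the builtin domain groups (Windows-defined values).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

def parse_sid(sid):
    """Parse 'S-1-5-21-x-y-z-1633' into (revision, authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % (sid,))
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError("unsupported SID revision: %r" % (sid,))
    return revision, authority, subauths

def split_domain_sid(sid):
    """Return (domain_sid, rid); the RID is the last sub-authority, as in the thread."""
    revision, authority, subauths = parse_sid(sid)
    # An AD domain SID is S-1-5-21-<three 32-bit domain parts>-<RID>.
    if authority != 5 or subauths[:1] != [21] or len(subauths) != 5:
        raise ValueError("not an AD domain SID: %r" % (sid,))
    domain = "S-%d-%d-%s" % (revision, authority,
                             "-".join(str(s) for s in subauths[:-1]))
    return domain, subauths[-1]

def sid_to_bytes(sid):
    """Encode to the binary layout sam.ldb stores: rev, count, 6-byte BE authority, LE u32s."""
    revision, authority, subauths = parse_sid(sid)
    return (bytes([revision, len(subauths)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subauths), *subauths))

def sid_from_bytes(blob):
    """Decode a binary objectSid back to its 'S-1-5-21-...' string form."""
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")
    subauths = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subauths))

def primary_group_id_for(group_sid):
    """The value primaryGroupID takes for this group: its RID as a decimal string."""
    _, rid = split_domain_sid(group_sid)
    return str(rid)

def describe_rid(rid):
    """Name a well-known RID, otherwise flag it as a domain-specific group."""
    return WELL_KNOWN_RIDS.get(rid, "RID %d (domain-specific group)" % rid)
```

Feeding a group's objectSid through primary_group_id_for() gives exactly the number that replaces '513' in the user's primaryGroupID; describe_rid() tells you whether a primaryGroupID you find is still the default Domain Users.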
