[Samba] Whither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Jim Seymour jseymour at LinxNet.com
Tue Sep 15 15:42:45 UTC 2015

On Tue, 15 Sep 2015 13:53:36 +0100
Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 15/09/15 13:23, Jim Seymour wrote:
> > On Tue, 15 Sep 2015 12:38:11 +0100
> No, don't use the groups gidNumber, use its RID
> Find the groups objectSid, it will look like this:
> objectSid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-1633
> The number you need is the one on the end, it is known as the 'RID'
> or Relative ID, it is unique in the domain, so you would change '513'
> to (in this case) '1633'


You've been referring to "RID" all along, and I'd meant to either ask
what that was or look it up.  Now I know.

> >
> >> I personally wouldn't bother though, just leave everybody's
> >> primary group as Domain Users.
> > Then every file and directory the user creates ends up with the same
> > group identity as every other user on the system.
> Yes but you don't allow Domain Users any access etc via ACLs

Very well.

> > Are you suggesting elements such as unixHomeDirectory, loginShell,
> > etc. have no meaning, either?
> sigh, yes, but only on the DC, they work everywhere else, I actually
> filed a bug report on this when Samba stopped using the builtin
> winbind and moved to a separate winbindd, but no result so far.

Ok... *now* we may have finally hit an insurmountable show-stopper.

> This
> is one of the reasons why it is not recommended to use the DC as a
> fileserver.

I really mean no offense toward the Samba4 development team, but this
is a rather astonishing bug, IMO.  Doubly so as it's been reported, but
remains un-addressed.

> Samba 4 running as an AD DC is trying to do everything that a windows
> DC does, therefore it has to work like a windows DC, but quite a lot
> of what you can do with LDAP can still be done with Samba 4.

Depends on what one means by "quite a lot" and how LDAP (OpenLDAP, in
our case) is being used and had intended to be used in the future.

Our Sun boxen are using NIS+.  Our MS-Win and Linux boxen have been
stand-alone.  We had really *hoped* Samba + OpenLDAP would end all
that.  Looks like, now, it just moves the line between what uses a
network directory from between "Sun Boxen and everything else" to
"between MS-Win boxen and everything else."

That's an improvement, I suppose, but only because there are more
MS-Win machines than Sun + Linux machines, and it's *far* from optimal.

Oh, and we'll lose our LDAP-based addressbook in the process.  And any
hope of the outside-available services (email, webmail, calendaring,
tasks lists, etc.) participating in SSO.

[working on shares: snip]
> >
> > I hadn't posted about that because it's apparent I've some reading
> > to do, and I do try to work things out, for myself, first :)
> I am fairly sure I have said this, forget Unix permissions 'ugo' and 
> only use ACLs, they have greater scope.

Probably so.  Like I said: It was just the first few tentative steps.

On Tue, 15 Sep 2015 14:48:57 +0200
mathias dufresne <infractory at gmail.com> wrote:

> In one word: virtualisation.
> That's what I was thinking about when I start speaking about
> splitting your environment. 
> For sure virtualisation needs time. Time to learn it, time to deploy

The thought had occurred to me, Mathias, but... time.  Time is the

We haven't yet had a real *need*, per se, to employ virtualization, so,
other than understanding it in a conceptual way: I know absolutely
*nothing* about it.

I'm backed-up from here to the next millennium in projects.  I don't
think I can throw another on the fire.

  Me: Boss, this Samba4 AD DC thing isn't going to work "right out of
      the box."  Due to some bugs/lacks-in-functionality: We'll have to
      either deploy a second piece of hardware or virtualize the new one I'm
      already working on.

Boss: Don't want a second server.  What'll it take to redo the work
      you've done in a virtualized environment?

  Me: Dunno.  Never done it before.

Boss: Dump the AD.  We've been living without it.  We'll keep living
      without it.  Get the new server going and be done with it.  We
      have other work to do.

Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
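Added example, not part of the thread or of Samba's own tooling: it decodes a binary objectSid as stored in the directory, splits off the RID that Rowland describes, and builds the LDIF that replaces a user's primaryGroupID with that RID, refusing a group whose domain prefix differs from the user's (primaryGroupID holds only a RID, so it is meaningless across domains). The domain SID, RIDs and DN below are constructed sample values.

```python
# Added example (not from the thread): decode objectSid, extract the RID,
# and emit the primaryGroupID change as LDIF. All SID values are constructed.
import struct

def parse_sid(blob: bytes) -> str:
    """Decode a binary objectSid (revision, count, 48-bit authority,
    little-endian sub-authorities) into its S-1-5-21-... text form."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def split_sid(sid: str):
    """Return (domain SID, RID): the RID is the last dash-separated field."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])

def primary_group_ldif(user_dn: str, user_sid: str, group_sid: str) -> str:
    """LDIF replacing primaryGroupID with the group's RID. The check below
    rejects a group from another domain; AD additionally requires the user
    to already be a member of the group before the change is accepted."""
    user_domain, _ = split_sid(user_sid)
    group_domain, rid = split_sid(group_sid)
    if user_domain != group_domain:
        raise ValueError("group %s is not in domain %s" % (group_sid, user_domain))
    return ("dn: %s\nchangetype: modify\nreplace: primaryGroupID\n"
            "primaryGroupID: %d\n" % (user_dn, rid))

# Constructed sample: binary objectSid of a group with RID 1633 in a
# made-up domain, plus a user SID (RID 1105) from the same domain.
SAMPLE_GROUP_SID = (bytes([1, 5]) + (5).to_bytes(6, "big")
                    + struct.pack("<5I", 21, 1111111111, 2222222222, 3333333333, 1633))
SAMPLE_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"

if __name__ == "__main__":
    group = parse_sid(SAMPLE_GROUP_SID)
    print(primary_group_ldif("CN=jim,CN=Users,DC=example,DC=com", SAMPLE_USER_SID, group))
```

The resulting LDIF is what you would feed to Samba's ldbmodify, or type into ldbedit by hand.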
