[Samba] Windows pre-requisites for login with winbind?

Rowland Penny rpenny at samba.org
Wed Aug 23 15:06:11 UTC 2017


On Wed, 23 Aug 2017 14:39:19 +0000
"A. James Lewis" <james at fsck.co.uk> wrote:

> OK, that is the answer, but can you explain what an "RID" is from a
> Windows perspective?... I had thought that the mapping was not a 1-1,
> and it appears it is, once the idmap range is taken into account.
> 
> idmap config DOMAIN:range = 5000-300000
> 
> My UIDs appear to be offset by 5000 from the RID... but I'd love to
> know exactly what RID is.
> 
> Many thanks tho, I probably should have tried increasing this cap
> earlier!
> 
> James

Not a problem. As you may or may not know, Unix uses numeric IDs to
identify users & groups and names to identify domains. For instance
'SAMDOM\rowland' is a member of the SAMDOM domain with the id '10000'.

Windows does something similar, it uses 'SID-RID' to identify users and
groups, in fact anything.

The SID identifies the domain and the RID identifies the object (which
can be a user, group, etc)

A typical SID-RID will look like this:

S-1-5-21-1768301897-3342589593-1064908849-1107

The SID is the 'S-1-5-21-1768301897-3342589593-1064908849' part
The RID is the last part '1107'

The SID is used extensively in the AD database and is always the same
(in each AD)

The RID is unique to the object and is never reused.

I hope this helps you understand things a bit better.

Rowland
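
The SID/RID split and the RID-to-UID offset discussed in this thread, as an added example that is not part of either poster's message. It assumes Samba's idmap_rid backend with base_rid 0 (ID = RID - base_rid + low end of range), which matches the 5000 offset described above; the function names are hypothetical.

```python
# Added example: split a SID into domain SID and RID, then map the RID
# to a Unix ID the way the idmap_rid backend does.
# Assumption: rid backend, base_rid = 0 (not stated on the page).

def split_sid(sid):
    """Return (domain_sid, rid) for a string like S-1-5-21-...-1107."""
    parts = sid.strip().split("-")
    # 'S', revision, identifier authority, then at least one sub-authority
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    if not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"non-numeric SID component in {sid!r}")
    rid = int(parts[-1])
    if rid > 0xFFFFFFFF:          # sub-authorities are 32-bit values
        raise ValueError(f"RID out of 32-bit range in {sid!r}")
    return "-".join(parts[:-1]), rid

def parse_range(value):
    """Parse the value of 'idmap config DOMAIN:range', e.g. '5000-300000'."""
    low, high = (int(x) for x in value.split("-"))
    if low > high:
        raise ValueError(f"invalid range: {value!r}")
    return low, high

def rid_to_unix_id(rid, id_range, base_rid=0):
    """ID = RID - base_rid + low; None when the result falls outside the range."""
    low, high = id_range
    unix_id = rid - base_rid + low
    if rid < base_rid or unix_id > high:
        return None               # object gets no mapping: the range is too small
    return unix_id

def unix_id_to_rid(unix_id, id_range, base_rid=0):
    """Inverse mapping, useful when tracing a UID in a log back to an AD object."""
    low, high = id_range
    if not low <= unix_id <= high:
        return None
    return unix_id - low + base_rid

if __name__ == "__main__":
    sid = "S-1-5-21-1768301897-3342589593-1064908849-1107"  # SID from the post
    domain_sid, rid = split_sid(sid)
    wide = parse_range("5000-300000")    # range quoted in the thread
    narrow = parse_range("5000-6000")    # constructed: upper bound set too low
    print(domain_sid, rid)
    print("wide range   ->", rid_to_unix_id(rid, wide))
    print("narrow range ->", rid_to_unix_id(rid, narrow))
```

With the narrow range the same RID yields no Unix ID at all, which is the situation that raising the upper bound of the range resolves.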
 


