[Samba] Classicupgrade : was id mapping

Andrew Bartlett abartlet at samba.org
Wed Feb 22 23:13:34 UTC 2017


On Mon, 2017-02-20 at 13:30 +0000, Rowland Penny via samba wrote:
> On Mon, 20 Feb 2017 12:40:00 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > Well it would, Domain Users seems to have the gidNumber '513' and this
> > is lower than your lower domain setting '4000'
> > 
> 
> I am beginning to wonder if upgrading an NT4-style PDC to a DC is a
> good idea.
> 
> Linux starts its normal user base at '1000' (and yes, red-hat used to
> start at 500) and it has been like this for a long time. Samba allowed
> Domain user & group RIDs to be used for u/gidNumbers, this was a stupid
> idea in my opinion.
> 
> 'Domain Users' is 513 
> 'Domain Admins' is 512
> 
> So we now have the problem that a user is trying to set up an 'idmap
> config' line in smb.conf on a domain member, he is going to have to
> use something like this:
> 
> 	idmap config DOMAIN: range = 500-999999
> 
> Which means that he cannot have any local Unix users at all, so what
> happens if something goes wrong with Samba on that domain member and
> root login is disabled except at the console and the console isn't
> easily accessible ?
> 
> Should we be recommending setting up a new domain instead of upgrading
> the old PDC, or changing any low u/gidNumbers ??? or what ???

RID values are not converted directly to UID or GID values in the way
you suppose.  

I think there is some confusion between the uidNumber / gidNumber and
the user's RID (in objectSID) / primaryGroupID here.

Andrew Bartlett
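
An added example, not part of the original message or of Samba's code: it keeps the RID (the last sub-authority of objectSID) apart from the gidNumber attribute and reports which gidNumber values fall outside an 'idmap config' range. It assumes the domain member takes gidNumber from the directory; the SIDs, the 10512 value and the 'Staff' group are constructed sample data.

```python
import struct

def make_sid(rid, domain=(1111111111, 2222222222, 3333333333)):
    """Build a binary objectSid S-1-5-21-<domain>-<rid> (constructed test data)."""
    subs = (21, *domain, rid)
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def sid_to_rid(sid):
    """Return the RID: the last 32-bit little-endian sub-authority of the SID."""
    if len(sid) < 12 or sid[0] != 1 or len(sid) != 8 + 4 * sid[1]:
        raise ValueError("malformed objectSid")
    return struct.unpack_from("<I", sid, len(sid) - 4)[0]

def parse_range(line):
    """Parse 'idmap config DOMAIN: range = LOW-HIGH' into (LOW, HIGH)."""
    low, high = line.split("=", 1)[1].strip().split("-")
    low, high = int(low), int(high)
    if low > high:
        raise ValueError("range is reversed")
    return low, high

def audit(groups, idmap_line):
    """Map group name -> (RID, gidNumber, status) for the given idmap range."""
    low, high = parse_range(idmap_line)
    report = {}
    for name, sid, gid_number in groups:
        if gid_number is None:
            status = "no gidNumber"
        elif low <= gid_number <= high:
            status = "ok"
        else:
            status = "outside range"
        report[name] = (sid_to_rid(sid), gid_number, status)
    return report

# Constructed sample: (name, objectSid, gidNumber attribute or None).
SAMPLE = [
    ("Domain Users", make_sid(513), 513),      # the low gidNumber from the thread
    ("Domain Admins", make_sid(512), 10512),   # constructed value
    ("Staff", make_sid(1105), None),           # hypothetical group, no gidNumber
]

if __name__ == "__main__":
    for name, row in audit(SAMPLE, "idmap config DOMAIN: range = 4000-999999").items():
        print(name, *row)
```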


