[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers

Rowland Penny rpenny at samba.org
Fri Jan 12 20:26:08 UTC 2018


On Fri, 12 Jan 2018 21:01:57 +0100
Prunk Dump via samba <samba at lists.samba.org> wrote:

> Thank you very much for your help !!
> 
> The problem is that I need a way to create the ID numbers without
> overwriting the previous one as I don't use ADUC but shell scripts.
> This is why I use the xidNumber generation (on one specific DC) that
> take care of that. This idea is not from me, it was used long time ago
> by a Spanish IT that often come here ;) ( but his method has changed
> maybe .... )
> 
> Is there a way built in Samba to do it ? Because, as my shares are
> also exported with NFSv4, I need consistent id mapping between Samba
> and NFS. This also help backing up files because they can be restored
> on any file server by saving the ACLs and xattrs.
> 
> Do you think that is a good idea to assign to rfc2307 the xidNumber +
> 100000 to avoid idmap.ldb overwriting the ID ?

The problem is, you are thinking in the wrong direction ;-)
If you give a user a uidNumber, or a group a gidNumber, these will be
used instead of the xidNumbers found in idmap.ldb; you do not need to
alter idmap.ldb at all.
The way ADUC works is by using a couple of attributes that, by default,
Samba AD doesn't have. These are 'msSFU30MaxUidNumber' &
'msSFU30MaxGidNumber' and they hold the next uidNumber & gidNumber.
They should be in:
dn:
CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Where 'samdom' is your lowercase workgroup and
'DC=samdom,DC=example,DC=com' is your realm/dns domain.

If you can write scripts, I am sure you can figure out how to use
them ;-)
If not, contact me off list and I will provide a sample.

> 
> But there is still a problem for computer accounts. Does there exist an
> automatic way to assign uidNumbers to computers when joining to the
> domain ?
> 

Not when the computer is joined (as far as I am aware), but you may be
able to pre-create the computer object (with uidNumber) before the
join; I have never tried it.

Rowland
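The allocation scheme Rowland describes (read the next ID from 'msSFU30MaxUidNumber' / 'msSFU30MaxGidNumber', assign it, bump the counter), written out as an added example that is not from the thread, from Samba, or from ADUC. It assumes the counter DN given above for a domain called samdom, and it stands in a toy in-memory dictionary for the directory so it runs offline; the LDIF it builds is what a script would feed to ldbmodify or ldapmodify against a real DC. The one design point worth copying is the counter bump: deleting the specific old value and adding the new one in a single modify fails if another script changed the counter in between, so two scripts can never hand out the same number.

```python
"""Model of allocating uidNumber/gidNumber from the msSFU30Max* counters.

Added example: the directory is simulated in memory and the DN of the
counter object is assumed from the list message (samdom.example.com).
"""

COUNTER_DN = ("CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,"
              "CN=System,DC=samdom,DC=example,DC=com")

# Constructed stand-in for the AD database: DN -> {attribute: value}
directory = {
    COUNTER_DN: {"msSFU30MaxUidNumber": "10000",
                 "msSFU30MaxGidNumber": "10000"},
    "CN=alice,CN=Users,DC=samdom,DC=example,DC=com": {},
    "CN=bob,CN=Users,DC=samdom,DC=example,DC=com": {},
    "CN=staff,CN=Users,DC=samdom,DC=example,DC=com": {},
}

KINDS = {"uid": ("msSFU30MaxUidNumber", "uidNumber"),
         "gid": ("msSFU30MaxGidNumber", "gidNumber")}


def build_allocation_ldif(counter_attr, current, target_dn, id_attr):
    """LDIF for a real DC: bump the counter only if it still holds `current`
    (delete old value + add new value in ONE modify), then set the ID."""
    return (
        f"dn: {COUNTER_DN}\n"
        "changetype: modify\n"
        f"delete: {counter_attr}\n"
        f"{counter_attr}: {current}\n"
        "-\n"
        f"add: {counter_attr}\n"
        f"{counter_attr}: {current + 1}\n"
        "-\n"
        "\n"
        f"dn: {target_dn}\n"
        "changetype: modify\n"
        f"replace: {id_attr}\n"
        f"{id_attr}: {current}\n"
        "-\n"
    )


def bump_counter(counter_attr, expected):
    """Simulate the LDAP semantics of 'delete attr: <value>': the modify is
    rejected when that exact value is no longer present, which is what makes
    the allocation safe against two scripts running at once."""
    entry = directory[COUNTER_DN]
    if entry[counter_attr] != str(expected):
        return False            # someone else allocated first; caller retries
    entry[counter_attr] = str(expected + 1)
    return True


def allocate(target_dn, kind="uid", attempts=5):
    """Hand the next free uidNumber/gidNumber to `target_dn`.

    Returns (allocated_id, ldif_text). Retries when the counter moved between
    the read and the bump."""
    counter_attr, id_attr = KINDS[kind]
    for _ in range(attempts):
        current = int(directory[COUNTER_DN][counter_attr])
        ldif = build_allocation_ldif(counter_attr, current, target_dn, id_attr)
        if bump_counter(counter_attr, current):
            directory[target_dn][id_attr] = str(current)
            return current, ldif
    raise RuntimeError(f"could not allocate {id_attr} after {attempts} tries")


def next_free(kind="uid"):
    """Value the counter currently holds (the ID the next call will get)."""
    return int(directory[COUNTER_DN][KINDS[kind][0]])


if __name__ == "__main__":
    for dn in ("CN=alice,CN=Users,DC=samdom,DC=example,DC=com",
               "CN=bob,CN=Users,DC=samdom,DC=example,DC=com"):
        uid, ldif = allocate(dn, "uid")
        print(f"{dn} -> uidNumber {uid}")
        print(ldif)
    gid, _ = allocate("CN=staff,CN=Users,DC=samdom,DC=example,DC=com", "gid")
    print(f"staff -> gidNumber {gid}; next uid {next_free('uid')}")
```

Because uidNumber and gidNumber are looked up before idmap.ldb, IDs handed out this way are the same on every DC and on the NFSv4 side, with no need to touch xidNumber at all.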


