[Samba] Best way to generate Unix UIDs and GIDs?
Rowland Penny
rpenny at samba.org
Sun Jan 14 14:51:46 UTC 2018
On Sun, 14 Jan 2018 14:53:15 +0100
Yvan Masson via samba <samba at lists.samba.org> wrote:
> Hi,
>
> For a new samba domain, I need to create users and groups with Unix
> UIDs and GIDs.
>
> In the future, it is possible that there will be a trust with other
> domains, so I need to take care that there won't be any UID/GID
> conflict. Also, I assume that in the future Samba will be able to
> restore deleted objects, so I need to avoid conflicts with those
> objects as well.
>
> This makes me think that a good way would be to generate UIDs/GUIDs
> from SID. I know SSSD does it (apparently not ensuring
> consistency[1]), but I could not find a script that does only this.
> However, I found this python script[2] which seems to be what
> Centrify does.
>
> What do you think about all of this?
>
> Regards,
> Yvan
>
> 1.
> https://funinit.wordpress.com/2017/09/14/integrating-red-hat-with-active-directory/
> 2. https://gist.github.com/msmorul/11217186
>
Can I suggest you read this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
and this:
https://wiki.samba.org/index.php/Idmap_config_rid
winbind will do what you require, I cannot comment on [1], sssd has
NOTHING to do with Samba. I also cannot recommend using [2], from
examining the script, it would appear that it would be possible to get
the same ID for two users from different domains e.g. if we take these
two SID-RIDS:
S-1-5-21-1768301897-3342589593-1064908849-3601
S-1-5-21-2879412908-4453690604-1064908849-3601
It appears the script would take a portion of the end of the SID, add
'0' the the RID, so they could be:
06490884903601
and
06490884903601
How would Samba and Unix tell them apart ?
Windows could tell the two SID-RIDs apart.
Rowland
More information about the samba
mailing list