[Samba] Avoiding uid conflicts between rfc2307 user/groups and computers
prunkdump at gmail.com
Mon Jan 15 18:51:12 UTC 2018
Thanks again for your help!
2018-01-12 21:26 GMT+01:00 Rowland Penny <rpenny at samba.org>:
> The problem is, you are thinking in the wrong direction ;-)
> If you give a user a uidNumber, or a group a gidNumber, these will be
> used instead of the xidNumbers found in idmap.ldb, you do not need to
> alter idmap.ldb at all.
> The way ADUC works is by using a couple of attributes, that, by default
> Samba AD doesn't have. These are 'msSFU30MaxUidNumber' &
> 'msSFU30MaxGidNumber' and they hold the next uidNumber & gidNumber.
> They should be in:
> Where 'samdom' is your lowercase workgroup and
> 'DC=samdom,DC=example,DC=com' is your realm/dns domain.
> If you can write scripts, I am sure you can figure out how to use
> them ;-)
> If not, contact me off list and I will provide a sample.
On my SAM database I have a CN=samdom,CN=ypservers entry:
# ldbsearch -H /var/lib/samba/private/sam.ldb -s base -b
# record 1
But there is no msSFU30MaxUidNumber and msSFU30MaxGidNumber values.
Do you know if this current entry was created by Samba or by some
Windows administration tools?
Do you know if I need to add a class to add the msSFU30MaxUidNumber
and msSFU30MaxGidNumber values?
(I don't know how to read schema specification directly inside the database)
2018-01-15 16:18 GMT+01:00 Kacper Wirski via samba <samba at lists.samba.org>:
> I understand the OP, I was asking some time ago similar question, but it was
> in relation to samba domain member. I couldn't get backend: ad to work for
> machine accounts, so I switched to idmap: rid and it solved everything. I
> tried manually adding UID and GID to Domain Computer group and to machine
> accounts, but it didn't seem to work properly, so I gave up especially that
> RID was perfectly fine.
Thanks, but I also use the other rfc2307 attributes. Not only
uidNumber and gidNumber. So I need to keep all the rfc2307 values
updated and I can't switch to RID. Moreover, the file system is also
exported by NFSv4 so I need consistent IDs on all the
On my Linux clients I use a special script to join the computer to the
domain. So there is no problem setting the host parameters in AD
database. But from Windows client I have no control.
Thanks again!
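Rowland's reply above describes the mechanism ADUC uses: the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes on the ypservers object hold the next uidNumber/gidNumber to hand out, and a script can read the counter, stamp the new account and advance the counter. The following is an added example of such a script, not code from this thread or from the Samba project. It assumes the counter object lives at the full DN given in COUNTER_DN (the message above only shows CN=samdom,CN=ypservers; check the DN in your own sam.ldb), and it works on constructed ldbsearch-style output embedded inline rather than talking to a real domain controller. It also covers the case the thread is about: an id already set by hand at or above the counter is skipped so that no two objects share a uidNumber or gidNumber.

```python
"""Allocate rfc2307 uidNumber/gidNumber values from the msSFU30Max* counters.

Added example for the thread above (not Samba's own code). It parses
ldbsearch-style LDIF, reads the counter on the ypservers object, picks the
smallest id at or above the counter that no existing object already carries,
and emits the LDIF change records that stamp the target and advance the counter.
"""
from typing import Dict, List, Set, Tuple

# ASSUMED full DN of the counter object; the thread only shows
# CN=samdom,CN=ypservers. Verify with ldbsearch on your own sam.ldb.
COUNTER_DN = ("CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,"
              "DC=samdom,DC=example,DC=com")

# CONSTRUCTED sample in the layout ldbsearch prints: the counter object plus
# two objects that already have rfc2307 ids. bob's uidNumber was set by hand
# to the value the counter is about to hand out, which is the collision case.
SAMPLE_LDIF = """\
# record 1
dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
cn: samdom
msSFU30MaxUidNumber: 10010
msSFU30MaxGidNumber: 20003

# record 2
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10005
gidNumber: 20000

# record 3
dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
uidNumber: 10010
gidNumber: 20000

# returned 3 records
# 3 entries
# 0 referrals
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Turn ldbsearch output into a list of {attribute: [values]} dicts.

    Comment lines ('# record 1', '# returned ...') are ignored, entries are
    separated by blank lines, and LDIF continuation lines (leading space)
    are folded back onto the previous value.
    """
    entries: List[Entry] = []
    current: Entry = {}
    last_attr = None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def used_ids(entries: List[Entry], id_attr: str) -> Set[int]:
    """Every uidNumber (or gidNumber) already present in the directory."""
    return {int(v) for e in entries for v in e.get(id_attr, []) if v.isdigit()}


def next_free_id(counter: int, taken: Set[int]) -> int:
    """Smallest id >= counter that is not already in use."""
    candidate = counter
    while candidate in taken:
        candidate += 1
    return candidate


def allocate(entries: List[Entry], target_dn: str,
             counter_attr: str, id_attr: str) -> Tuple[int, str]:
    """Pick a free id for target_dn and build the LDIF that applies it."""
    counter_entry = next((e for e in entries
                          if e.get("dn", [""])[0].lower() == COUNTER_DN.lower()), None)
    if counter_entry is None or counter_attr not in counter_entry:
        raise LookupError(f"{counter_attr} not found on {COUNTER_DN}")
    counter = int(counter_entry[counter_attr][0])
    new_id = next_free_id(counter, used_ids(entries, id_attr))
    # Two change records: stamp the target, then move the counter past it.
    ldif = (
        f"dn: {target_dn}\nchangetype: modify\nadd: {id_attr}\n{id_attr}: {new_id}\n-\n\n"
        f"dn: {COUNTER_DN}\nchangetype: modify\n"
        f"replace: {counter_attr}\n{counter_attr}: {new_id + 1}\n-\n"
    )
    return new_id, ldif


def allocate_uid(entries: List[Entry], target_dn: str) -> Tuple[int, str]:
    return allocate(entries, target_dn, "msSFU30MaxUidNumber", "uidNumber")


def allocate_gid(entries: List[Entry], target_dn: str) -> Tuple[int, str]:
    return allocate(entries, target_dn, "msSFU30MaxGidNumber", "gidNumber")


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    uid, ldif_out = allocate_uid(parsed, "CN=carol,CN=Users,DC=samdom,DC=example,DC=com")
    print(f"allocated uidNumber {uid}")  # 10011: the counter said 10010, but bob has it
    print(ldif_out)
```

In practice the input would come from `ldbsearch -H /var/lib/samba/private/sam.ldb` and the emitted LDIF would be fed to `ldbmodify`. Note that reading the counter and writing it back are two separate operations, so two join scripts running at the same moment could both pick the same id; serialise the allocation (a lock file on the host that runs the script is the simplest option) if joins can happen concurrently.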