[Samba] Automatically assigning uidNumber / gidNumber attributes
Jonathon Reinhart
jonathon.reinhart at gmail.com
Wed Jun 5 20:12:45 UTC 2019
All,
I'm working on a script to automatically assign uidNumber and gidNumber
attributes to users. I have a few questions:
1) Which users should be excluded from this assignment?
I'm currently using this LDAP filter (simplified syntax used here):
(objectClass=user) & (objectCategory=Person) & ~(sAMAccountName=krbtgt*)
Specifically, based on recent conversations, I'm wondering if
Administrator should have uidNumber assigned.
2) Which groups should be excluded?
I'm currently using:
(objectClass=group)
https://lists.samba.org/archive/samba/2019-June/223478.html
In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
gidNumber attribute."
I'm assuming that means it should be avoided? What other groups should
be avoided, and why?
3) Should I assign user gidNumbers?
I'm assigning user gidNumber by resolving their primaryGroupID RID to
the group, and copying that gidNumber. As I understand, the idmap_ad
plugin for Winbind applies this same logic if unix_primary_group is set
to "no" (the default). Is there any reason that my script should not set
gidNumber?
---
I'm using the range 100000-200000 for both uidNumber and gidNumber. From
everything I've read this shouldn't conflict with anything, even if I
extend it up towards 1M.
My script stores the "next uidNumber" and "next gidNumber" to assign in
a local file. I could use MAX(uidNumber) but that could be problematic
if the highest-valued user is deleted. It'd be great if I could somehow
store these values in LDAP, but I'm not seeing a way to do that.
I intend to release the script as open-source after it gets a few miles
on it :-)
Best regards,
Jonathon
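The allocation scheme described in the message above, sketched as an added example that is not part of the original post and is not the author's script. It assumes directory entries arrive as plain dicts; `IdAllocator`, `assign`, `sample` and the JSON state file are hypothetical names, and no exclusions beyond the post's krbtgt filter are applied.

```python
import json
import os

# The post's simplified user filter written in LDAP filter syntax (reference only).
USER_FILTER = "(&(objectClass=user)(objectCategory=Person)(!(sAMAccountName=krbtgt*)))"

class IdAllocator:
    """Monotonic counters kept in a local file, so a deleted account's id is never reissued."""
    def __init__(self, path, low=100000, high=200000):  # range from the post
        self.path, self.high = path, high
        self.state = {"uidNumber": low, "gidNumber": low}
        if os.path.exists(path):
            with open(path) as f:
                self.state.update(json.load(f))

    def allocate(self, attr):
        value = self.state[attr]
        if value > self.high:
            raise RuntimeError(f"{attr} range exhausted")
        self.state[attr] = value + 1
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.state, f)
        os.replace(tmp, self.path)  # atomic rename: never a half-written state file
        return value

def assign(users, groups, alloc):
    """Return {dn: {attr: value}} to write; entries are dicts standing in for LDAP results."""
    mods = {}
    for g in groups:
        if "gidNumber" not in g:
            g["gidNumber"] = alloc.allocate("gidNumber")
            mods[g["dn"]] = {"gidNumber": g["gidNumber"]}
    # A group's RID is the last component of its objectSid.
    gid_by_rid = {int(g["objectSid"].rsplit("-", 1)[1]): g["gidNumber"] for g in groups}
    for u in users:
        if u["sAMAccountName"].lower().startswith("krbtgt"):
            continue  # same exclusion as USER_FILTER
        change = {}
        if "uidNumber" not in u:
            change["uidNumber"] = alloc.allocate("uidNumber")
        gid = gid_by_rid.get(int(u["primaryGroupID"]))
        if "gidNumber" not in u and gid is not None:
            change["gidNumber"] = gid  # copy the primary group's gidNumber
        if change:
            mods[u["dn"]] = change
    return mods

def sample():  # constructed entries, not real directory data
    groups = [{"dn": "CN=Domain Users", "objectSid": "S-1-5-21-1-2-3-513"}]
    users = [{"dn": f"CN={n}", "sAMAccountName": n, "primaryGroupID": "513"}
             for n in ("alice", "krbtgt", "bob")]
    return users, groups
```

Because the counter only moves forward, removing the highest-numbered user does not free its uidNumber for the next account, which is the problem the post notes with MAX(uidNumber).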