[Samba] Automatically assigning uidNumber / gidNumber attributes
jonathon.reinhart at gmail.com
Wed Jun 5 20:12:45 UTC 2019

I'm working on a script to automatically assign uidNumber and gidNumber
attributes to users. I have a few questions:

1) Which users should be excluded from this assignment?

I'm currently using this LDAP filter (simplified syntax used here):

(objectClass=user) & (objectCategory=Person) & ~(sAMAccountName=krbtgt*)

Specifically, based on recent conversations, I'm wondering if
Administrator should have uidNumber assigned.

2) Which groups should be excluded?

I'm currently using:

In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
I'm assuming that means it should be avoided? What other groups should
be avoided, and why?

3) Should I assign user gidNumbers?

I'm assigning user gidNumber by resolving their primaryGroupID RID to
the group, and copying that gidNumber. As I understand, the idmap_ad
plugin for Winbind applies this same logic if unix_primary_group is set
to "no" (the default). Is there any reason that my script should not set

I'm using the range 100000-200000 for both uidNumber and gidNumber. From
everything I've read this shouldn't conflict with anything, even if I
extend it up towards 1M.

My script stores the "next uidNumber" and "next gidNumber" to assign in
a local file. I could use MAX(uidNumber) but that could be problematic
if the highest-valued user is deleted. It'd be great if I could somehow
store these values in LDAP, but I'm not seeing a way to do that.

I intend to release the script as open-source after it gets a few miles
on it :-)
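
The allocation logic described in the post (persisted "next" counters in the 100000-200000 range, user gidNumber copied from the group whose RID matches primaryGroupID), as an added example that is not the poster's script. It operates on constructed in-memory entries instead of a live directory; the dict layout, function names and counter file are assumptions, and because the post's group filter is not shown, every sample group receives a gidNumber.

```python
import json
import os

ID_MIN, ID_MAX = 100000, 200000  # range stated in the post

def load_state(path):
    """Read the persisted next-ID counters; start at ID_MIN on the first run."""
    if os.path.exists(path):
        with open(path) as f:
            return json.load(f)
    return {"uid": ID_MIN, "gid": ID_MIN}

def take(state, kind):
    """Hand out the next ID and advance the counter, so no value is reused."""
    value = state[kind]
    if value > ID_MAX:
        raise RuntimeError(f"{kind} range {ID_MIN}-{ID_MAX} exhausted")
    state[kind] = value + 1
    return value

def wanted_user(e):
    """The post's simplified user filter, applied to an in-memory entry."""
    return ("user" in e["objectClass"] and e.get("objectCategory") == "Person"
            and not e["sAMAccountName"].startswith("krbtgt"))

def assign(entries, state_path):
    """Fill in missing uidNumber/gidNumber on dict entries (hypothetical format)."""
    state = load_state(state_path)
    groups = [e for e in entries if "group" in e["objectClass"]]
    for g in groups:
        if "gidNumber" not in g:
            g["gidNumber"] = take(state, "gid")
    # primaryGroupID is a RID: the last component of the primary group's SID.
    by_rid = {int(g["objectSid"].rsplit("-", 1)[1]): g["gidNumber"] for g in groups}
    for u in filter(wanted_user, entries):
        if "uidNumber" not in u:
            u["uidNumber"] = take(state, "uid")
        u["gidNumber"] = by_rid[u["primaryGroupID"]]
    with open(state_path + ".tmp", "w") as f:
        json.dump(state, f)
    os.replace(state_path + ".tmp", state_path)  # atomic swap of the counter file
    return entries

def sample_entries():
    """Constructed sample data; the domain SID is made up."""
    sid = "S-1-5-21-1111-2222-3333"
    user = {"objectClass": ["person", "user"], "objectCategory": "Person", "primaryGroupID": 513}
    return [{"sAMAccountName": "Domain Users", "objectClass": ["group"], "objectSid": sid + "-513"},
            dict(user, sAMAccountName="alice"), dict(user, sAMAccountName="krbtgt"),
            dict(user, sAMAccountName="bob")]
```

Removing the highest-numbered user and calling `assign` again gives the next new user a fresh uidNumber, because the counter file rather than MAX(uidNumber) decides the next value.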