[Samba] Automatically assigning uidNumber / gidNumber attributes

Jonathon Reinhart jonathon.reinhart at gmail.com
Wed Jun 5 20:12:45 UTC 2019


I'm working on a script to automatically assign uidNumber and gidNumber
attributes to users. I have a few questions:

1) Which users should be excluded from this assignment?

I'm currently using this LDAP filter (simplified syntax used here):
(objectClass=user) & (objectCategory=Person) & ~(sAMAccountName=krbtgt*)

Specifically, based on recent conversations, I'm wondering if
Administrator should have uidNumber assigned.

2) Which groups should be excluded?

I'm currently using:

In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
gidNumber attribute."

I'm assuming that means it should be avoided? What other groups should
be avoided, and why?

3) Should I assign user gidNumbers?

I'm assigning user gidNumber by resolving their primaryGroupID RID to
the group, and copying that gidNumber. As I understand, the idmap_ad
plugin for Winbind applies this same logic if unix_primary_group is set
to "no" (the default). Is there any reason that my script should not set


I'm using the range 100000-200000 for both uidNumber and gidNumber. From
everything I've read this shouldn't conflict with anything, even if I
extend it up towards 1M.

My script stores the "next uidNumber" and "next gidNumber" to assign in
a local file. I could use MAX(uidNumber) but that could be problematic
if the highest-valued user is deleted. It'd be great if I could somehow
store these values in LDAP, but I'm not seeing a way to do that.

I intend to release the script as open-source after it gets a few miles
on it :-)

Best regards,
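
The allocation logic described in the message above, as an added example that is not part of the original post or of the author's script. It contrasts a persistent "next ID" counter with MAX(uidNumber): the latter hands a deleted user's uidNumber to the next account, which then owns any files the old uidNumber still owns. The names `Counter`, `max_plus_one`, `gid_from_primary_group` and the JSON counter file are hypothetical, and the directory entries are constructed dicts rather than LDAP results.

```python
import json
import os
import tempfile

UID_RANGE = (100000, 200000)  # range stated in the post

class Counter:
    """Persistent high-water mark: an ID handed out once is never reissued."""
    def __init__(self, path, lo, hi):
        self.path, self.lo, self.hi = path, lo, hi

    def allocate(self, in_use):
        nxt = self.lo
        if os.path.exists(self.path):
            with open(self.path) as f:
                nxt = json.load(f)["next"]
        # Also step past any ID already present in the directory.
        nxt = max(nxt, max(in_use, default=self.lo - 1) + 1)
        if nxt > self.hi:
            raise RuntimeError("ID range exhausted")
        # Write then rename, so a crash cannot leave a truncated counter file.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"next": nxt + 1}, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)
        return nxt

def max_plus_one(in_use, lo):
    """The MAX(uidNumber) approach, for comparison."""
    return max(in_use, default=lo - 1) + 1

def gid_from_primary_group(user, groups, domain_sid):
    """Map primaryGroupID (a RID) to that group's gidNumber, or None if unset."""
    sid = f"{domain_sid}-{user['primaryGroupID']}"
    return next((g.get("gidNumber") for g in groups if g["objectSid"] == sid), None)

def demo():
    # Constructed scenario: two users get IDs, then the highest one is deleted.
    path = os.path.join(tempfile.mkdtemp(), "next_uid.json")
    ctr = Counter(path, *UID_RANGE)
    uids = {}
    for name in ("alice", "bob"):
        uids[name] = ctr.allocate(uids.values())
    freed = uids.pop("bob")
    naive = max_plus_one(uids.values(), UID_RANGE[0])  # reuses bob's uidNumber
    safe = ctr.allocate(uids.values())                 # skips past it
    return freed, naive, safe
```
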
