[Samba] Automatically assigning uidNumber / gidNumber attributes

Rowland Penny rpenny at samba.org
Wed Jun 5 20:40:40 UTC 2019

On 05/06/2019 21:12, Jonathon Reinhart via samba wrote:
> All,
> I'm working on a script to automatically assign uidNumber and gidNumber
> attributes to users. I have a few questions:
> 1) Which users should be excluded from this assignment?
Any you want to be visible to Unix
> I'm currently using this LDAP filter (simplified syntax used here):
> (objectClass=user) & (objectCategory=Person) & ~(sAMAccountName=krbtgt*)
Try (&(objectCategory=person)(objectClass=user)) or 
> Specifically, based on recent conversations, I'm wondering if
> Administrator should have uidNumber assigned.
No, this would turn it into a normal Unix user
> 2) Which groups should be excluded?
Just about all the groups that a provision provides, with the exception 
of Domain Users
> I'm currently using:
> (objectClass=group)
> https://lists.samba.org/archive/samba/2019-June/223478.html
> In this post, Rowland said "Oh good, 'Domain Admins' doesn't have a
> gidNumber attribute."
Domain Admins is a group that must own files in Sysvol. Samba runs on 
Unix and groups cannot own files on Unix, so Domain Admins is mapped as 
ID_TYPE_BOTH in idmap.ldb on the DC, this makes Domain Admins a group 
and a user. If you give Domain Admins a gidNumber attribute, it becomes 
just a group and cannot own files.
> I'm assuming that means it should be avoided? What other groups should
> be avoided, and why?
See above.
> 3) Should I assign user gidNumbers?
This is entirely up to you, they will only really be used if you use 
'idmap config DOMAIN : unix_primary_group = yes'
> I'm assigning user gidNumber by resolving their primaryGroupID RID to
> the group, and copying that gidNumber. As I understand, the idmap_ad
> plugin for Winbind applies this same logic if unix_primary_group is set
> to "no" (the default). Is there any reason that my script should not set
> gidNumber?
> ---
If you do the above, there is absolutely no point in setting the 
gidNumber attribute on a user.
> I'm using the range 100000-200000 for both uidNumber and gidNumber. From
> everything I've read this shouldn't conflict with anything, even if I
> extend it up towards 1M.
This is not a problem, a user with the uidNumber '10000' will never be 
mistaken for a group with the same ID
> My script stores the "next uidNumber" and "next gidNumber" to assign in
> a local file. I could use MAX(uidNumber) but that could be problematic
> if the highest-valued user is deleted. It'd be great if I could somehow
> store these values in LDAP, but I'm not seeing a way to do that.

Why not use the two attributes Microsoft used:


You just need to know where to store them ;-)
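The selection and numbering rules discussed in this thread, as an added Python example that is not code from either poster. It assumes directory entries arrive as plain dicts (the sample ones are constructed, under example.com), that the caller supplies the list of provisioned group names, and that `counters` is whatever the script persists between runs; the function names are hypothetical.

```python
ID_MIN, ID_MAX = 100000, 200000      # range quoted in the thread
# Filter from the reply plus the poster's krbtgt exclusion, in standard LDAP syntax.
USER_FILTER = "(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=krbtgt*)))"
SKIP_USERS = {"administrator"}       # a uidNumber would make it a normal Unix user
KEEP_PROVISIONED = {"domain users"}  # the one provisioned group that gets a gidNumber

def wants_id(entry, provisioned):
    """Return 'uidNumber', 'gidNumber' or None for one directory entry."""
    name = entry["sAMAccountName"].lower()
    classes = entry["objectClass"]
    if "group" in classes:
        skip = name in provisioned and name not in KEEP_PROVISIONED
        return None if skip or "gidNumber" in entry else "gidNumber"
    # Machine accounts also carry objectClass=user; objectCategory=person drops them.
    if "user" in classes and "computer" not in classes:
        skip = name in SKIP_USERS or name.startswith("krbtgt")
        return None if skip or "uidNumber" in entry else "uidNumber"
    return None

def plan(entries, provisioned_groups, counters):
    """Map DN -> (attribute, value); advances `counters` so IDs are never reused."""
    provisioned = {g.lower() for g in provisioned_groups}
    in_use = {a: {int(e[a]) for e in entries if a in e} for a in ("uidNumber", "gidNumber")}
    changes = {}
    for entry in entries:
        attr = wants_id(entry, provisioned)
        if attr is None:
            continue
        value = max(counters.get(attr, ID_MIN), ID_MIN)
        while value in in_use[attr]:          # step over IDs already set by hand
            value += 1
        if value > ID_MAX:
            raise RuntimeError(f"{attr} range {ID_MIN}-{ID_MAX} exhausted")
        changes[entry["dn"]] = (attr, value)
        in_use[attr].add(value)
        counters[attr] = value + 1            # persist this; MAX() breaks after deletions
    return changes

# Constructed sample data (example.com), not output from a real domain.
PROVISIONED = ["Domain Admins", "Domain Users", "Domain Guests"]
def sample_entry(name, *classes, **attrs):
    return {"dn": f"CN={name},CN=Users,DC=example,DC=com", "sAMAccountName": name,
            "objectClass": list(classes), **attrs}
SAMPLE = [sample_entry("Administrator", "user"), sample_entry("krbtgt", "user"),
          sample_entry("alice", "user"), sample_entry("Domain Admins", "group"),
          sample_entry("Domain Users", "group"), sample_entry("staff", "group")]

if __name__ == "__main__":
    print(plan(SAMPLE, PROVISIONED, {}))
```

Users get no gidNumber here, matching the reply's point that it is only used with `unix_primary_group = yes`.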

