[Samba] Samba + sssd deployment: success and failure

Rowland penny rpenny at samba.org
Thu Jun 13 16:41:07 UTC 2019

On 13/06/2019 17:17, Goetz, Patrick G via samba wrote:
> On 6/13/19 10:48 AM, Alexey A Nikitin via samba wrote:
>> According to the MS docs SID=('S-'+version+identifier authority value+domain or computer identifier+RID). The SIDs that don't contain RID are the special cases of Machine SID, Domain SID, Service SID, and some predefined universal well-known SIDs [1]. According to the common use in MS tools SID encompasses RID. And even in Samba (wbinfo immediately comes to mind) SID also encompasses RID. More generally, the definition of SID is a unique identifier for a security principal, and to match that definition one security principal within a domain (or a local machine) has to be distinguished from another security principal within the same domain or machine, which is achieved through the RID part of the SID. So, RID is just a (sometimes optional, but in those contexts "SID+RID" also doesn't make any sense) part of SID, not a separate and independent piece.
> I think the relevant question (and the reason this came up) is that I
> want the UID mapping to be:
>       linux UID = domain RID
> I was calling it an SID (which, based on talking to Windows admins, I'm
> surmising is understood to mean RID, depending on context).  Anyway,
> that was the genesis of this discussion.  To give a concrete example,
> Running this command on one of sssd linux domain members:
> root at kraken:/home/pgoetz# getent passwd pgoetz
> pgoetz:*:1562224688:1007000513:Goetz Patrick G (pgoetz):/home/pgoetz:/bin/bash
> 1562224688 is my domain RID, 1007000513 is the RID for the Domain Users
> group:

I doubt very much that your Windows RID is '1562224688', well not unless 
you have an extremely large domain; it is more likely to be '4688'.

If you want your Unix ID to be exactly the same as your Windows RID, you 
could use the winbind 'rid' backend and use lines similar to these:

idmap config DOMAIN : backend = rid

idmap config DOMAIN : range = 0-a_number_larger than the largest_RID_in_AD

With that getent would return something like this:

pgoetz:*:4688:513:Goetz Patrick G

However, I wouldn't recommend that range; you couldn't have any local users.
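As an added illustration of the two points made in this exchange (the RID is the last sub-authority of a SID, and winbind's 'rid' backend maps Unix ID = RID - base_rid + range low), here is a small Python script. It is not code from the thread or from Samba; the SID strings, idmap range lines and passwd lines in it are constructed sample values, and the `local_uid_collisions` check is an added helper that shows why a range starting at 0 leaves no room for local accounts.

```python
"""Parse Windows SIDs and compute the Unix ID winbind's 'rid' idmap backend
would assign.

Added example for this thread, not code from Samba or from any poster.
The SID layout S-<revision>-<authority>-<sub-authorities...> is the one
described in the thread; the mapping formula ID = RID - BASE_RID + LOW_RANGE_ID
is the one documented for idmap_rid(8). All SIDs, ranges and passwd lines
below are constructed sample values, not real domain data.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
_RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$")


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    def is_domain_principal(self) -> bool:
        """True for S-1-5-21-<a>-<b>-<c>-<RID>: a user, group or computer in
        an NT-style domain. The bare domain SID S-1-5-21-<a>-<b>-<c> and
        well-known SIDs such as S-1-1-0 carry no RID in this sense."""
        return (self.authority == 5 and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21)

    @property
    def rid(self) -> Optional[int]:
        """Relative identifier: the last sub-authority of a domain principal."""
        return self.sub_authorities[-1] if self.is_domain_principal() else None

    @property
    def domain_sid(self) -> Optional[str]:
        """The SID with its RID stripped, i.e. the identifier of the domain."""
        if not self.is_domain_principal():
            return None
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.sub_authorities[:-1]))


def parse_sid(text: str) -> Sid:
    """Split 'S-1-5-21-...' into revision, authority and sub-authorities."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID string: %r" % text)
    revision, authority, rest = m.groups()
    subs = tuple(int(s) for s in rest.split("-")[1:])  # rest starts with '-'
    return Sid(int(revision), int(authority), subs)


def parse_idmap_range(line: str) -> Tuple[str, int, int]:
    """Parse an smb.conf line of the form 'idmap config DOM : range = LOW-HIGH'."""
    m = _RANGE_RE.match(line)
    if not m:
        raise ValueError("not an idmap range line: %r" % line)
    dom, low, high = m.group(1), int(m.group(2)), int(m.group(3))
    if low > high:
        raise ValueError("range low %d exceeds high %d" % (low, high))
    return dom, low, high


def rid_backend_id(sid: Sid, low: int, high: int, base_rid: int = 0) -> Optional[int]:
    """Unix ID for a domain principal under the 'rid' backend:
    ID = RID - base_rid + low. Returns None when the SID has no RID or the
    result falls outside [low, high], which winbind treats as unmappable."""
    rid = sid.rid
    if rid is None:
        return None
    unix_id = rid - base_rid + low
    if unix_id < low or unix_id > high:
        return None
    return unix_id


def local_uid_collisions(low: int, high: int, passwd_text: str) -> List[str]:
    """Names of local accounts whose uid lies inside the idmap range. A
    non-empty result is the overlap warned about above: local and domain
    accounts would compete for the same ids."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if low <= int(fields[2]) <= high:
            hits.append(fields[0])
    return hits


# Constructed sample data: a fictitious domain and two principals in it.
SAMPLE_USER = "S-1-5-21-1111111111-2222222222-3333333333-4688"
SAMPLE_GROUP = "S-1-5-21-1111111111-2222222222-3333333333-513"  # Domain Users
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"
                 "alice:x:1000:1000:Local Alice:/home/alice:/bin/bash\n")

if __name__ == "__main__":
    for cfg in ("idmap config SAMDOM : range = 0-999999",
                "idmap config SAMDOM : range = 10000-999999"):
        _, low, high = parse_idmap_range(cfg)
        for s in (SAMPLE_USER, SAMPLE_GROUP):
            print(cfg, "|", s, "->", rid_backend_id(parse_sid(s), low, high))
        print("  local accounts inside range:",
              local_uid_collisions(low, high, SAMPLE_PASSWD))
```

With the first range the user maps to uid 4688 and Domain Users to gid 513, exactly as in the reply above, but root, nobody and the local user alice all sit inside the same range; with a range starting at 10000 the same principals land at 14688 and 10513, and only nobody (65534) still overlaps, which is why a range starting well above local uids is the usual choice.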

