[Samba] How are user and group SID's generated?
Rowland Penny
rpenny at samba.org
Tue Mar 31 14:15:44 UTC 2020
On 31/03/2020 14:29, Dan Stevenson wrote:
>
> Rowland,
>
> No problem, thanks for replying.
>
>
>
> I use a shell script to add users and set permissions. The actual
> adding of new users to the shell and setting Samba passwords is just
> done by the standard useradd and pdbedit commands. I do not use sssd.
>
Ah, light dawns, if you use pdbedit, then you are adding things to the
SAM on a standalone server that you only need on a PDC.
>
>
> Here is an example of what happens when I add a user and Samba creates an
> SID for that user which is an exact duplicate of an existing group SID.
>
> Before adding the new user I can check to verify the SID for my
> "management" group like so:
>
>> sudo net groupmap list
>> management (*S-1-5-21-979328919-1982131190-3311040992-1026*) ->
>> management
>
> If I check the properties of the /Apps/managers folder from a Windows
> workstation that has a drive mapped to the /Apps share and look at the
> security tab I can see that the "management" group is listed and has
> full permission as it should be. I would provide a screenshot but I
> don't believe that is supported in the mailing list?
>
> I would like to know how Samba determines what SID to assign to a new
> user and if there is a way I can limit the generated user SIDs to a
> range that will never overlap with my group SIDs?

That is what I was saying, you have a standalone server, so you don't
need to bother with the SID, perhaps reading this might help:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Standalone_Server

Basically it boils down to creating a user with the unix tools: useradd

You then make them Samba users: smbpasswd -a username

It sounds like you are either trying too hard, or not hard enough ;-)
By that I mean, you seem to want to run a domain, but don't want to
actually set one up.

Rowland
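
The overlap described in the quoted message (a new user receiving a SID that an existing group mapping already holds) can be checked by comparing the two listings. The script below is an added example, not part of the original posts: the sample listings and the user names alice and bob are constructed, and it assumes the "Unix username:" and "User SID:" fields printed by pdbedit -L -v.

```shell
#!/bin/sh
# Added example (not from the thread): list Samba users whose SID is also a group SID.

# Constructed sample in the `net groupmap list` format quoted in the thread.
SAMPLE_GROUPMAP='management (S-1-5-21-979328919-1982131190-3311040992-1026) -> management
staff (S-1-5-21-979328919-1982131190-3311040992-1027) -> staff'

# Constructed sample of `pdbedit -L -v` output, trimmed to the fields used here.
SAMPLE_PDBEDIT='Unix username:        alice
User SID:             S-1-5-21-979328919-1982131190-3311040992-1004
Primary Group SID:    S-1-5-21-979328919-1982131190-3311040992-513
Unix username:        bob
User SID:             S-1-5-21-979328919-1982131190-3311040992-1026
Primary Group SID:    S-1-5-21-979328919-1982131190-3311040992-513'

# stdin: group map listing -> one SID per line. Matching on the SID pattern
# alone tolerates wrapped lines and mail-client markers around the value.
group_sids() {
    grep -oE 'S-1-[0-9]+(-[0-9]+)+' | sort -u
}

# stdin: verbose pdbedit listing -> "username SID" per account.
# "Primary Group SID:" lines are ignored because they do not start with "User SID:".
user_sids() {
    awk '/^Unix username:/ { u = $3 } /^User SID:/ { print u, $3 }'
}

# $1: group map listing, $2: pdbedit listing -> "username SID" for every user
# whose SID is identical to a mapped group SID.
sid_collisions() {
    _group_sids=$(printf '%s\n' "$1" | group_sids)
    printf '%s\n' "$2" | user_sids | while read -r _user _sid; do
        [ -n "$_sid" ] || continue
        if printf '%s\n' "$_group_sids" | grep -qxF -- "$_sid"; then
            printf '%s %s\n' "$_user" "$_sid"
        fi
    done
}

# On a live server (as root): sid_collisions "$(net groupmap list)" "$(pdbedit -L -v)"
sid_collisions "$SAMPLE_GROUPMAP" "$SAMPLE_PDBEDIT"
```

Any line it prints names an account that Windows clients will resolve to the same SID as a group, so ACL entries granted to that group also apply to the user.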