[Samba] How are user and group SID's generated?

Rowland Penny rpenny at samba.org
Tue Mar 31 14:15:44 UTC 2020

On 31/03/2020 14:29, Dan Stevenson wrote:
> Rowland,
> No problem, thanks for replying.
> I use a shell script to add users and set permissions. The actual 
> adding of new users to the shell and setting Samba passwords is just 
> done by the standard useradd and pdbedit commands. I do not use sssd.
Ah, light dawns, if you use pdbedit, then you are adding things to the 
SAM on a standalone server that you only need on a PDC.
> Here is example of what happens when I add a user and Samba creates an 
> SID for that user which is an exact duplicate of an existing group SID.
> Before adding the new user I can check to verify the SID for my 
> "management" group like so:
>> sudo net groupmap list
>> management (*S-1-5-21-979328919-1982131190-3311040992-1026*) -> 
>> management
> If I check the properties of the /Apps/managers folder from a Windows 
> workstation that has a drive mapped to the /Apps share and look at the 
> security tab I can see that the "management" group is listed and has 
> full permission as it should be. I would provide a screenshot but I 
> don't believe that is supported in the mailing list?
> I would like to know how Samba determines what SID to assign to a new 
> user and if there is a way I can limit the generated user SID's to a 
> range that will never overlap with my group SID's?

That is what I was saying, you have a standalone server, so you don't 
need to bother with the SID, perhaps reading this might help:


Basically it boils down to creating a user with the unix tools: useradd

You then make them Samba users: smbpasswd -a username

It sounds like you are either trying too hard, or not hard enough ;-)

By that I mean, you seem to want to run a domain, but don't want to 
actually set one up.

