[Samba] Problems with groups, minimum gidnumber?

[Harald Hannelius]

On Fri, 15 May 2020, Rowland penny via samba wrote:
> On 15/05/2020 16:33, Harald Hannelius wrote:
>> If there's a way to copy the sambaNTPassword password-hash from the LDAP 
>> for the Samba 3 DC with samba-tool I would have loved to find that 
>> information long ago :)
> Why do you need the sambaNTPassword ?

So the users would have the same password. I don't have time to wait for our 
IDM to change the passwords one by one.

>> So the "idmap config sad:range" is for both uid's and gid's? There's no 
>> separate range for gid's?
> No, they both use the same range.

I see.

>> I have read these, and followed the instructions. What I don't understand 
>> is why one user uid 510, gid 100 works with all groups and another user 
>> with uid 527, gid 100 doesn't.
>> 
>> What isn't clear is are really uid's and gid's in the same number space in 
>> Samba? What if a user has the same uid as a group's gid?
> Because the user or group object in AD has a unique SID, this is what counts 
> for authentication.
>
> As in most cases, it looks like you might have been better off creating a 
> totally new AD domain with new Unix UID & GID numbers, this would have 
> allowed you to get away for the big mistake that was made with NT4-style 
> domains, using the RID as the Unix ID.

That migh be true. I have two large filesystems with users and groups that 
would have required migration in that case. Which would have been an even 
greater mess I think.

But since my users now have uidNumber: in AD, don't they use that as uid and 
not the RID?

-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020