[Samba] Get last uidNumber

Andrew Bartlett abartlet at samba.org
Sun Feb 14 23:48:36 UTC 2021 

On Tue, 2020-11-03 at 11:38 -0500, Jonathon Reinhart via samba wrote:
> On Tue, Nov 3, 2020 at 11:25 AM basti via samba <
> samba at lists.samba.org> wrote:
> > Hello,
> > is there a way to get the last uidNumber from ldap.
> > 
> > I can do a ldapsearch like:
> > 
> > ldapsearch -h samdom.example.com -D "
> > administrator at samdom.example.com"
> > -w "changeit"  -b "DC=samdom,DC=example,DC=com" -x -LLL
> > "(uidNumber=*)"
> > uidNumber | grep -Po "(?<=uidNumber: )([0-9]{4})" | sort | tail -n1
> > 
> > But there is no guarantee that the last returned numer is the last
> > uidNumber in LDAP.
> > 
> > Is there a limit set by samba how many lines are returned by a
> > query?
> > Is there a attribute where the last number is stored?
> > 
> > Best Regards
> 
> Hi, it looks like you're trying to assign uidNumber automatically. A
> couple things:
> 
> See this post where Rowland suggested using these attributes to store
> the maximum value in LDAP. (These are not automatically calculated,
> your script would need to keep them updated.)
> 
> - msSFU30MaxUidNumber
> - msSFU30MaxGidNumber

Just be aware that these are not multi-master update safe to update. 

If your domain can get out of sync, just be aware that if your tool is
pointed at an 'older' DC, it could allocate the same UID twice. 

> https://lists.samba.org/archive/samba/2019-June/223499.html
> 
> But also, check out my project ADMan, which does several things, one
> of which is assign uidNumber / gidNumber attributes to new users:
> 
> https://gitlab.com/JonathonReinhart/adman/

Cool.

One thing I would love is to get the uidNumber/gidNumber assignment
into Samba.  I would use something like the algorithm from idmap_sssd
to pick a 'pretty much likely to be unique UID' based on the RID and
then store it forever in the uidNumber.

In the meantime I would suggest to try to do an LDAP atomic update of
the msSFU30MaxUidNumber regardless. 
See https://ldapwiki.com/wiki/LDIF%20Atomic%20Operations for what I
mean.

Sadly Samba as an ideal POSIX directory remains on my 'todo' list.  

Some ideas are here:
https://wiki.samba.org/index.php/Better_Posix_AD

Andrew Bartlett

> Regards,
> Jonathon
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

More information about the samba mailing list