[Samba] Samba3 sambaSID calculation from 32-bit uidNumber?

Rowland penny rpenny at samba.org
Fri Mar 12 16:35:36 UTC 2021


On 12/03/2021 16:14, Harald Hannelius wrote:
>
> On Fri, 12 Mar 2021, Rowland penny via samba wrote:
>
>> On 12/03/2021 15:02, Harald Hannelius via samba wrote:
>>>
>>>
>>> Does anyone know how the sambaSID suffix is calculated when the 
>>> uidNumber is a 32-bit integer?
>>>
>>> The formula was $uidNumber * 2 + 1000
>>>
>>> When checking our current users, my uid 5xx checks out correct, but 
>>> the ones that are larger than 65536 don't seem to follow that 
>>> calculation.
>>>
>>> Thanks,
>>>
>>>   a dinosaur
>>>
>>
>> Sheesh, that is old 😁
>
> Hey! Not *that* old...
>
>> It was actually '1000 + ($UnixID * 2)' and the result (RID) was 
>> appended to the end of the Samba created SID. As the largest Unix ID 
>> is 65536 (unless you have changed it), I cannot see how you can have 
>> a RID greater than 132072.
>
> Unix (and Linux) systems these days have 32-bit Unix ID numbers. Linux 
> from 2.4 in 2001 I think.


They might have, but (on Debian):

grep '^UID_MAX' /etc/login.defs | awk '{print $NF}'

produces:

60000

>
> It isn't really an issue. We're shutting down the Samba+LDAP 3.6 
> domain but still have a service that checks passwords directly from 
> the sambaNTPassword attribute (freeradius).


Wise decision, everything about that has 'INSECURE' written all over it 😂

>
> I don't think it matters what I write into the "MUST" attribute of 
> sambaSID, but I'm curious as always. It might work as well if we just 
> use the same *2 and + 1000 for 32-bit uidNumbers but my curiosity woke 
> when I noticed that it doesn't match new users.
>

Yes, it shouldn't matter, but if you are scripting user & group 
creation, then the method shouldn't have changed.

Rowland
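
Added example (not part of the original message, and not Samba's own code): a small audit that applies the '1000 + ($UnixID * 2)' formula quoted above to exported LDAP entries and reports which sambaSID values follow it, which do not, and which uidNumbers would push the result past the 32-bit RID range. The LDIF sample, the domain SID, the user names and the function names are all constructed for illustration; the parser assumes plain, unfolded "attr: value" lines.

```python
import re

RID_BASE = 1000          # offset from the formula quoted in the thread
RID_MAX = 2**32 - 1      # a RID is an unsigned 32-bit value

# Constructed sample LDIF; the domain SID and all users are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uidNumber: 500
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2000

dn: uid=bob,ou=People,dc=example,dc=org
uidNumber: 70000
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-141000

dn: uid=carol,ou=People,dc=example,dc=org
uidNumber: 70001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5012

dn: uid=dave,ou=People,dc=example,dc=org
uidNumber: 4294967294
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1234
"""

def expected_rid(uid):
    """Return 1000 + uid*2, or None when that no longer fits in 32 bits."""
    rid = RID_BASE + uid * 2
    return rid if rid <= RID_MAX else None

def audit(ldif):
    """Return a list of (dn, uidNumber, actual RID, expected RID, status)."""
    results = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        # Assumes unfolded, non-base64 "attr: value" lines (constructed input).
        attrs = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "uidNumber" not in attrs or "sambaSID" not in attrs:
            continue
        uid = int(attrs["uidNumber"])
        actual = int(attrs["sambaSID"].rsplit("-", 1)[1])  # RID = last sub-authority
        want = expected_rid(uid)
        status = ("overflow" if want is None
                  else "algorithmic" if actual == want else "mismatch")
        results.append((attrs["dn"], uid, actual, want, status))
    return results

if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(*row, sep="\t")
```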




