[Samba] UID translation mystery or Festivus miracle?

Rowland Penny rpenny at samba.org
Mon Jan 10 20:48:40 UTC 2022


On Mon, 2022-01-10 at 14:31 -0600, Patrick Goetz via samba wrote:
> 
> On 1/4/22 10:28, Rowland Penny via samba wrote:
> > On Tue, 2022-01-04 at 10:05 -0600, Patrick Goetz via samba wrote:
> > > About this, though:
> > > 
> > >   > The magic of 'id_type_both', Samba creates a usergroup if one does not
> > >   > exist.
> > > 
> > > I thought of this and used ADUC to look for a pgoetz group in the
> > > domain, but found none. Is this a persistent group, and if so,
> > > how/where is it stored that it can't be found by ADUC?
> > 
> > Sorry, I didn't tell you enough, you only get the usergroups on a Unix
> > domain member with the 'rid' backend (you may get them with the
> > 'autorid' backend, but I haven't tested it). If you look in idmap.ldb
> > on a DC, you will find 'ID_TYPE_BOTH', but it isn't shown by getent,
> > the same goes for the 'ad' backend on a Unix domain member. On a Unix
> > domain member using the 'rid' backend, you will get something like
> > this:
> > 
> > adminuser@deb11:~$ id rowland
> > uid=11107(rowland) gid=10513(domain_users) groups=10513(domain_users),11107(rowland).................
> > 
> > And
> > 
> > adminuser@deb11:~$ getent group rowland
> > rowland:x:11107:rowland
> > 
> > I can assure you that there isn't a group called 'rowland' anywhere, it
> > is all done in code.
> > 
> 
> This then begs 2 questions:
> 
>   - What then is actually stored in the file inode's GID field?
>     (say, when the underlying filesystem is ext4)
> 
>   - What is the purpose of doing this?
> 
> Also, are you sure the GID isn't physically stored, Rowland?
> 
> pgoetz@data2:~/old-data-server$ id pgoetz
> uid=11103(pgoetz) gid=11112(ea-staff) groups=11112(ea-staff),11103(pgoetz),11113(ea-admins),10513(domain users),3001(BUILTIN\users)
> 
> pgoetz@data2:~/old-data-server$ stat 6_Title-IV.xml
>    File: 6_Title-IV.xml
>    Size: 128853    	Blocks: 256        IO Block: 4096   regular file
> Device: 811h/2065d	Inode: 386924595   Links: 1
> Access: (0764/-rwxrw-r--)  Uid: (11103/  pgoetz)   Gid: (11103/  pgoetz)
> Access: 2021-09-04 22:06:03.868629689 -0500
> Modify: 2009-12-18 11:07:57.000000000 -0600
> Change: 2022-01-05 06:44:18.265214032 -0600
>   Birth: -
> 
> Is the stat command being fooled too?  I'm very curious about how this
> works.

Of course the GID/group is stored in the ACL, ACE etc. but it isn't
stored in AD, it is just created from the user's UID by code. It is
available to use, it is just something to be compatible with Unix. It
isn't something to worry about.

Rowland
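
The behaviour discussed in this thread can be checked from the Unix side. The following is an added example, not part of the original messages or of Samba's code: it parses the `id` output posted above to pick out the group that shares the user's number and name, and tests whether a stored number resolves in both the passwd and group databases. The function names are hypothetical, and the live lookups assume NSS is configured to use winbind.

```python
import grp
import os
import pwd
import re

# Output of `id pgoetz` as posted in the thread, joined onto one line.
ID_OUTPUT = ("uid=11103(pgoetz) gid=11112(ea-staff) "
             "groups=11112(ea-staff),11103(pgoetz),11113(ea-admins),"
             "10513(domain users),3001(BUILTIN\\users)")


def parse_id_output(text):
    """Parse `id` output into (uid, user, primary_gid, {gid: group_name})."""
    m = re.match(r"uid=(\d+)\(([^)]*)\) gid=(\d+)\([^)]*\) groups=(.*)",
                 text.strip())
    if not m:
        raise ValueError("unrecognised id output")
    groups = {int(g): n for g, n in re.findall(r"(\d+)\(([^)]*)\)", m.group(4))}
    return int(m.group(1)), m.group(2), int(m.group(3)), groups


def user_private_groups(text):
    """Return the groups whose number and name equal the user's uid and name."""
    uid, user, _, groups = parse_id_output(text)
    return {g: n for g, n in groups.items() if g == uid and n == user}


def resolves_as_both(xid, getpw=pwd.getpwuid, getgr=grp.getgrgid):
    """True if one number resolves in both the passwd and group databases."""
    try:
        getpw(xid)
        getgr(xid)
    except KeyError:
        return False
    return True


def file_group_is_user(path, getpw=pwd.getpwuid, getgr=grp.getgrgid):
    """True if the group number stored in the file's inode is also a user."""
    return resolves_as_both(os.stat(path).st_gid, getpw, getgr)


if __name__ == "__main__":
    print(user_private_groups(ID_OUTPUT))
```
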
 



