[Samba] xidNumber and gidNumber

Kees van Vloten keesvanvloten at gmail.com
Fri Sep 8 10:43:13 UTC 2023

Hi Rowland,

The other day you touched an interesting topic along the lines.

I have been assigning the default AD groups (all of them) such as 
'domain admins' and 'domain users' a gidNumber on my domains.

I am using rfc2307 everywhere, which is reflected by 'idmap config 
<domain>:backend = ad' and 'idmap config <domain>:schema_mode = 
rfc2307'  on member-servers.

Until yesterday there was 'idmap_ldb:use rfc2307 = yes' on the DCs, but 
as you correctly pointed out that makes the id resolving dependent on 
the state of winbind's cache and if wrong sysvol is broken. Fortunately 
I never had that issue but it is very dangerous. The option 
'idmap_ldb:use rfc2307 = yes' gets added automatically when you 
provision with '--use-rfc2307', so it needs explicit removal, good to 
know, thanks!

On the DCs (and only there) the default AD groups normally resolve to 
their xidNumber and rightfully so. With backend=ad they will *not* 
resolve to anything on member-servers if gidNumber is not set. That in 
turn is a problem for example with permissions on file-shares (as I want 
to grant permissions to 'domain users'), so I do want those groups to 
resolve to a gid on member-servers.

At the moment I assign them free gidNumbers from the designated range. 
As a result the gid on member-servers differs from the one (xidNumber) 
on the DCs. I have not had any troubles with that difference but I would 
think it is undesirable.

The easiest way to make them identical would be for Samba to present the 
xidNumbers over the wire to member-servers, but I guess no such option 
exists. Another way of getting it done is for my script to lookup gid 
(xidNumber) on the DC and put it in the gidNumber of that group.

What are your thoughts on this topic? Make them identical, better not do 
that or perhaps it does not matter at all?

- Kees.

More information about the samba mailing list