[Samba] xidNumber and gidNumber
Kees van Vloten
keesvanvloten at gmail.com
Fri Sep 8 10:43:13 UTC 2023
The other day you touched an interesting topic along the lines.
I have been assigning the default AD groups (all of them) such as
'domain admins' and 'domain users' a gidNumber on my domains.
I am using rfc2307 everywhere, which is reflected by 'idmap config
<domain>:backend = ad' and 'idmap config <domain>:schema_mode =
rfc2307' on member-servers.
Until yesterday there was 'idmap_ldb:use rfc2307 = yes' on the DCs, but
as you correctly pointed out that makes the id resolving dependent on
the state of winbind's cache and, if wrong, sysvol is broken. Fortunately
I never had that issue but it is very dangerous. The option
'idmap_ldb:use rfc2307 = yes' gets added automatically when you
provision with '--use-rfc2307', so it needs explicit removal, good to
On the DCs (and only there) the default AD groups normally resolve to
their xidNumber and rightfully so. With backend=ad they will *not*
resolve to anything on member-servers if gidNumber is not set. That in
turn is a problem for example with permissions on file-shares (as I want
to grant permissions to 'domain users'), so I do want those groups to
resolve to a gid on member-servers.
At the moment I assign them free gidNumbers from the designated range.
As a result the gid on member-servers differs from the one (xidNumber)
on the DCs. I have not had any troubles with that difference but I would
think it is undesirable.
The easiest way to make them identical would be for Samba to present the
xidNumbers over the wire to member-servers, but I guess no such option
exists. Another way of getting it done is for my script to look up the gid
(xidNumber) on the DC and put it in the gidNumber of that group.
What are your thoughts on this topic? Make them identical, better not do
that or perhaps it does not matter at all?
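An added audit script, not from this thread and not part of the Samba project, that reads an smb.conf and flags the two configuration points the post raises: 'idmap_ldb:use rfc2307 = yes' left in place on a DC after provisioning with '--use-rfc2307', and a member server using 'backend = ad' without 'schema_mode = rfc2307' or without a range. The two configs embedded in the script are constructed samples; the domain name EXAMPLE and the ranges are assumptions, and the parser only handles the simple 'key = value' lines shown (no backslash continuations).

```python
"""Audit smb.conf idmap settings discussed in the thread (constructed example).

Not Samba code. Flags 'idmap_ldb:use rfc2307 = yes' on a DC, where id
resolution would then depend on winbind's cache, and checks that a member
server using 'backend = ad' also sets 'schema_mode = rfc2307' and a range.
"""
import re

# Constructed sample: what a DC looks like after 'samba-tool domain provision
# --use-rfc2307' if the option is never removed. Domain/realm are assumptions.
DC_CONF = """
[global]
    server role = active directory domain controller
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    idmap_ldb:use rfc2307 = yes
"""

# Constructed sample of a member server reading uid/gidNumber from AD.
MEMBER_CONF = """
[global]
    server role = member server
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config EXAMPLE : backend = ad
    idmap config EXAMPLE : schema_mode = rfc2307
    idmap config EXAMPLE : range = 10000-999999
"""

# Spellings of the AD DC role accepted by smb.conf's 'server role'.
DC_ROLES = ("active directory domain controller", "domain controller", "dc")


def parse_smb_conf(text):
    """Return {section: {key: value}} for simple smb.conf text.

    Keys are lower-cased with whitespace removed, mirroring Samba's
    case- and space-insensitive parameter names, so
    'idmap config EXAMPLE : backend' becomes 'idmapconfigexample:backend'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def is_true(value):
    """Boolean test in the spirit of smb.conf (yes/true/1)."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_idmap(text):
    """Return a list of finding strings; an empty list means nothing to report."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    role = g.get("serverrole", "").lower()
    if role in DC_ROLES:
        # The post's point: on a DC this option ties id resolution to
        # winbind's cache state; provisioning adds it, so it must be removed.
        if is_true(g.get("idmap_ldb:userfc2307", "no")):
            findings.append("DC: 'idmap_ldb:use rfc2307 = yes' is set; remove it")
        return findings
    # Member server: every 'idmap config <dom> : backend = ad' needs the
    # rfc2307 schema mode (so gidNumber is read from AD) and a range.
    for key, value in g.items():
        m = re.match(r"^idmapconfig(.+):backend$", key)
        if not m or value.lower() != "ad":
            continue
        dom = m.group(1)
        if g.get(f"idmapconfig{dom}:schema_mode", "").lower() != "rfc2307":
            findings.append(f"member: idmap config {dom}: backend = ad "
                            "without schema_mode = rfc2307")
        if f"idmapconfig{dom}:range" not in g:
            findings.append(f"member: idmap config {dom}: backend = ad has no range")
    return findings


if __name__ == "__main__":
    for name, conf in (("DC", DC_CONF), ("member", MEMBER_CONF)):
        print(name, audit_idmap(conf) or ["ok"])
```

Run it against a real /etc/samba/smb.conf by reading the file into `audit_idmap`; the DC sample above produces one finding until the 'idmap_ldb:use rfc2307' line is removed, and the member sample produces none.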