[Samba] Quick questions about uid, gid, uidNumber, gidNumber

Rowland Penny rpenny at samba.org
Tue Jul 9 16:52:46 UTC 2024


On Tue, 9 Jul 2024 13:02:54 -0300
Ricardo Campos via samba <samba at lists.samba.org> wrote:

> Hi.
> 
> I'm trying to fix a mistake I made: I installed an AD-DC, with the
> functions of a file server.
> 
> To solve this problem, I installed a new Samba on an Ubuntu box and
> configured it as defined in
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member.
> This would work as a file server. However, I now understand (a little
> more) the confusion among all these attributes like uid, gid,
> uidNumber, gidNumber.

You do have a problem: there isn't an AD attribute called 'gid' and the
'uid' attribute expects a name.

> 
> I cannot simply discard all the old attributes given to users and
> groups since they were used in the permissions of the unix file
> structure used in the shares, since there are sort of a million
> files and folders, whose permissions were defined using ACLs.
> 
> On the other hand, I feel insecure to simply remove all idmap
> attributes of the smb.conf in AD. I'm afraid this could disrupt the
> whole thing (despite all the trouble the system is running!).
> 
> So the question is what is the best approach to solve this mess. I
> envisage two possible solutions, both beginning with the
> configuration of the file server with "idmap config <domain> :
> backend = ad":
> 
> 1. keep this same AD I have, editing the smb.conf without the risk of
> wreaking havoc on the whole thing.
> 
> 2. installing a new AD but I'm not sure I could use the same uid's and
> gid's I have now, using them to configure the attributes uidNumber and
> gidNumber. The biggest problem I see is that I already have uid's in
> the range 3000000-3999999 

Where are these IDs in the '30000000' coming from?
Did you create them?
I think your first thing to understand is that Unix IDs are often
referred to as uid & gid numbers, but in AD there are the uidNumber &
gidNumber attributes; whilst they ultimately end up doing the same
thing, they are different.

> and I'm not sure if I can establish a new
> range for the AD like 3100000-3999999, so that I can keep the old
> ones.
> 
> Thanks for any help.
> 
> Ricardo

I think your best plan is to start again, but first get your head
around Samba AD idmapping. Do you really need to use the rfc2307
attributes? If not (and in my opinion you only need them if you need
the unixHomeDirectory & loginShell attributes) then use the 'rid' idmap
backend and allow Samba to set the user & group IDs from the object's
RID.

It might help if you post the smb.conf files from the DC and Unix
domain member.

Rowland
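
An added example, not part of the original message and not Samba's own code: how the 'rid' idmap backend derives a Unix ID from an object's RID, using the formula documented in idmap_rid(8) (ID = RID - BASE_RID + LOW_RANGE_ID). The domain SID and the 10000-999999 range are constructed sample values, and the function names are hypothetical.

```python
from __future__ import annotations

# Illustration of the idmap_rid(8) mapping formula; not Samba source code.
# Constructed sample values (assumptions, not taken from the thread):
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE_LOW, RANGE_HIGH = 10000, 999999  # "idmap config <domain> : range"
BASE_RID = 0                           # idmap_rid default


def split_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-1104' into (domain SID, RID)."""
    parts = sid.strip().split("-")
    if (len(parts) < 4 or parts[0].upper() != "S"
            or not all(p.isdigit() for p in parts[1:])):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def rid_to_unix_id(sid: str, domain_sid: str = DOMAIN_SID,
                   low: int = RANGE_LOW, high: int = RANGE_HIGH,
                   base_rid: int = BASE_RID) -> int | None:
    """Return the Unix ID for a SID, or None if this range cannot map it."""
    dom, rid = split_sid(sid)
    if dom.upper() != domain_sid.upper():
        return None                      # SID belongs to another domain
    unix_id = rid - base_rid + low       # ID = RID - BASE_RID + LOW_RANGE_ID
    return unix_id if low <= unix_id <= high else None


def unix_id_to_sid(unix_id: int, domain_sid: str = DOMAIN_SID,
                   low: int = RANGE_LOW, high: int = RANGE_HIGH,
                   base_rid: int = BASE_RID) -> str | None:
    """Reverse mapping: RID = ID + BASE_RID - LOW_RANGE_ID."""
    if not low <= unix_id <= high:
        return None                      # ID is not owned by this domain range
    return f"{domain_sid}-{unix_id + base_rid - low}"


if __name__ == "__main__":
    for rid in (513, 1104, 990000):      # constructed RIDs
        print(rid, "->", rid_to_unix_id(f"{DOMAIN_SID}-{rid}"))
    # An ID from the 3000000-3999999 range lies outside the sample range:
    print(3000005, "->", unix_id_to_sid(3000005))
```

Because the result depends only on the RID and the configured range, every domain member with the same range computes the same ID for the same object.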
 


