Jacob Seeley wrote:> Hello,
> My question revolves around 'User Private Groups'. I noticed my AD
users UID's do not have matching GID's. I came across the following:
>
>
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2596644
>
> This seems to indicate I cannot implement UPG because Windows will not
allow user and groups of the same name.
>
> From an administrative point of view, how do I handle this? Should I be
concerned about this? How will a non UPG setup be different for us Linux users
who are accustomed to having private groups? Essentially, I'm trying to
avoid any unforeseen pitfalls as a result of not having UPGs.
>   
----
    Well one pitfall I can think of -- is on the linux side. 
i.e. on Windows, you an put both users and groups in 'groups', and I
think
samba supports such nesting (needs enabling).  But then lets say you use
the idmap_rid -- How would you specify group-nesting as separate from
the user? 
FWIW , I allocate the groupid's w/users, but I alter the groupnames
for the ones I care to have working with any reliability.
I try to setup my groups to mirror the wingroups, though ran
into some problems with domain groups <=512...
But a snippet from my passwd file:
rsvd_Domain Users_g:x:513:513:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Guests_g:x:514:514:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Computers_g:x:515:515:Group-Reserved:/var/lib/nobody:/bin/bash
rsvd_Domain Controllers_g:x:516:516:Group-Reserved:/var/lib/nobody:/bin/bash
---
I do have the numbers reserved in both files so they line up.
I'm not happy with several limitations in the standard samba setup.. like
artificially limiting rids to >512 (which, means I'd have
to move groups/users as I'm using 'idmap_nss'.  But would
something similar work for you -- suffixes or prefixes?
But I also don't like that samba doesn't list back
its well-known groups - as those are often only well-known if they
you have a windows server.
Dumping out my non-domain, "well known groups" (and a few
domain groups at the end for comparison.  The number
in the middle is the unix GID...Note -- most of those
are not used anywhere and I put them in as reference,
and I noted a few inconsistencies...oh well...
Need 128 bit user numbers!... ;-)
(net groups list -- massaged;
                           S-1-0 :    10100 - Null Authority
                           S-1-1 :    10101 - World Authority
                           S-1-2 :    10102 - Local Authority
                           S-1-3 :    10103 - Creator Authority
                           S-1-4 :    10104 - Non-unique Authority
                           S-1-5 :    10105 - NT Authority
                         S-1-0-0 :    11000 - Nobody
                         S-1-1-0 :    11100 - Everyone
                         S-1-3-0 :    11300 - Creator Owner
                         S-1-3-1 :    11301 - Creator Group
                         S-1-3-2 :    11302 - Creator Owner Server
                         S-1-5-1 :    11501 - Dialup
                         S-1-5-2 :    11502 - Network
                         S-1-5-3 :    11503 - Batch
                         S-1-5-4 :    11504 - Interactive
                         S-1-5-6 :    11506 - Service
                         S-1-5-7 :    11507 - Anonymous
                         S-1-5-8 :    11508 - Proxy
                         S-1-5-9 :    11509 - Enterprise Domain Controllers
                        S-1-5-10 :    11510 - Principal Self
                        S-1-5-11 :    11511 - Authenticated Users
                        S-1-5-12 :    11512 - Restricted Code
                        S-1-5-13 :    11513 - TSUsersGroup
                        S-1-5-19 :    11519 - Local Service
                        S-1-5-20 :    11520 - Network Service
                     S-1-16-4096 : 11604096 - Low Mandatory Level
                     S-1-16-8192 : 11608192 - Medium Mandatory Level
                     S-1-16-8448 : 11608448 - Medium Plus Mandatory Level
                    S-1-16-12288 : 11612288 - High Mandatory Level
                    S-1-16-16384 : 11616384 - System Mandatory Level
                    S-1-5-32-516 :      516 - Domain Controllers
                    S-1-5-32-544 :      544 - Administrators
                    S-1-5-32-545 :      545 - Users
                    S-1-5-32-546 :      546 - Guests
                    S-1-5-32-547 :      547 - Power Users
                    S-1-5-32-548 :      548 - Account Operators
                    S-1-5-32-549 :      549 - Server Operators
                    S-1-5-32-550 :      550 - Print Operators
                    S-1-5-32-551 :      551 - Backup Operators
                    S-1-5-32-552 :      552 - Replicators
              S-1-5-21-1-2-3-512 :      512 - Domain Admins
              S-1-5-21-1-2-3-513 :      513 - Domain Users
              S-1-5-21-1-2-3-514 :      514 - Domain Guests
              S-1-5-21-1-2-3-515 :      515 - Domain Computers