Understood.
Just to confirm, there is no way to change the UID of users or manually
assign them? When I do id "user", I get just a UID and several group IDs;
I do not get anything that starts with an S. I do understand the SID from
Windows is tied somehow to the UID.

I cannot set up a trust on my end. The remote share is managed by a
different set of admins; their only option for me to connect is to have the
UIDs that match their database of UIDs. It is a closed network and the UIDs
they have for users are tied to a different authentication resource than our
network.

On Thu, Sep 5, 2019 at 10:30 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 05/09/2019 15:12, Tyrus Shivers via samba wrote:
> > Hello,
> >
> > I am using Winbind and Samba to tie in Linux VMs with a Windows DC for
> > authentication. The UIDs are automatically assigned when I create a new
> > user in Active Directory.
> As you are using the winbind 'rid' backend, I take it that UID => Windows SID
> >
> > I need to manually change the UIDs of my users to a UID that is used on
> > another network so they can access a specific share. How can I change the
> > UID successfully and still be able to authenticate with the DC. Also, how
> > can I manually assign UIDs in the future for new users?
>
> You cannot, the 'SID' will be in the format:
>
> S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-RID
>
> The 'xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' is what identifies the domain and
> the 'RID' will (for normal users and groups) be a unique number that
> is equal to or larger than '1000'.
>
> If you change the 'xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz' it becomes a
> different domain and will not be recognised by the existing domain and
> may cause it to fail. If you change the RID, it will become a different
> user, group or computer etc.
>
> > My smb.conf is below:
> >
> > workgroup = DOMAIN
> > password server = server.domain.com
> Remove the password server line, you should allow Samba to find the most
> appropriate DC.
> > realm = DOMIAN.com
> > security = ads
> > idmap config * : range = 3000-9999
> > idmap config * : backend = rid
> > idmap config DOMAIN : range = 10000-19999
> > idmap config DOMAIN : backend = rid
> > allow trusted domain = no
> If you set 'allow trusted domain = yes' (or just remove the line), then
> you should be able to set up a trust between your domains to do what you
> require.
> > template shell = /bin/bash
> > kerberos method = secrets only
> > winbind use default domain = true
> > winbind offline logon = false
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind refresh tickets = yes
> > encrypt passwords = yes
> > restrict anonymous = 2
> > template homedir = /home/%D/%U
> >
> Rowland
--
V/R
Tyrus Shivers
Bestgate Engineering LLC
Direct: (410) 872-2457
tyrus.shivers at bestgateeng.com
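
An added example, not part of the original messages: with the `rid` backend and the `idmap config DOMAIN : range = 10000-19999` line from the quoted smb.conf, winbind computes each Unix ID from the RID at the end of the account's SID (idmap_rid(8): ID = RID + LOW_RANGE_ID), which is why a UID cannot be assigned per user. The domain SID and RIDs below are constructed placeholders, and the function names are hypothetical.

```python
# idmap_rid mapping as documented in idmap_rid(8): ID = RID + LOW_RANGE_ID

# Range taken from the quoted smb.conf: idmap config DOMAIN : range = 10000-19999
LOW, HIGH = 10000, 19999

# Constructed domain SID (placeholder sub-authorities, not from the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def split_sid(sid):
    """Return (domain_sid, rid) for a domain account SID string."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_uid(sid, domain_sid=DOMAIN_SID, low=LOW, high=HIGH):
    """Map a SID to a Unix ID the way the rid backend computes it.

    Returns None when the SID belongs to another domain or the result
    falls outside the configured range (such a SID stays unmapped).
    """
    dom, rid = split_sid(sid)
    if dom != domain_sid:
        return None
    uid = rid + low
    return uid if low <= uid <= high else None


def uid_to_sid(uid, domain_sid=DOMAIN_SID, low=LOW, high=HIGH):
    """Reverse mapping: RID = ID - LOW_RANGE_ID."""
    if not low <= uid <= high:
        return None
    return f"{domain_sid}-{uid - low}"


def required_rid(target_uid, low=LOW, high=HIGH):
    """RID an account would need for the rid backend to yield target_uid."""
    return target_uid - low if low <= target_uid <= high else None


if __name__ == "__main__":
    for rid in (1104, 1105, 12000):
        sid = f"{DOMAIN_SID}-{rid}"
        print(sid, "->", sid_to_uid(sid))
    print("UID 15000 needs RID", required_rid(15000))
```

The mapping is a pure function of the RID and the configured range, so the same account gets the same UID on every member that uses the same range, and a UID dictated by another site's database only lines up if it happens to equal RID + 10000.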