On Wed, 2022-03-09 at 03:01 -0300, Anderson Sampaio Mello via samba wrote:
> Hello samba team.
>
> I have an AD DC server and winbind generates a UID for a group, for
> example Domain Admins has its GID mapped to a SID and also a UID equal
> to the GID mapped to the same SID.
>
> I understand the mapping from GID to SID, but why does it generate a
> UID for a group?

Because, while a group can own things on Windows, a Unix group cannot, so the group is mapped to a user on a DC, it is known as 'ID_TYPE_BOTH'

> Example output of the wbinfo command:
>
> wbinfo --group-info domain\\domain\ admins
>
> Domain\domain admins:x:3000004:

The numbers in the '3000000' range are 'xidNumbers' and are only found on Samba AD DCs and unless you sync idmap.ldb between Samba DCs, you will get different IDs on different DCs

Rowland
On 09-03-2022 09:16, Rowland Penny via samba wrote:
> On Wed, 2022-03-09 at 03:01 -0300, Anderson Sampaio Mello via samba
> wrote:
>> Hello samba team.
>>
>> I have an AD DC server and winbind generates a UID for a group, for
>> example Domain Admins has its GID mapped to a SID and also a UID equal
>> to the GID mapped to the same SID.
>>
>> I understand the mapping from GID to SID, but why does it generate a
>> UID for a group?
>
> Because, while a group can own things on Windows, a Unix group cannot,
> so the group is mapped to a user on a DC, it is known as 'ID_TYPE_BOTH'
>
>> Example output of the wbinfo command:
>>
>> wbinfo --group-info domain\\domain\ admins
>>
>> Domain\domain admins:x:3000004:
>
> The numbers in the '3000000' range are 'xidNumbers' and are only found
> on Samba AD DCs and unless you sync idmap.ldb between Samba DCs, you
> will get different IDs on different DCs

It worries me that they are different per DC since files on sysvol use these IDs. Is idmap.ldb part of the standard DC-sync or should I put something like rsync or osync in place similar to sysvol sync?

> Rowland
Hello Rowland. Thanks for the answer. Do you have a link that serves as a reference explaining more about ID_TYPE_BOTH?

On Wed, 9 Mar 2022 at 05:17, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 2022-03-09 at 03:01 -0300, Anderson Sampaio Mello via samba
> wrote:
> > Hello samba team.
> >
> > I have an AD DC server and winbind generates a UID for a group, for
> > example Domain Admins has its GID mapped to a SID and also a UID equal
> > to the GID mapped to the same SID.
> >
> > I understand the mapping from GID to SID, but why does it generate a
> > UID for a group?
>
> Because, while a group can own things on Windows, a Unix group cannot,
> so the group is mapped to a user on a DC, it is known as 'ID_TYPE_BOTH'
>
> > Example output of the wbinfo command:
> >
> > wbinfo --group-info domain\\domain\ admins
> >
> > Domain\domain admins:x:3000004:
>
> The numbers in the '3000000' range are 'xidNumbers' and are only found
> on Samba AD DCs and unless you sync idmap.ldb between Samba DCs, you
> will get different IDs on different DCs
>
> Rowland
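Added example, not part of any message in this thread and not Samba project code: a check for the per-DC ID differences discussed above, which matters when files owned by these numeric IDs are copied between DCs. It assumes each DC's idmap.ldb has been dumped to LDIF-style text with cn (the SID), type and xidNumber attributes; the dumps, the placeholder domain SID and the function names are constructed for illustration.

```python
# Added example. Constructed sample data: trimmed LDIF-style records as
# assumed from dumping idmap.ldb on two DCs; the domain SID is a placeholder.
DC1_DUMP = """\
cn: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000004

cn: S-1-5-21-1111111111-2222222222-3333333333-519
type: ID_TYPE_BOTH
xidNumber: 3000006
"""
DC2_DUMP = """\
cn: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000008

cn: S-1-5-21-1111111111-2222222222-3333333333-519
type: ID_TYPE_BOTH
xidNumber: 3000004
"""

def parse_idmap(ldif):
    """Return {sid: xidNumber} for each record that has both cn and xidNumber."""
    mappings = {}
    for record in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        if "cn" in attrs and "xidNumber" in attrs:
            mappings[attrs["cn"]] = int(attrs["xidNumber"])
    return mappings

def compare(dc1, dc2):
    """Find SIDs whose ID differs per DC, and IDs that mean different SIDs per DC."""
    drift = {sid: (dc1[sid], dc2[sid])
             for sid in sorted(dc1.keys() & dc2.keys()) if dc1[sid] != dc2[sid]}
    by_id1 = {xid: sid for sid, xid in dc1.items()}
    by_id2 = {xid: sid for sid, xid in dc2.items()}
    # A numeric owner N copied as-is means a different SID on the other DC.
    reassigned = {xid: (by_id1[xid], by_id2[xid])
                  for xid in sorted(by_id1.keys() & by_id2.keys())
                  if by_id1[xid] != by_id2[xid]}
    return drift, reassigned

if __name__ == "__main__":
    drift, reassigned = compare(parse_idmap(DC1_DUMP), parse_idmap(DC2_DUMP))
    for sid, (a, b) in drift.items():
        print(f"{sid}: DC1={a} DC2={b}")
    for xid, (a, b) in reassigned.items():
        print(f"id {xid}: DC1 -> {a}, DC2 -> {b}")
```

In the constructed data, ID 3000004 belongs to the -512 group on the first DC and to the -519 group on the second, so a file copied with its numeric owner preserved would change effective owner.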