In the planning process for migrating from NT4 PDC, and external ldap directory to samba 3.2.8 PDC. The external existing openldap directory is used currently to support the local uid mapping for the Linux logins and samba file servers that are members of the current NT4 PDC.

While looking at the existing openldap UIDs and GIDs in use and what the samba PDC wants to use I see some uid/gid collisions. For example I see that the Domain Admins uses gid 512, just so happens to be the same as a file system group (in the ldap directory).

Is it better to change the users group gid and leave the samba domain admins and such the way they are?

I suspect a small shell script can crawl the file system and replace one gid for another if I were to change the users GID.

Thanks
Derek

On Tue, 2009-03-24 at 12:10 -0500, Derek Werthmuller wrote:
> In the planning process for migrating from NT4 PDC, and external ldap
> directory to samba 3.2.8 PDC. The external existing openldap directory is
> used currently to support the local uid mapping for the Linux logins and
> samba file servers that are members of the current NT4 PDC.
> While looking at the existing openldap UIDs and GIDs in use and what the
> samba PDC wants to use I see some uid/gid collisions. For example I see
> that the Domain Admins uses gid 512, just so happens to be the same as a
> file system group(in the ldap directory).

No, it doesn't. RID != GID. A RID is a component of the SID and SIDs are mapped to UIDs & GIDs.

> Is it better to change the users group gid and leave the samba domain admins
> and such the way they are?

Not necessary.

> I suspect a small shell script can crawl the file system and replace one gid
> for another if I were to change the users GID.

Ok I see it appears that the ldap entries that samba needs in the directory are under a different O. ou=groups,o=smb,dc=unav,dc=es for example.

dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins

Where my user/file system groups would be under traditional ldap entries like:

dn: cn=usrgrp,ou=Group,dc=ct,dc=unav,dc=es
objectClass: posixGroup
objectClass: top
cn: usrgrp
userPassword:: e2NyexB0fX9g
gidNumber: 512
creatorsName: cn=Manager, dc=ct,dc=unav,dc=es
createTimestamp: 20021007160601Z
modifiersName: cn=Manager,dc=ct,dc=unav,dc=es
modifyTimestamp: 20081205192619Z

This right?

Thanks
Derek

-----Original Message-----
From: samba-bounces+dwerthmu=ctg.albany.edu@lists.samba.org [mailto:samba-bounces+dwerthmu=ctg.albany.edu@lists.samba.org] On Behalf Of Adam Tauno Williams
Sent: Tuesday, March 24, 2009 1:38 PM
To: 'samba@lists.samba.org'
Subject: Re: [Samba] gidNumber's and ldap backed samba PDC

On Tue, 2009-03-24 at 12:10 -0500, Derek Werthmuller wrote:
> In the planning process for migrating from NT4 PDC, and external ldap
> directory to samba 3.2.8 PDC. The external existing openldap directory
> is used currently to support the local uid mapping for the Linux
> logins and samba file servers that are members of the current NT4 PDC.
> While looking at the existing openldap UIDs and GIDs in use and what
> the samba PDC wants to use I see some uid/gid collisions. For example
> I see that the Domain Admins uses gid 512, just so happens to be the
> same as a file system group(in the ldap directory).

No, it doesn't. RID != GID. A RID is a component of the SID and SIDs are mapped to UIDs & GIDs.

> Is it better to change the users group gid and leave the samba domain
> admins and such the way they are?

Not necessary.

> I suspect a small shell script can crawl the file system and replace
> one gid for another if I were to change the users GID.
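
Added example, not part of the original thread and not Samba's own code: a small LDIF audit that separates the two numbers discussed above, the RID (last component of sambaSID) and the POSIX gidNumber, and reports gidNumber values shared by more than one posixGroup entry. The DNs and gidNumber 512 follow the thread; the sambaSID values, the made-up domain SID S-1-5-21-1-2-3 and the Domain Users entry are constructed assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: DNs and gidNumber 512 follow the thread; the sambaSID
# values (made-up domain SID S-1-5-21-1-2-3) and Domain Users are assumptions.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-512
gidNumber: 512

dn: cn=usrgrp,ou=Group,dc=ct,dc=unav,dc=es
objectClass: posixGroup
gidNumber: 512

dn: cn=Domain Users,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-513
gidNumber: 20513
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded lines, no base64 values) into dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for attr, value in re.findall(r"^([\w;-]+):\s*(.*)$", block, re.M):
            entry[attr.lower()].append(value.strip())
        entries.append(entry)
    return entries

def split_sid(sid):
    """Split a SID into (domain SID, RID); the RID is the last component."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def rid_report(entries):
    """Return (dn, RID, gidNumber) for every entry that carries a sambaSID."""
    return [(e["dn"][0], split_sid(e["sambasid"][0])[1], int(e["gidnumber"][0]))
            for e in entries if e["sambasid"]]

def gid_collisions(entries):
    """Map each gidNumber held by more than one posixGroup to the DNs using it."""
    by_gid = defaultdict(list)
    for e in entries:
        if "posixgroup" in map(str.lower, e["objectclass"]):
            by_gid[int(e["gidnumber"][0])].append(e["dn"][0])
    return {gid: dns for gid, dns in by_gid.items() if len(dns) > 1}
```

Calling rid_report(parse_ldif(SAMPLE_LDIF)) lists RID 512 with gidNumber 512 and RID 513 with gidNumber 20513, so the RID does not determine the gidNumber; gid_collisions() flags only the two entries that actually share gidNumber 512.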