On 04/23/2012 03:35 PM, steve wrote:
> Hi
> Coming from Linux, I'm struggling my way through this stuff.
>
> e.g. on my domain, the group suseusers has a SID of:
> S-1-5-21-1463437245-1224812800-863842198-1128
>
> Could anyone give me a yes/no/probably/absolutely-ridiculous on any of
> these?
> -User steve has a primaryGroupID: 1128
no, you can't see it from the group; you could conclude it if:
* steve is member of this group
* steve has only 1 group membership
> -steve is a member of suseusers
no
> -suseusers was the 128'th SID to be allocated
no, if you have more than one DC, each DC has a RID pool; one DC can
allocate 2 or 3 RIDs while the other one can already be using its fourth
or fifth pool.
> -given only the SID above, you could not identify it as a group
yes
> -it could equally well have been a user
yes
> -or a computer
yes
> -1128 is called a RID
yes, well it's 1128
> -if I change 1128 to that of another group, steve changes primary
> group to that of the other group
you can't change the SID of an object.
> -I only need change the 1128. LDAP does the rest
no, you can't change the SID of a group. What you can do is change the
primary group of the user; you have to specify it. And I think Samba and
Windows require that the user is already a member of this group before
setting it as default group; in this case LDAP takes on the job of
updating both memberOf and primaryGroupId for you.
> -If I change it to that of a user, LDAP will reject the idea
yes, it should; if not it's a bug.
> -users begin life with primaryGroupID 513
By default yes, you can still create a user with a primaryGroupID of
anything else I think.
>
> I think it's nearly there so tia for your patience.
> Cheers,
> Steve
--
Matthieu Patou
Samba Team
http://samba.org
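
Added example, not part of the original thread or of Samba's code: the SID/RID relationship discussed above, showing how a SID splits into domain SID and RID, how the binary objectSid value stored in LDAP maps to the S-1-... text, and how a user's primaryGroupID (a bare RID) resolves to a full group SID. The user SID with RID 1105 is a constructed sample and the function names are hypothetical.

```python
import struct

# SID quoted in the thread (the suseusers group).
GROUP_SID = "S-1-5-21-1463437245-1224812800-863842198-1128"
# Constructed sample: a user in the same domain; RID 1105 is made up.
USER_SID = "S-1-5-21-1463437245-1224812800-863842198-1105"

def sid_to_bytes(sid):
    """Encode S-1-... text into the binary form stored in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")             # 48-bit, big-endian
            + struct.pack("<%dI" % len(subs), *subs))  # 32-bit, little-endian

def sid_from_bytes(raw):
    """Decode a binary objectSid value into S-1-... text."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def split_sid(sid):
    """Return (domain SID, RID); the RID is the last sub-authority."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def primary_group_sid(user_sid, primary_group_id):
    """primaryGroupID holds only a RID; prepend the user's domain SID."""
    return "%s-%d" % (split_sid(user_sid)[0], primary_group_id)

if __name__ == "__main__":
    print(split_sid(GROUP_SID))
    print(sid_to_bytes(GROUP_SID).hex())
    print(primary_group_sid(USER_SID, 513))   # default group RID from the thread
    print(primary_group_sid(USER_SID, 1128))  # same text as GROUP_SID
```

Nothing in either the text or the binary form says whether the object is a group, user or computer; that has to come from the object's other LDAP attributes.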