Jacob Seeley wrote:> Hello,
> My question revolves around 'User Private Groups'. I noticed my AD
users UID's do not have matching GID's. I came across the following:
>
>
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2596644
>
> This seems to indicate I cannot implement UPG because Windows will not
allow user and groups of the same name.
>
> From an administrative point of view, how do I handle this? Should I be
concerned about this? How will a non UPG setup be different for us Linux users
who are accustomed to having private groups? Essentially, I'm trying to
avoid any unforeseen pitfalls as a result of not having UPGs.
>
----
Well one pitfall I can think of -- is on the linux side.
i.e. on Windows, you an put both users and groups in 'groups', and I
think
samba supports such nesting (needs enabling). But then lets say you use
the idmap_rid -- How would you specify group-nesting as separate from
the user?
FWIW , I allocate the groupid's w/users, but I alter the groupnames
for the ones I care to have working with any reliability.
I try to setup my groups to mirror the wingroups, though ran
into some problems with domain groups <=512...
But a snippet from my passwd file:
rsvd_Domain Users_g:x:513:513:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Guests_g:x:514:514:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Computers_g:x:515:515:Group-Reserved:/var/lib/nobody:/bin/bash
rsvd_Domain Controllers_g:x:516:516:Group-Reserved:/var/lib/nobody:/bin/bash
---
I do have the numbers reserved in both files so they line up.
I'm not happy with several limitations in the standard samba setup.. like
artificially limiting rids to >512 (which, means I'd have
to move groups/users as I'm using 'idmap_nss'. But would
something similar work for you -- suffixes or prefixes?
But I also don't like that samba doesn't list back
its well-known groups - as those are often only well-known if they
you have a windows server.
Dumping out my non-domain, "well known groups" (and a few
domain groups at the end for comparison. The number
in the middle is the unix GID...Note -- most of those
are not used anywhere and I put them in as reference,
and I noted a few inconsistencies...oh well...
Need 128 bit user numbers!... ;-)
(net groups list -- massaged;
S-1-0 : 10100 - Null Authority
S-1-1 : 10101 - World Authority
S-1-2 : 10102 - Local Authority
S-1-3 : 10103 - Creator Authority
S-1-4 : 10104 - Non-unique Authority
S-1-5 : 10105 - NT Authority
S-1-0-0 : 11000 - Nobody
S-1-1-0 : 11100 - Everyone
S-1-3-0 : 11300 - Creator Owner
S-1-3-1 : 11301 - Creator Group
S-1-3-2 : 11302 - Creator Owner Server
S-1-5-1 : 11501 - Dialup
S-1-5-2 : 11502 - Network
S-1-5-3 : 11503 - Batch
S-1-5-4 : 11504 - Interactive
S-1-5-6 : 11506 - Service
S-1-5-7 : 11507 - Anonymous
S-1-5-8 : 11508 - Proxy
S-1-5-9 : 11509 - Enterprise Domain Controllers
S-1-5-10 : 11510 - Principal Self
S-1-5-11 : 11511 - Authenticated Users
S-1-5-12 : 11512 - Restricted Code
S-1-5-13 : 11513 - TSUsersGroup
S-1-5-19 : 11519 - Local Service
S-1-5-20 : 11520 - Network Service
S-1-16-4096 : 11604096 - Low Mandatory Level
S-1-16-8192 : 11608192 - Medium Mandatory Level
S-1-16-8448 : 11608448 - Medium Plus Mandatory Level
S-1-16-12288 : 11612288 - High Mandatory Level
S-1-16-16384 : 11616384 - System Mandatory Level
S-1-5-32-516 : 516 - Domain Controllers
S-1-5-32-544 : 544 - Administrators
S-1-5-32-545 : 545 - Users
S-1-5-32-546 : 546 - Guests
S-1-5-32-547 : 547 - Power Users
S-1-5-32-548 : 548 - Account Operators
S-1-5-32-549 : 549 - Server Operators
S-1-5-32-550 : 550 - Print Operators
S-1-5-32-551 : 551 - Backup Operators
S-1-5-32-552 : 552 - Replicators
S-1-5-21-1-2-3-512 : 512 - Domain Admins
S-1-5-21-1-2-3-513 : 513 - Domain Users
S-1-5-21-1-2-3-514 : 514 - Domain Guests
S-1-5-21-1-2-3-515 : 515 - Domain Computers