Rowland Penny
2014-Dec-01 17:25 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 17:16, steve wrote:
> On 01/12/14 18:11, Rowland Penny wrote:
>> On 01/12/14 17:09, steve wrote:
>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>> <rowlandpenny at googlemail.com>
>>>> wrote:
>>>>
>>>>>> I do what windows does, it ignores the RID (what you call 'the last
>>>>>> set
>>>>> of digits from SID') and uses a builtin mechanism to store the next
>>>>> uid &
>>>>> gidNumber.
>>>>
>>>> The builtin users/groups use the RID for the GID/UID.
>>>
>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is 300000?
>>>
>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>
>> Rowland
>>
> English please. Notice the question mark after the last '0';)

I thought I was speaking (well typing) English :-D

Let's put it this way, samba4 gets the RID for Administrators (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this in idmap.ldb.

Does that answer all questions ??????

Rowland
On 01/12/14 18:25, Rowland Penny wrote:
> On 01/12/14 17:16, steve wrote:
>> On 01/12/14 18:11, Rowland Penny wrote:
>>> On 01/12/14 17:09, steve wrote:
>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>> <rowlandpenny at googlemail.com>
>>>>> wrote:
>>>>>
>>>>>>> I do what windows does, it ignores the RID (what you call 'the last
>>>>>>> set
>>>>>> of digits from SID') and uses a builtin mechanism to store the next
>>>>>> uid &
>>>>>> gidNumber.
>>>>>

Take this dangerously incorrect fact:

>>>>> The builtin users/groups use the RID for the GID/UID.

No.

>>>>
>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is 300000?
>>>>
>>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>
>>> Rowland
>>>
>> English please. Notice the question mark after the last '0';)
>
> I thought I was speaking (well typing) English :-D
>
> Let's put it this way, samba4 gets the RID for Administrators
> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
> in idmap.ldb.
>
> Does that answer all questions ??????
>
> Rowland
Rowland Penny
2014-Dec-01 18:11 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 17:46, steve wrote:
> On 01/12/14 18:25, Rowland Penny wrote:
>> On 01/12/14 17:16, steve wrote:
>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>> On 01/12/14 17:09, steve wrote:
>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>> <rowlandpenny at googlemail.com>
>>>>>> wrote:
>>>>>>
>>>>>>>> I do what windows does, it ignores the RID (what you call 'the
>>>>>>>> last
>>>>>>>> set
>>>>>>> of digits from SID') and uses a builtin mechanism to store the next
>>>>>>> uid &
>>>>>>> gidNumber.
>>>>>>
>
> Take this dangerously incorrect fact:
>
>>>>>> The builtin users/groups use the RID for the GID/UID.
>
> No.
>
>>>>>
>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>> 300000?
>>>>>
>>>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>
>>>> Rowland
>>>>
>>> English please. Notice the question mark after the last '0';)
>>
>> I thought I was speaking (well typing) English :-D
>>
>> Let's put it this way, samba4 gets the RID for Administrators
>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
>> in idmap.ldb.
>>
>> Does that answer all questions ??????
>>
>> Rowland
>

In the context of the OP's statement, he was sort of correct, the builtin user/group RIDs are used to get to the ID numbers.

Take Administrators for example:

RID 'S-1-5-32-544'

Winbind gets this, it is meaningless on Unix, so it gets mapped to an xidNumber '3000000'

This xidNumber is used as the group's gidNumber

The xidNumber is stored in idmap.ldb

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

If you run 'getfacl /var/lib/samba/sysvol/' , you get this:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Now what part of the above is wrong ??

Rowland
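As an added example (not code from this thread or from Samba), here is a small Python script that does the lookup Rowland describes in reverse: it parses sidMap records in the LDIF shape shown above and annotates getfacl output with the SID each xidNumber was mapped from, so a numeric group such as 3000000 on sysvol can be checked against idmap.ldb. The S-1-5-21-... entry, its xidNumber and the getfacl lines other than group:3000000 are constructed sample data, and the parser assumes single-line LDIF attributes (no wrapped or base64 values).

```python
import re
# Constructed sample of idmap.ldb sidMap records in the LDIF shape the thread shows.
# S-1-5-32-544 -> 3000000 is the thread's record; the 1108 entry and its SID are assumed.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-1-2-3-1108
objectClass: sidMap
objectSid: S-1-5-21-1-2-3-1108
type: ID_TYPE_GID
xidNumber: 3000002
"""
# Constructed getfacl-style lines: one from the thread, one misused id, one unmapped id.
GETFACL_OUTPUT = """\
group:3000000:rwx
user:3000002:r-x
default:group:3000009:r-x
"""
# idmap.ldb records carry a type; an id mapped only as a GID is not meaningful as a UID.
OK_TYPES = {"user": ("ID_TYPE_UID", "ID_TYPE_BOTH"),
            "group": ("ID_TYPE_GID", "ID_TYPE_BOTH")}
def parse_idmap(ldif):
    """Map xidNumber -> (objectSid, type) from single-line-attribute sidMap records."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(line.partition(": ")[::2] for line in record.splitlines())
        if attrs.get("objectClass") == "sidMap":
            mapping[int(attrs["xidNumber"])] = (attrs["objectSid"], attrs["type"])
    return mapping

def explain(kind, xid, mapping):
    """Say what idmap.ldb knows about one numeric id used as a user or a group."""
    sid, idtype = mapping.get(xid, (None, None))
    if sid is None:
        return f"UNMAPPED: no idmap.ldb entry for {xid}"
    if idtype not in OK_TYPES[kind]:
        return f"{sid} is mapped as {idtype}, not usable as a {kind}"
    return sid

def annotate_acl(facl, mapping):
    """Append the idmap.ldb verdict to every numeric user:/group: ACL entry."""
    out = []
    for line in facl.splitlines():
        m = re.match(r"^(?:default:)?(user|group):(\d+):", line)
        out.append(f"{line}   # {explain(m[1], int(m[2]), mapping)}" if m else line)
    return out
```

On a real DC the LDIF would come from ldbsearch against idmap.ldb and the ACL lines from getfacl on sysvol, as in the message above.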
Greg Zartman
2014-Dec-01 19:08 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On Mon, Dec 1, 2014 at 9:25 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
> I thought I was speaking (well typing) English :-D
>
> Let's put it this way, samba4 gets the RID for Administrators
> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this in
> idmap.ldb.
>
> Does that answer all questions ??????

No. How do you read this UID from the Active Directory? I'm using the perl Net::LDAP module to interact with the active directory, and xidNumber is not in the schema for a newly provisioned domain with posix extensions enabled.

Greg
Rowland Penny
2014-Dec-01 19:16 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 19:08, Greg Zartman wrote:
> On Mon, Dec 1, 2014 at 9:25 AM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
> I thought I was speaking (well typing) English :-D
>
> Let's put it this way, samba4 gets the RID for Administrators
> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all
> this in idmap.ldb.
>
> Does that answer all questions ??????
>
>
> No. How do you read this UID from the Active Directory? I'm using
> the perl Net::LDAP module to interact with the active directory, and
> xidNumber is not in the schema for a newly provisioned domain with
> posix extensions enabled.
>
> Greg
>

I don't think that you need to read the builtin users/groups, the only time that they really come to be used by Unix is on the sysvol share and winbind sorts this out by use of idmap.ldb.

If you do need to use a windows user or group on Unix, then give them a 'uidNumber' or 'gidNumber' (just don't do this to 'Administrator')

Rowland