Rowland Penny
2014-Dec-01 18:11 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 17:46, steve wrote:
> On 01/12/14 18:25, Rowland Penny wrote:
>> On 01/12/14 17:16, steve wrote:
>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>> On 01/12/14 17:09, steve wrote:
>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>
>>>>>>>> I do what windows does, it ignores the RID (what you call 'the last set
>>>>>>>> of digits from SID') and uses a builtin mechanism to store the next uid &
>>>>>>>> gidNumber.
>>>>>>
> Take this dangerously incorrect fact:
>>>>>> The builtin users/groups use the RID for the GID/UID.
> No.
>
>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>> 300000?
>>>>>
>>>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>
>>>> Rowland
>>>>
>>> English please. Notice the question mark after the last '0' ;)
>>
>> I thought I was speaking (well typing) English :-D
>>
>> Let's put it this way, samba4 gets the RID for Administrators
>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
>> in idmap.ldb.
>>
>> Does that answer all questions ??????
>>
>> Rowland
>

In the context of the OP's statement, he was sort of correct, the builtin user/group RIDs are used to get to the ID numbers.

Take Administrators for example:

RID 'S-1-5-32-544'
Winbind gets this, it is meaningless on Unix, so it gets mapped to an xidNumber '3000000'

This xidNumber is used as the group's gidNumber

The xidNumber is stored in idmap.ldb

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

If you run 'getfacl /var/lib/samba/sysvol/', you get this:

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Now what part of the above is wrong ??

Rowland
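The mapping Rowland describes, as an added example that is not part of the original post and not Samba's own code: it parses a constructed LDIF dump of idmap.ldb (the S-1-5-32-544 record is the one quoted above; the other three SIDs and their xidNumbers are assumed for illustration, since idmap.ldb allocates xidNumbers in first-seen order and the SIDs behind 3000001..3000003 differ per domain) together with the getfacl listing above, resolves every numeric ID in the ACL back to its SID, and shows why the RID itself (544) would be a poor gid. The 0..999 system-ID range is the Debian/RHEL convention and is assumed here.

```python
"""Resolve the numeric IDs in a Samba sysvol ACL back to SIDs via idmap.ldb.

Added example, not Samba project code: it reads a constructed LDIF dump of
idmap.ldb and a constructed getfacl listing, both embedded below.
"""
import re

# The S-1-5-32-544 record is the one quoted in the thread. The other three are
# ASSUMED for illustration: idmap.ldb allocates xidNumbers in the order SIDs
# are first seen, so the SIDs behind 3000001..3000003 differ per domain.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

dn: CN=S-1-5-11
objectClass: sidMap
objectSid: S-1-5-11
type: ID_TYPE_BOTH
xidNumber: 3000001

dn: CN=S-1-5-18
objectClass: sidMap
objectSid: S-1-5-18
type: ID_TYPE_BOTH
xidNumber: 3000002

dn: CN=S-1-5-32-549
objectClass: sidMap
objectSid: S-1-5-32-549
type: ID_TYPE_BOTH
xidNumber: 3000003
"""

# Constructed from the getfacl listing in the thread (non-default entries).
GETFACL_OUTPUT = """\
# file: var/lib/samba/sysvol/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
"""

# ASSUMED distro convention (Debian, RHEL): uids/gids 0..999 are reserved for
# system accounts, which is why a RID used directly as a gid is a hazard.
SYSTEM_ID_MAX = 999


def parse_idmap(ldif):
    """Return {sid: {"xidNumber": int, "type": str}} from an LDIF dump."""
    idmap = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key] = value.strip()
        if attrs.get("objectClass") == "sidMap":
            idmap[attrs["objectSid"]] = {"xidNumber": int(attrs["xidNumber"]),
                                         "type": attrs["type"]}
    return idmap


def rid_of(sid):
    """The RID is the last sub-authority of a SID: S-1-5-32-544 -> 544."""
    return int(sid.rsplit("-", 1)[1])


def acl_ids(getfacl_text):
    """Numeric IDs named by qualified user:/group: entries in getfacl output."""
    pat = re.compile(r"^(?:default:)?(?:user|group):(\d+):")
    return {int(m.group(1)) for m in map(pat.match, getfacl_text.splitlines()) if m}


def resolve_acl(getfacl_text, idmap):
    """Map each numeric ID in the ACL to its SID, or None if idmap.ldb lacks it.

    None is what a DC restored without (or with a rebuilt) idmap.ldb shows:
    the ACL still carries the old xidNumber and nothing resolves to it.
    """
    by_xid = {rec["xidNumber"]: sid for sid, rec in idmap.items()}
    return {xid: by_xid.get(xid) for xid in sorted(acl_ids(getfacl_text))}


def in_system_range(num):
    """True if this number, used as a uid/gid, lands in the reserved range."""
    return 0 <= num <= SYSTEM_ID_MAX


if __name__ == "__main__":
    idmap = parse_idmap(IDMAP_LDIF)
    for xid, sid in resolve_acl(GETFACL_OUTPUT, idmap).items():
        print(f"{xid} -> {sid or 'UNMAPPED'}")
    print("RID 544 in system range:", in_system_range(rid_of("S-1-5-32-544")))
```

Run it as a script or import the functions. An ACL entry whose number has no idmap.ldb record (the UNMAPPED case) is what you see after restoring a DC without its idmap.ldb, or with a freshly generated one: the ACL still carries the old xidNumber. On a live DC the equivalent checks are `ldbsearch -H /var/lib/samba/private/idmap.ldb objectSid=S-1-5-32-544`, `wbinfo --sid-to-gid S-1-5-32-544` and `samba-tool ntacl sysvolcheck`, with `samba-tool ntacl sysvolreset` to rewrite the sysvol ACLs from the current mapping.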
steve
2014-Dec-01 18:23 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 19:11, Rowland Penny wrote:
> On 01/12/14 17:46, steve wrote:
>> On 01/12/14 18:25, Rowland Penny wrote:
>>> On 01/12/14 17:16, steve wrote:
>>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>>> On 01/12/14 17:09, steve wrote:
>>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>
>>>>>>>>> I do what windows does, it ignores the RID (what you call 'the last set
>>>>>>>>> of digits from SID') and uses a builtin mechanism to store the next uid &
>>>>>>>>> gidNumber.
>>>>>>>
>> Take this dangerously incorrect fact:
>>>>>>> The builtin users/groups use the RID for the GID/UID.
>> No.
>>
>>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>>> 300000?
>>>>>>
>>>>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>>
>>>>> Rowland
>>>>>
>>>> English please. Notice the question mark after the last '0' ;)
>>>
>>> I thought I was speaking (well typing) English :-D
>>>
>>> Let's put it this way, samba4 gets the RID for Administrators
>>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
>>> in idmap.ldb.
>>>
>>> Does that answer all questions ??????
>>>
>>> Rowland
>>
>
> In the context of the OP's statement, he was sort of correct, the
> builtin user/group RIDs are used to get to the ID numbers.
>
> Take Administrators for example:
>
> RID 'S-1-5-32-544'
> Winbind gets this, it is meaningless on Unix, so it gets mapped to an
> xidNumber '3000000'
>
> This xidNumber is used as the group's gidNumber
>
> The xidNumber is stored in idmap.ldb
>
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_BOTH
> xidNumber: 3000000
> distinguishedName: CN=S-1-5-32-544
>
> If you run 'getfacl /var/lib/samba/sysvol/', you get this:
>
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> Now what part of the above is wrong ??
>
Hi
'...sort of correct' is misleading enough and is to be discouraged.
But unqualified statements which are incorrect should be banned.
'The builtin users/groups use the RID for the GID/UID.' is incorrect.
Not only is it incorrect, but it is the opposite of what we would wish
to achieve, especially with the low uids and gids which would ensue.

Many of us here have wasted enough of our time reading threads on
mailing lists which are incorrect.

Thank you for the qualification.

> Rowland
>
Rowland Penny
2014-Dec-01 18:30 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 18:23, steve wrote:
> On 01/12/14 19:11, Rowland Penny wrote:
>> On 01/12/14 17:46, steve wrote:
>>> On 01/12/14 18:25, Rowland Penny wrote:
>>>> On 01/12/14 17:16, steve wrote:
>>>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>>>> On 01/12/14 17:09, steve wrote:
>>>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>
>>>>>>>>>> I do what windows does, it ignores the RID (what you call 'the last set
>>>>>>>>>> of digits from SID') and uses a builtin mechanism to store the next uid &
>>>>>>>>>> gidNumber.
>>>>>>>>
>>> Take this dangerously incorrect fact:
>>>>>>>> The builtin users/groups use the RID for the GID/UID.
>>> No.
>>>
>>>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>>>> 300000?
>>>>>>>
>>>>>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> English please. Notice the question mark after the last '0' ;)
>>>>
>>>> I thought I was speaking (well typing) English :-D
>>>>
>>>> Let's put it this way, samba4 gets the RID for Administrators
>>>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
>>>> in idmap.ldb.
>>>>
>>>> Does that answer all questions ??????
>>>>
>>>> Rowland
>>>
>>
>> In the context of the OP's statement, he was sort of correct, the
>> builtin user/group RIDs are used to get to the ID numbers.
>>
>> Take Administrators for example:
>>
>> RID 'S-1-5-32-544'
>> Winbind gets this, it is meaningless on Unix, so it gets mapped to an
>> xidNumber '3000000'
>>
>> This xidNumber is used as the group's gidNumber
>>
>> The xidNumber is stored in idmap.ldb
>>
>> dn: CN=S-1-5-32-544
>> cn: S-1-5-32-544
>> objectClass: sidMap
>> objectSid: S-1-5-32-544
>> type: ID_TYPE_BOTH
>> xidNumber: 3000000
>> distinguishedName: CN=S-1-5-32-544
>>
>> If you run 'getfacl /var/lib/samba/sysvol/', you get this:
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol/
>> # owner: root
>> # group: 3000000
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:3000000:rwx
>> group:3000001:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> Now what part of the above is wrong ??
>>
> Hi
> '...sort of correct' is misleading enough and is to be discouraged.
> But unqualified statements which are incorrect should be banned.
> 'The builtin users/groups use the RID for the GID/UID.' is incorrect.
> Not only is it incorrect, but it is the opposite of what we would wish
> to achieve, especially with the low uids and gids which would ensue.
>
> Many of us here have wasted enough of our time reading threads on
> mailing lists which are incorrect.
>
> Thank you for the qualification.
>
>> Rowland
>>
>

When you put it that way, then yes it was wrong. 'The builtin users/groups use the RID for their GID/UID.' would have been better, that is, if you can spot the difference :-D

Rowland