Greg Zartman
2014-Dec-01 16:31 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:

> I do what windows does, it ignores the RID (what you call 'the last set
> of digits from SID') and uses a builtin mechanism to store the next uid &
> gidNumber.

The builtin users/groups use the RID for the GID/UID.

> If you create a user and then go to the UNIX_Attributes tab in ADUC,
> firstly you will find a 'uidNumber' is assigned to your user (if it is the
> first user, this will be 10000) and when you add the attributes, you will
> then find in the users object in AD that the following attributes will have
> been added:
>
> uid
> msSFU30Name
> msSFU30NisDomain
> uidNumber
> gidNumber
> loginShell
> unixHomeDirectory

Do you have to go back and add these values to the builtin groups/users like "Domain Admins"?

> unixUserPassword: ABCD!efgh12345$67890 <-- the password is always this,
> unless password sync is installed and it doesn't (yet) exist on S4

You are saying this exact string is the same no matter what? What's it used for then?

> Unfortunately, these attributes do not exist as standard, so you would
> either have to add a user with ADUC or manually add them yourselves with
> ldbedit. As standard on windows, they both start at '10000', though you can
> set them to whatever you require, just make sure that they do not interfere
> with any local Unix users.

Quite a lot of this stuff isn't standard, nor documented. It is incredibly frustrating to deploy Samba 4 in a mixed windows/*nix environment.

Greg
Rowland Penny
2014-Dec-01 16:54 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 16:31, Greg Zartman wrote:
> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
>> I do what windows does, it ignores the RID (what you call 'the
>> last set of digits from SID') and uses a builtin mechanism to
>> store the next uid & gidNumber.
>
> The builtin users/groups use the RID for the GID/UID.

Well, yes and no, on the samba4 AD DC they get mapped in idmap.ldb

>> If you create a user and then go to the UNIX_Attributes tab in
>> ADUC, firstly you will find a 'uidNumber' is assigned to your user
>> (if it is the first user, this will be 10000) and when you add the
>> attributes, you will then find in the users object in AD that the
>> following attributes will have been added:
>>
>> uid
>> msSFU30Name
>> msSFU30NisDomain
>> uidNumber
>> gidNumber
>> loginShell
>> unixHomeDirectory
>
> Do you have to go back and add these values to the builtin
> groups/users like "Domain Admins"?
>
>> unixUserPassword: ABCD!efgh12345$67890 <-- the password is always
>> this, unless password sync is installed and it doesn't (yet) exist
>> on S4
>
> You are saying this exact string is the same no matter what? What's
> it used for then?

With a windows AD DC you can install software that will sync the windows user's password with the unixUserPassword attribute, this can then be used by Unix programs, I personally don't know anybody that uses it, but it is there.

>> Unfortunately, these attributes do not exist as standard, so you
>> would either have to add a user with ADUC or manually add them
>> yourselves with ldbedit. As standard on windows, they both start
>> at '10000', though you can set them to whatever you require, just
>> make sure that they do not interfere with any local Unix users.
>
> Quite a lot of this stuff isn't standard, nor documented. It is
> incredibly frustrating to deploy Samba 4 in a mixed windows/*nix environment.

Perhaps it would have been better if I had said 'these attributes do not exist as standard on a samba4 AD DC', they are standard on a windows AD DC with 'server for NIS' installed. Samba just decided not to use them. I did hope that 4.2 would make using S4 AD DC with Unix users easier, but this will not happen until winbindd pulls all the RFC2307 attributes.

Rowland

> Greg
steve
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 17:31, Greg Zartman wrote:
> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny <rowlandpenny at googlemail.com>
> wrote:
>
>> I do what windows does, it ignores the RID (what you call 'the last set
>> of digits from SID') and uses a builtin mechanism to store the next uid &
>> gidNumber.
>
> The builtin users/groups use the RID for the GID/UID.

Not in any domain we've ever seen. The RID of BUILTIN\Admins is 300000?
steve
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 17:54, Rowland Penny wrote:
> On 01/12/14 16:31, Greg Zartman wrote:
>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>> <rowlandpenny at googlemail.com> wrote:
>>
>>> I do what windows does, it ignores the RID (what you call 'the
>>> last set of digits from SID') and uses a builtin mechanism to
>>> store the next uid & gidNumber.
>>
>> The builtin users/groups use the RID for the GID/UID.
>
> Well, yes and no, on the samba4 AD DC they get mapped in idmap.ldb

No. Never yes.
Rowland Penny
2014-Dec-01 17:11 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 17:09, steve wrote:
> On 01/12/14 17:31, Greg Zartman wrote:
>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>> <rowlandpenny at googlemail.com>
>> wrote:
>>
>>> I do what windows does, it ignores the RID (what you call 'the last
>>> set of digits from SID') and uses a builtin mechanism to store the next
>>> uid & gidNumber.
>>
>> The builtin users/groups use the RID for the GID/UID.
>
> Not in any domain we've ever seen. The RID of BUILTIN\Admins is 300000?

No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)

Rowland
Greg Zartman
2014-Dec-01 19:05 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On Mon, Dec 1, 2014 at 9:09 AM, steve <steve at steve-ss.com> wrote:

> Not in any domain we've ever seen. The RID of BUILTIN\Admins is 300000?

Where are you seeing this in the Samba 4 active directory? I don't have my development box in front of me, but the "Administrator" account is showing with an ID = 514 or similar. It's something in the low 500s.

Greg
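Two practical points run through this thread: the RID at the end of a SID is not the POSIX id a Samba AD DC hands out (an account with no uidNumber gets its id from idmap.ldb, as Rowland says, while an account with RFC2307 attributes uses its uidNumber/gidNumber), and any uidNumber/gidNumber you assign by hand must not collide with local accounts in /etc/passwd and /etc/group. The script below is an added example, not code from the thread or from the Samba project. It pulls the RID out of a SID string, reads the three pieces of information side by side, and flags RFC2307 ids that clash with local ones. The domain SID, the users and the local account lines are all constructed for the example; on a real DC you would feed it the output of ldbsearch against sam.ldb and the real /etc/passwd and /etc/group.

```python
"""Added example (not from the list thread or Samba): RID vs RFC2307 id,
plus a collision check of AD uidNumber/gidNumber against local accounts."""
import re
from collections import defaultdict

# Constructed: roughly what
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' objectSid uidNumber gidNumber
# prints for a tiny domain. The domain SID 1111111111-2222222222-3333333333 is invented.
SAM_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-500

dn: CN=greg,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1104
uidNumber: 10000
gidNumber: 10000

dn: CN=backup,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
uidNumber: 1000
gidNumber: 0
"""

# Constructed local account database of the member server / DC.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
steve:x:1000:1000:steve:/home/steve:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
LOCAL_GROUP = """\
root:x:0:
steve:x:1000:
nogroup:x:65534:
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def rid_of(sid):
    """Return the RID, i.e. the last sub-authority of a SID string."""
    if not SID_RE.match(sid):
        raise ValueError("not a SID: %r" % sid)
    return int(sid.rsplit("-", 1)[1])


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry (blank line separated)."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(dict(cur))
                cur = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()].append(value.strip())
    if cur:
        entries.append(dict(cur))
    return entries


def parse_id_file(text):
    """/etc/passwd or /etc/group lines -> {numeric id: name}; field 3 is uid/gid in both."""
    ids = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            ids[int(fields[2])] = fields[0]
    return ids


def posix_ids(entry):
    """(RID, uidNumber or None, gidNumber or None): shows the RID is a separate number."""
    rid = rid_of(entry["objectSid"][0])
    uid = int(entry["uidNumber"][0]) if "uidNumber" in entry else None
    gid = int(entry["gidNumber"][0]) if "gidNumber" in entry else None
    return rid, uid, gid


def missing_rfc2307(entries):
    """DNs with no uidNumber: these get their id from idmap.ldb, not from RFC2307 attributes."""
    return [e["dn"][0] for e in entries if "uidNumber" not in e]


def find_collisions(entries, local_uids, local_gids):
    """RFC2307 ids already owned by a local user or group -> [(dn, attribute, id, local name)]."""
    hits = []
    for e in entries:
        dn = e["dn"][0]
        _, uid, gid = posix_ids(e)
        if uid is not None and uid in local_uids:
            hits.append((dn, "uidNumber", uid, local_uids[uid]))
        if gid is not None and gid in local_gids:
            hits.append((dn, "gidNumber", gid, local_gids[gid]))
    return hits


if __name__ == "__main__":
    users = parse_ldif(SAM_LDIF)
    for u in users:
        print("%-45s rid=%s uidNumber=%s gidNumber=%s" % ((u["dn"][0],) + posix_ids(u)))
    print("no uidNumber (idmap.ldb allocates):", missing_rfc2307(users))
    for hit in find_collisions(users, parse_id_file(LOCAL_PASSWD), parse_id_file(LOCAL_GROUP)):
        print("COLLISION: %s %s=%d already belongs to local %r" % hit)
```

The collision check is the one worth running before you hand-edit attributes with ldbedit: in the constructed data the "backup" user would land on the local uid of "steve" and on gid 0 (root), which is exactly the interference the thread warns about.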