Rowland Penny
2014-Dec-01 18:30 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 18:23, steve wrote:
> On 01/12/14 19:11, Rowland Penny wrote:
>> On 01/12/14 17:46, steve wrote:
>>> On 01/12/14 18:25, Rowland Penny wrote:
>>>> On 01/12/14 17:16, steve wrote:
>>>>> On 01/12/14 18:11, Rowland Penny wrote:
>>>>>> On 01/12/14 17:09, steve wrote:
>>>>>>> On 01/12/14 17:31, Greg Zartman wrote:
>>>>>>>> On Mon, Dec 1, 2014 at 1:33 AM, Rowland Penny
>>>>>>>> <rowlandpenny at googlemail.com> wrote:
>>>>>>>>
>>>>>>>>> I do what windows does, it ignores the RID (what you call 'the
>>>>>>>>> last set of digits from SID') and uses a builtin mechanism to
>>>>>>>>> store the next uid & gidNumber.
>>>>>>>>
>>>
>>> Take this dangerously incorrect fact:
>>>>>>>> The builtin users/groups use the RID for the GID/UID.
>>> No.
>>>
>>>>>>>
>>>>>>> Not in any domain we've ever seen. The RID of BUILTIN\Admins is
>>>>>>> 300000?
>>>>>>>
>>>>>> No it's not, 300000 is the xidNumber of BUILTIN\Admins :-)
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>> English please. Notice the question mark after the last '0' ;)
>>>>
>>>> I thought I was speaking (well, typing) English :-D
>>>>
>>>> Let's put it this way: samba4 gets the RID for Administrators
>>>> (S-1-5-32-544), maps this to the xidNumber 3000000 and stores all this
>>>> in idmap.ldb.
>>>>
>>>> Does that answer all questions ??????
>>>>
>>>> Rowland
>>>
>>
>> In the context of the OP's statement, he was sort of correct, the
>> builtin user/group RIDs are used to get to the ID numbers.
>>
>> Take Administrators for example:
>>
>> RID 'S-1-5-32-544'
>> Winbind gets this, it is meaningless on Unix, so it gets mapped to an
>> xidNumber '3000000'
>>
>> This xidNumber is used as the group's gidNumber
>>
>> The xidNumber is stored in idmap.ldb
>>
>> dn: CN=S-1-5-32-544
>> cn: S-1-5-32-544
>> objectClass: sidMap
>> objectSid: S-1-5-32-544
>> type: ID_TYPE_BOTH
>> xidNumber: 3000000
>> distinguishedName: CN=S-1-5-32-544
>>
>> If you run 'getfacl /var/lib/samba/sysvol/', you get this:
>>
>> getfacl: Removing leading '/' from absolute path names
>> # file: var/lib/samba/sysvol/
>> # owner: root
>> # group: 3000000
>> user::rwx
>> user:root:rwx
>> group::rwx
>> group:3000000:rwx
>> group:3000001:r-x
>> group:3000002:rwx
>> group:3000003:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:group::---
>> default:group:3000000:rwx
>> default:group:3000001:r-x
>> default:group:3000002:rwx
>> default:group:3000003:r-x
>> default:mask::rwx
>> default:other::---
>>
>> Now what part of the above is wrong ??
>>
> Hi
> '...sort of correct' is misleading enough and is to be discouraged.
> But unqualified statements which are incorrect should be banned.
> 'The builtin users/groups use the RID for the GID/UID.' is incorrect.
> Not only is it incorrect, but it is the opposite of what we would wish
> to achieve, especially with the low uids and gids which would ensue.
>
> Many of us here have wasted enough of our time reading threads on
> mailing lists which are incorrect.
>
> Thank you for the qualification.
>
>> Rowland
>>
When you put it that way, then yes it was wrong. 'The builtin users/groups use the RID for their GID/UID.' would have been better, that is, if you can spot the difference :-D

Rowland
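As an added illustration (not code from the thread or from Samba), the Python below resolves the numeric IDs in a sysvol getfacl listing back to the SIDs that own them via an LDIF dump of idmap.ldb, showing that 3000000 is an allocated xidNumber for S-1-5-32-544 and not its RID 544. Both input strings are constructed: the S-1-5-32-544 record is the one quoted above, while the S-1-5-32-545 record, its xidNumber 3000001 and the ID_TYPE check on group entries are assumptions.

```python
import re
# Constructed LDIF dump of idmap.ldb (the form ldbsearch prints). The S-1-5-32-544 record is
# the one quoted in the thread, minus cn/distinguishedName; the Users record is assumed.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

# Constructed: a shortened copy of the 'getfacl /var/lib/samba/sysvol/' output in the thread.
GETFACL_OUTPUT = """\
# file: var/lib/samba/sysvol/
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
default:group:3000000:rwx
"""

def parse_idmap(ldif):
    """Return {xidNumber: (objectSid, type)} from an LDIF dump of idmap.ldb."""
    mapping = {}
    for record in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if attrs.get("objectClass") == "sidMap":
            mapping[int(attrs["xidNumber"])] = (attrs["objectSid"], attrs["type"])
    return mapping

def rid_of(sid):
    # The RID is the last sub-authority: 544 for S-1-5-32-544, nothing like 3000000.
    return int(sid.rsplit("-", 1)[1])

def resolve_acl(getfacl_text, idmap):
    """Map each numeric user:/group: ACL entry to the SID owning that xidNumber (or None)."""
    result = {}
    for m in re.finditer(r"^(?:default:)?(user|group):(\d+):.*$", getfacl_text, re.M):
        kind, xid = m.group(1), int(m.group(2))
        sid, idtype = idmap.get(xid, (None, None))
        # An xid may only stand in for a GID if idmap.ldb typed it ID_TYPE_GID or ID_TYPE_BOTH.
        wanted = {"ID_TYPE_BOTH", "ID_TYPE_UID" if kind == "user" else "ID_TYPE_GID"}
        result[m.group(0)] = sid if idtype in wanted else None
    return result
```

Feeding it a real ldbsearch dump and getfacl listing from a DC and from a member server shows the same SID landing on different xidNumbers, which is the "vary depending on where you are in a domain" point made later in the thread.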
On 01/12/14 19:30, Rowland Penny wrote:
> When you put it that way, then yes it was wrong. 'The builtin
> users/groups use the RID for their GID/UID.' would have been better,
> that is, if you can spot the difference :-D
>
> Rowland
>
Even worse. 'On a DC, the builtin users/groups use a GID/UID which is unrelated to their RID' is less misleading.
It is unfortunate that they vary depending on where you are in a domain.
Rowland Penny
2014-Dec-01 19:20 UTC
[Samba] uidNumber. ( Was: What is --rfc2307-from-nss ??)
On 01/12/14 19:16, steve wrote:
> Even worse. 'On a DC, the builtin users/groups use a GID/UID which is
> unrelated to their RID' is less misleading. It is unfortunate that
> they vary depending on where you are in a domain.
Oh please, don't confuse Greg even more than he is now :-D

Rowland