samba - Dec 2014 - uidNumber. ( Was: What is --rfc2307-from-nss ??)

On Mon, Dec 1, 2014 at 11:39 AM, Rowland Penny <rowlandpenny at
googlemail.com>
wrote:
>  I understand where you are coming from, I have written my own scripts to
> maintain an S4 AD DC but as you say the documentation is a bit limited, so
> I had to search and experiment to find out how to do things. The
> documentation is getting better, but it will take time, if you have any
> suggestions where it could be improved, please post them.
>
For starters, what is the xidNumber and how does it relate to uidNumber?

Greg

On 02/12/14 04:31, Greg Zartman wrote:
> On Mon, Dec 1, 2014 at 11:39 AM, Rowland Penny 
> <rowlandpenny at googlemail.com <mailto:rowlandpenny at
googlemail.com>> wrote:
>
>     I understand where you are coming from, I have written my own
>     scripts to maintain an S4 AD DC but as you say the documentation
>     is a bit limited, so I had to search and experiment to find out
>     how to do things. The documentation is getting better, but it will
>     take time, if you have any suggestions where it could be improved,
>     please post them.
>
>
> For starters, what is the xidNumber and how does it relate to uidNumber?
>
> Greg
>
>
xidNumbers only exist in idmap.ldb on the AD DC, on Debian this is in 
/var/lib/samba/private, on your self compiled S4, it is probably in 
/usr/local/samba/private.

you can see what is in the .ldb file with:

ldbedit -e nano -H /var/lib/samba/private/idmap.ldb

This is a sample record you will find there:

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

The records are created by samba to map users/groups to numbers that 
Unix can understand, these numbers are the ones that you will see if you 
run getent & getfacl etc on the AD DC i.e. ls -la /var/lib/samba/sysvol

total 20
drwxrwx---+ 3 root 3000000 4096 Aug 12 10:40 .
drwxr-xr-x  8 root root    4096 Nov 12 13:37 ..
drwxrwx---+ 4 root 3000000 4096 Aug 12 10:41 example.com

On a windows machine, these numbers are seen as RID's and SID's, but on 
a member server, they get mapped to different numbers.

There is only a connection between xidNumbers and uidNumbers on the AD 
DC and unless you copy idmap.ldb from the first DC to any others, 
different xidNumbers are used for the builtin users.

Hope this helps

Rowland

On Tue, Dec 2, 2014 at 12:25 AM, Rowland Penny <rowlandpenny at
googlemail.com>
wrote:
>  Hope this helps
>
Yes, that is very helpful.  Thanks,
-- 
Greg J. Zartman
Board Member

Koozali Foundation, Inc.
2755 19th Street SE
Salem, Oregon 97302
Cell:  541-5218449

SME Server user and community member since 2000