samba - Jan 2015 - Is there any problem that can arise from remapping gidNumber?

On 01/13/2015 10:41 AM, Rowland Penny wrote:
> On 13/01/15 15:11, John Lewis wrote:
>> On 01/13/2015 09:23 AM, Rowland Penny wrote:
>>> On 13/01/15 14:06, John Lewis wrote:
>>>> On 01/13/2015 06:35 AM, Rowland Penny wrote:
>>>>> On 13/01/15 11:33, John Lewis wrote:
>>>>>> This morning I remapped gidNumber from primaryGroupID
to gidNumber. I
>>>>>> did that because I could not change the integer in
primaryGroupID wit
>>>>>> ldbedt as root.
>>>>>>
>>>>>> I mapped to to a new attribute called gidNumber which
has no specific
>>>>>> meaning in samba. Is there any potential problems that
can arise from
>>>>>> doing that. Is there a better way to fix that problem?
>>>>>>
>>>>> Hmm, definitely going to need more info here, gidNumber has
a specific
>>>>> meaning to samba, depending on how you set up samba.
>>>>>     Rowland
>>>>>
>>>> I took the defaults except for rfc2307 which I enabled. I am
running
>>>> Samba Version 4.1.11-Debian.
>>> Yes, but what as ?? an AD DC or in classic mode i.e. just like
samba3
>>> Might be best if you post your smb.conf (sanitised )
>>>
>>> Rowland
>> I attached it to this email.
>>
>>
> 
> OK, so you are running samba4 as an AD DC, gidNumber definitely means
> something and if you want to change a users primarygroup, you need to do
> something like this:
> 
> First give the group that you want to be the new primarygroup a
> gidNumber (told you it means something)
> next, make sure the user is  a member of this group, if not, add user to
> group
> get the groups RID
> change the users primaryGroupID attribute to the groups RID
> AD will do the rest
> 
> Rowland
> 
What attribute is the group's RID?

On 01/13/2015 11:10 AM, John Lewis wrote:
> On 01/13/2015 10:41 AM, Rowland Penny wrote:
>> On 13/01/15 15:11, John Lewis wrote:
>>> On 01/13/2015 09:23 AM, Rowland Penny wrote:
>>>> On 13/01/15 14:06, John Lewis wrote:
>>>>> On 01/13/2015 06:35 AM, Rowland Penny wrote:
>>>>>> On 13/01/15 11:33, John Lewis wrote:
>>>>>>> This morning I remapped gidNumber from
primaryGroupID to gidNumber. I
>>>>>>> did that because I could not change the integer in
primaryGroupID wit
>>>>>>> ldbedt as root.
>>>>>>>
>>>>>>> I mapped to to a new attribute called gidNumber
which has no specific
>>>>>>> meaning in samba. Is there any potential problems
that can arise from
>>>>>>> doing that. Is there a better way to fix that
problem?
>>>>>>>
>>>>>> Hmm, definitely going to need more info here, gidNumber
has a specific
>>>>>> meaning to samba, depending on how you set up samba.
>>>>>>     Rowland
>>>>>>
>>>>> I took the defaults except for rfc2307 which I enabled. I
am running
>>>>> Samba Version 4.1.11-Debian.
>>>> Yes, but what as ?? an AD DC or in classic mode i.e. just like
samba3
>>>> Might be best if you post your smb.conf (sanitised )
>>>>
>>>> Rowland
>>> I attached it to this email.
>>>
>>>
>>
>> OK, so you are running samba4 as an AD DC, gidNumber definitely means
>> something and if you want to change a users primarygroup, you need to
do
>> something like this:
>>
>> First give the group that you want to be the new primarygroup a
>> gidNumber (told you it means something)
>> next, make sure the user is  a member of this group, if not, add user
to
>> group
>> get the groups RID
>> change the users primaryGroupID attribute to the groups RID
>> AD will do the rest
>>
>> Rowland
>>
> 
> What attribute is the group's RID?
> 
> 
I figured out that the RID was the last few numbers on the end of the
objectSid.

How do I change the object Rid so I can change the GID of the group?

On 13/01/15 16:25, John Lewis wrote:
> On 01/13/2015 11:10 AM, John Lewis wrote:
>> On 01/13/2015 10:41 AM, Rowland Penny wrote:
>>> On 13/01/15 15:11, John Lewis wrote:
>>>> On 01/13/2015 09:23 AM, Rowland Penny wrote:
>>>>> On 13/01/15 14:06, John Lewis wrote:
>>>>>> On 01/13/2015 06:35 AM, Rowland Penny wrote:
>>>>>>> On 13/01/15 11:33, John Lewis wrote:
>>>>>>>> This morning I remapped gidNumber from
primaryGroupID to gidNumber. I
>>>>>>>> did that because I could not change the integer
in primaryGroupID wit
>>>>>>>> ldbedt as root.
>>>>>>>>
>>>>>>>> I mapped to to a new attribute called gidNumber
which has no specific
>>>>>>>> meaning in samba. Is there any potential
problems that can arise from
>>>>>>>> doing that. Is there a better way to fix that
problem?
>>>>>>>>
>>>>>>> Hmm, definitely going to need more info here,
gidNumber has a specific
>>>>>>> meaning to samba, depending on how you set up
samba.
>>>>>>>      Rowland
>>>>>>>
>>>>>> I took the defaults except for rfc2307 which I enabled.
I am running
>>>>>> Samba Version 4.1.11-Debian.
>>>>> Yes, but what as ?? an AD DC or in classic mode i.e. just
like samba3
>>>>> Might be best if you post your smb.conf (sanitised )
>>>>>
>>>>> Rowland
>>>> I attached it to this email.
>>>>
>>>>
>>> OK, so you are running samba4 as an AD DC, gidNumber definitely
means
>>> something and if you want to change a users primarygroup, you need
to do
>>> something like this:
>>>
>>> First give the group that you want to be the new primarygroup a
>>> gidNumber (told you it means something)
>>> next, make sure the user is  a member of this group, if not, add
user to
>>> group
>>> get the groups RID
>>> change the users primaryGroupID attribute to the groups RID
>>> AD will do the rest
>>>
>>> Rowland
>>>
>> What attribute is the group's RID?
>>
>>
> I figured out that the RID was the last few numbers on the end of the
> objectSid.
>
> How do I change the object Rid so I can change the GID of the group?
You don't change the RID

Every object in AD has an objectSid attribute, this consists of the the 
domain SID (this is unique to the domain) with the users/groups unique 
RID on the end.
As standard, every users primaryGroupID is set to 513, this is the RID 
for Domain Users, so every users primary group is Domain users, even 
though they do not show as being a member in AD. If you want to change a 
users primary group, you need to add the user to a group, get the 
objectSid of this group and then change the contents of the 
primaryGroupID attribute to this RID.

Having said all that, I think that you may be talking about AD from the 
Linux point of view, if so then that is a different thing all together.

Rowland