On Mon, 20 Feb 2017 12:40:00 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> Well it would, Domain Users seems to have the gidNumber '513' and this
> is lower than your lower domain setting '4000'

I am beginning to wonder if upgrading an NT4-style PDC to a DC is a good idea.

Linux starts its normal user base at '1000' (and yes, Red Hat used to start at 500) and it has been like this for a long time. Samba allowed Domain user & group RIDs to be used for u/gidNumbers; this was a stupid idea in my opinion.

'Domain Users' is 513
'Domain Admins' is 512

So we now have the problem that a user is trying to set up an 'idmap config' line in smb.conf on a domain member; he is going to have to use something like this:

idmap config DOMAIN : range = 500-999999

Which means that he cannot have any local Unix users at all, so what happens if something goes wrong with Samba on that domain member and root login is disabled except at the console and the console isn't easily accessible?

Should we be recommending setting up a new domain instead of upgrading the old PDC, or changing any low u/gidNumbers? Or what?

Rowland
On Mon, 2017-02-20 at 13:30 +0000, Rowland Penny via samba wrote:

> On Mon, 20 Feb 2017 12:40:00 +0000
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > Well it would, Domain Users seems to have the gidNumber '513' and
> > this is lower than your lower domain setting '4000'
>
> I am beginning to wonder if upgrading an NT4-style PDC to a DC is a
> good idea.
>
> Linux starts its normal user base at '1000' (and yes, Red Hat used to
> start at 500) and it has been like this for a long time. Samba allowed
> Domain user & group RIDs to be used for u/gidNumbers; this was a stupid
> idea in my opinion.
>
> 'Domain Users' is 513
> 'Domain Admins' is 512
>
> So we now have the problem that a user is trying to set up an 'idmap
> config' line in smb.conf on a domain member; he is going to have to
> use something like this:
>
> idmap config DOMAIN : range = 500-999999
>
> Which means that he cannot have any local Unix users at all, so what
> happens if something goes wrong with Samba on that domain member and
> root login is disabled except at the console and the console isn't
> easily accessible?
>
> Should we be recommending setting up a new domain instead of upgrading
> the old PDC, or changing any low u/gidNumbers? Or what?

RID values are not converted directly to UID or GID values in the way you suppose.

I think there is some confusion between the uidNumber / gidNumber and the user's RID (in objectSID) / primaryGroupID here.

Andrew Bartlett
On Thu, 23 Feb 2017 12:13:34 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> RID values are not converted directly to UID or GID values in the way
> you suppose.

I don't suppose that at all.

> I think there is some confusion between the uidNumber / gidNumber and
> the user's RID (in objectSID) / primaryGroupID here.

No, I think you are getting confused. What I was referring to was that in the past, on a PDC, users were using the RID from Domain Users as its gidNumber and the user's RID as their uidNumber. This is now leading to having to use a line such as:

idmap config DOMAIN : range = 500-999999

My personal opinion: this is a BAD idea.

Rowland
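The practical check behind this thread is whether the uidNumber/gidNumber values stored in AD (for example a 'Domain Users' that inherited gidNumber 513 from its RID) fall inside the 'idmap config DOMAIN : range' configured on a member server, and whether widening that range to 500-999999 swallows the member's local Unix accounts. The script below is an added example, not code from the thread or from the Samba project: it parses a constructed smb.conf fragment, a constructed LDIF dump in the shape ldbsearch prints (the domain name EXAMPLE, the account names, and the DNs are all invented), and a constructed /etc/passwd fragment, then reports out-of-range IDs, collisions with local users, and which local accounts a proposed range would cover. On a real member you would feed it the output of `ldbsearch`/`ldapsearch` and the real /etc/passwd instead of the embedded strings.

```python
"""Audit AD uidNumber/gidNumber values against a member server's idmap range.

All inputs below are constructed samples (not taken from the mailing-list thread).
"""
import re
from collections import namedtuple

# Constructed smb.conf fragment for a domain member using the 'ad' idmap backend.
SMB_CONF = """
[global]
   security = ADS
   workgroup = EXAMPLE
   idmap config * : backend = tdb
   idmap config * : range = 3000-3999
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 4000-999999
"""

# Constructed LDIF in the shape ldbsearch prints. Domain Users / Domain Admins
# carry their RIDs (513 / 512) as gidNumber, as the thread describes.
LDIF = """
dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 513

dn: CN=Domain Admins,CN=Users,DC=example,DC=com
sAMAccountName: Domain Admins
gidNumber: 512

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 1000
gidNumber: 513

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 10001
gidNumber: 513
"""

# Constructed /etc/passwd fragment from the member server.
PASSWD = """root:x:0:0:root:/root:/bin/bash
sshd:x:74:74::/var/empty/sshd:/sbin/nologin
localadmin:x:1000:1000::/home/localadmin:/bin/bash
"""

Finding = namedtuple("Finding", "kind account attr value detail")


def parse_idmap_ranges(conf):
    """Return {DOMAIN: (low, high)} from 'idmap config X : range = a-b' lines."""
    pat = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)
    ranges = {}
    for line in conf.splitlines():
        m = pat.match(line)
        if m:
            ranges[m.group(1).upper()] = (int(m.group(2)), int(m.group(3)))
    return ranges


def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated entry (no continuation lines)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def parse_passwd(text):
    """Return {uid: username} for an /etc/passwd fragment."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            users[int(fields[2])] = fields[0]
    return users


def audit(conf, ldif, passwd, domain):
    """Flag AD IDs outside the domain's idmap range and uidNumbers colliding with local users."""
    low, high = parse_idmap_ranges(conf)[domain.upper()]
    local = parse_passwd(passwd)
    findings = []
    for entry in parse_ldif(ldif):
        name = entry.get("sAMAccountName", entry.get("dn", "?"))
        for attr in ("uidNumber", "gidNumber"):
            if attr not in entry:
                continue
            val = int(entry[attr])
            if not low <= val <= high:
                findings.append(Finding("out_of_range", name, attr, val, f"{domain} range is {low}-{high}"))
            if attr == "uidNumber" and val in local:
                findings.append(Finding("local_collision", name, attr, val, f"local user {local[val]}"))
    return findings


def local_accounts_inside_range(passwd, low, high):
    """Local accounts whose UID a proposed idmap range would claim for the domain."""
    return sorted(name for uid, name in parse_passwd(passwd).items() if low <= uid <= high)


if __name__ == "__main__":
    for f in audit(SMB_CONF, LDIF, PASSWD, "EXAMPLE"):
        print(f"{f.kind:16} {f.account:14} {f.attr}={f.value} ({f.detail})")
    print("local accounts inside 500-999999:", local_accounts_inside_range(PASSWD, 500, 999999))
```

With the 4000-999999 range the two built-in groups and alice are reported as out of range (they would not resolve on the member), and alice's uidNumber 1000 is additionally reported as a collision with the local 'localadmin' account; widening the range to 500-999999 makes the groups resolve but, as the last line shows, puts that local account inside the domain's range, which is exactly the trade-off the thread objects to.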