samba - Mar 2019 - uidNumber=RID allowed or not recommended?

Hi,

the samba documentation concerning the migration of a Samba NT4 domain
to AD
(https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade))
mentions in section "Important Notes":

It used to be thought that using Windows RIDs for Unix IDs was
acceptable, time has proven otherwise.

But unfortunately no reasoning is given. I am wondering why this is not
recommended.

We are currently planning such a migration. Unfortunately we have to set
the uidNumber=RID for all users. Currently around half the users have
this setting based on LDAP. This is required so that a third party
application will work after the migration. This third party application
is samba aware but when using Samba NT4 style domains the application
uses the uidnumber for internal identification and when using AD style
domains the RID is used. The migration will therefore screw the internal
identification of the users when migrating.
We did not encounter any problems with those users currently using
uidNumber=RID and would like to modify the other users as well.
I am aware of the fact, that we need to adapt the local privileges on
the Samba fileservers as well.

Any hints or ideas are welcome.

Kind regards,
Ralf

On Fri, 1 Mar 2019 13:05:35 +0100
"Ralf Spenneberg \(Samba\) via samba" <samba at lists.samba.org>
wrote:
> Hi,
> 
> the samba documentation concerning the migration of a Samba NT4 domain
> to AD
>
(https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade))
> mentions in section "Important Notes":
> 
> It used to be thought that using Windows RIDs for Unix IDs was
> acceptable, time has proven otherwise.
> 
> But unfortunately no reasoning is given. I am wondering why this is
> not recommended.
OK, in the past it used to be standard practise to use the RID as the
uidNumber or gidNumber, normal user or group RID's start at '1000',
but
the Well known SID's start at '500'. One of the Well Known SID's
is
'S-1-5-21-domain-513', this is Domain Users and is the users primary
group. For a user to be known to Unix, the user must have a uidNumber
and their primary group must have a gidNumber, also these *idNumbers
must contain a number that is inside the range set in the 'idmap
config' line in smb.conf. So if you use the RID's for the *idNumbers,
you will need a line like this:

idmap config DOMAIN : range = 500-100000

Which leads to a problem, any normal Unix users will be ignored, you
will have to put the default domain above the 'DOMAIN' domain and if
you set the 'DOMAIN' upper range too low, what happens if you reach this
limit and cannot raise it because it would overlap the default domain ?
> 
> We are currently planning such a migration. Unfortunately we have to
> set the uidNumber=RID for all users. Currently around half the users
> have this setting based on LDAP. This is required so that a third
> party application will work after the migration. This third party
> application is samba aware but when using Samba NT4 style domains the
> application uses the uidnumber for internal identification and when
> using AD style domains the RID is used. The migration will therefore
> screw the internal identification of the users when migrating.
> We did not encounter any problems with those users currently using
> uidNumber=RID and would like to modify the other users as well.
> I am aware of the fact, that we need to adapt the local privileges on
> the Samba fileservers as well.
> 
Looks like you are dammed if you do and dammed if you don't.

Is there anyway to update the ID's on NT4-style domains ? probably not,
but if you could it would be a good idea.

It might help if you read this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Rowland
> Any hints or ideas are welcome.
> 
> Kind regards,
> Ralf
>