On 03/11/2020 13:05, O'Connor, Daniel wrote:
>
>> On 3 Nov 2020, at 23:21, Rowland penny via samba <samba at lists.samba.org> wrote:
>> On 03/11/2020 12:17, O'Connor, Daniel wrote:
>>> I tried setting uidNumber et al via the active directory editor and samba-ldbedit, however the mapping doesn't seem to change so I am wondering if it ends up stored somewhere else in the AD case.
>> Did you give 'Domain Users' a gidNumber ? without this, the uidNumber attributes are ignored.
> No, although I just tried it now but it doesn't appear to make a difference.
>
> I set it via ADUC and checked via samba-ldbedit .. secrets.ldb
>

If your users have a unique uidNumber attribute and Domain Users has a gidNumber attribute, it should work on a DC, provided that you also have 'idmap_ldb:use rfc2307 = yes' in smb.conf, I keep forgetting that one ?

Rowland

> On 4 Nov 2020, at 00:17, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 03/11/2020 13:05, O'Connor, Daniel wrote:
>>
>>> On 3 Nov 2020, at 23:21, Rowland penny via samba <samba at lists.samba.org> wrote:
>>> On 03/11/2020 12:17, O'Connor, Daniel wrote:
>>>> I tried setting uidNumber et al via the active directory editor and samba-ldbedit, however the mapping doesn't seem to change so I am wondering if it ends up stored somewhere else in the AD case.
>>> Did you give 'Domain Users' a gidNumber ? without this, the uidNumber attributes are ignored.
>> No, although I just tried it now but it doesn't appear to make a difference.
>>
>> I set it via ADUC and checked via samba-ldbedit .. secrets.ldb
>>
> If your users have a unique uidNumber attribute and Domain Users has a gidNumber attribute, it should work on a DC, provided that you also have 'idmap_ldb:use rfc2307 = yes' in smb.conf, I keep forgetting that one ?

Hmm, you say 'uidNumber' but I have xidNumber:

# editing 1 records
# record 1
dn: CN=S-1-5-21-1638907138-195301586-368347949-3088
cn: S-1-5-21-1638907138-195301586-368347949-3088
objectClass: sidMap
objectSid: S-1-5-21-1638907138-195301586-368347949-3088
type: ID_TYPE_BOTH
xidNumber: 1044
distinguishedName: CN=S-1-5-21-1638907138-195301586-368347949-3088

--
Daniel O'Connor
"The nice thing about standards is that there are so many of them to choose from."
 -- Andrew Tanenbaum

On 04/11/2020 00:14, O'Connor, Daniel wrote:
> Hmm, you say 'uidNumber' but I have xidNumber:
> # editing 1 records
> # record 1
> dn: CN=S-1-5-21-1638907138-195301586-368347949-3088
> cn: S-1-5-21-1638907138-195301586-368347949-3088
> objectClass: sidMap
> objectSid: S-1-5-21-1638907138-195301586-368347949-3088
> type: ID_TYPE_BOTH
> xidNumber: 1044
> distinguishedName: CN=S-1-5-21-1638907138-195301586-368347949-3088

You are looking in the wrong database ? 'xidNumber' attributes are only used on an AD DC and found in idmap.ldb, you should be looking in sam.ldb.

If you want your users to have the same ID everywhere, you must add a unique uidNumber attribute to each user that you want to be visible on Unix, you must also give the Domain Users group a gidNumber attribute. These will override the 'xidNumber' attributes on the DC and you must use the winbind 'ad' backend on Unix domain members.

Rowland
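
The conditions listed in the replies above can be checked mechanically. This is an added example, not part of the thread or of Samba: it takes LDIF in the style of an ldbsearch against sam.ldb (attributes sAMAccountName, uidNumber, gidNumber) plus the text of smb.conf, and reports which condition is unmet. The function names and the sample data are constructed for illustration.

```python
import re
from collections import Counter

def parse_ldif(text):
    """Parse ldbsearch-style LDIF into a list of {attribute: value} dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(l.split(": ", 1) for l in block.splitlines()
                   if ": " in l and not l.startswith("#"))
        if rec:
            records.append(rec)
    return records

def check_rfc2307(ldif_text, smb_conf_text):
    """List the conditions from the thread that are not met on the DC."""
    problems = []
    # Samba booleans also accept true/on/1 in place of yes.
    if not re.search(r"^\s*idmap_ldb\s*:\s*use\s*rfc2307\s*=\s*(yes|true|on|1)\s*$",
                     smb_conf_text, re.I | re.M):
        problems.append("smb.conf: 'idmap_ldb:use rfc2307 = yes' not set")
    records = parse_ldif(ldif_text)
    users = [r for r in records if r.get("sAMAccountName") != "Domain Users"]
    group = [r for r in records if r.get("sAMAccountName") == "Domain Users"]
    if not any("gidNumber" in g for g in group):
        problems.append("Domain Users has no gidNumber")
    for u in users:
        if "uidNumber" not in u:
            problems.append(f"{u.get('sAMAccountName')}: no uidNumber, "
                            "xidNumber mapping stays in use")
    counts = Counter(u["uidNumber"] for u in users if "uidNumber" in u)
    for uid, n in sorted(counts.items()):
        if n > 1:
            problems.append(f"uidNumber {uid} is shared by {n} users")
    return problems

# Constructed sample data, not output from the poster's domain.
SAMPLE_LDIF = """\
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 10001

# record 3
dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
"""
SAMPLE_CONF = "[global]\n    server role = active directory domain controller\n"
```

An empty list from `check_rfc2307` means all three conditions from the thread hold for the records supplied.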