On 04/11/2020 00:14, O'Connor, Daniel wrote:
> Hmm, you say 'uidNumber' but I have xidNumber:
> # editing 1 records
> # record 1
> dn: CN=S-1-5-21-1638907138-195301586-368347949-3088
> cn: S-1-5-21-1638907138-195301586-368347949-3088
> objectClass: sidMap
> objectSid: S-1-5-21-1638907138-195301586-368347949-3088
> type: ID_TYPE_BOTH
> xidNumber: 1044
> distinguishedName: CN=S-1-5-21-1638907138-195301586-368347949-3088

You are looking in the wrong database?

'xidNumber' attributes are only used on an AD DC and found in idmap.ldb, you should be looking in sam.ldb

If you want your users to have the same ID everywhere, you must add a unique uidNumber attribute to each user that you want to be visible on Unix, you must also give the Domain Users group a gidNumber attribute. These will override the 'xidNumber' attributes on the DC and you must use the winbind 'ad' backend on Unix domain members.

Rowland
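
The requirement in the reply above (a unique uidNumber on every Unix-visible user and a gidNumber on Domain Users, both stored in sam.ldb) can be checked mechanically. This is an added example, not part of the original thread and not Samba code; it assumes the sam.ldb records are available as LDIF text, and the sample records, the function names `parse_ldif` and `audit`, and the match on sAMAccountName "Domain Users" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like LDIF search output from sam.ldb (not real data).
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol
uidNumber: 10001

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "")):  # unfold, split
        rec = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#") and ":" in line:
                attr, _, value = line.partition(":")
                rec[attr].append(value.strip())
        if rec:
            records.append(dict(rec))
    return records

def audit(records):
    """Report users lacking uidNumber, uidNumbers shared between users,
    and whether Domain Users has a gidNumber (assumed sAMAccountName match)."""
    by_uid, missing, group_gid = defaultdict(list), [], False
    for r in records:
        name, classes = r.get("sAMAccountName", ["?"])[0], r.get("objectClass", [])
        if "user" in classes and "computer" not in classes:
            (by_uid[r["uidNumber"][0]] if "uidNumber" in r else missing).append(name)
        elif "group" in classes and name == "Domain Users":
            group_gid = "gidNumber" in r
    dups = {uid: names for uid, names in by_uid.items() if len(names) > 1}
    return {"missing_uid": missing, "duplicate_uid": dups,
            "domain_users_has_gid": group_gid}
```

Users listed under `missing_uid` are only a problem if they are meant to be visible on Unix; a shared uidNumber means two accounts would own the same files on domain members.
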
> On 4 Nov 2020, at 20:19, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 04/11/2020 00:14, O'Connor, Daniel wrote:
>> Hmm, you say 'uidNumber' but I have xidNumber:
>> # editing 1 records
>> # record 1
>> dn: CN=S-1-5-21-1638907138-195301586-368347949-3088
>> cn: S-1-5-21-1638907138-195301586-368347949-3088
>> objectClass: sidMap
>> objectSid: S-1-5-21-1638907138-195301586-368347949-3088
>> type: ID_TYPE_BOTH
>> xidNumber: 1044
>> distinguishedName: CN=S-1-5-21-1638907138-195301586-368347949-3088
>
> You are looking in the wrong database?
>
> 'xidNumber' attributes are only used on an AD DC and found in idmap.ldb, you should be looking in sam.ldb

This is an AD DC though (it is also the file server)

> If you want your users to have the same ID everywhere, you must add a unique uidNumber attribute to each user that you want to be visible on Unix, you must also give the Domain Users group a gidNumber attribute. These will override the 'xidNumber' attributes on the DC and you must use the winbind 'ad' backend on Unix domain members.

This is only a very small office so I'm trying to avoid having a second install just for the AD DC.

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
On 2020-11-04 23:14, O'Connor, Daniel via samba wrote:
>
>> On 4 Nov 2020, at 20:19, Rowland penny via samba <samba at lists.samba.org> wrote:
>>
>> On 04/11/2020 00:14, O'Connor, Daniel wrote:
>>> Hmm, you say 'uidNumber' but I have xidNumber:
>>> # editing 1 records
>>> # record 1
>>> dn: CN=S-1-5-21-1638907138-195301586-368347949-3088
>>> cn: S-1-5-21-1638907138-195301586-368347949-3088
>>> objectClass: sidMap
>>> objectSid: S-1-5-21-1638907138-195301586-368347949-3088
>>> type: ID_TYPE_BOTH
>>> xidNumber: 1044
>>> distinguishedName: CN=S-1-5-21-1638907138-195301586-368347949-3088
>> You are looking in the wrong database?
>>
>> 'xidNumber' attributes are only used on an AD DC and found in idmap.ldb, you should be looking in sam.ldb
> This is an AD DC though (it is also the file server)
>
>> If you want your users to have the same ID everywhere, you must add a unique uidNumber attribute to each user that you want to be visible on Unix, you must also give the Domain Users group a gidNumber attribute. These will override the 'xidNumber' attributes on the DC and you must use the winbind 'ad' backend on Unix domain members.
> This is only a very small office so I'm trying to avoid having a second install just for the AD DC.
>
> --
> Daniel O'Connor
> "The nice thing about standards is that there
> are so many of them to choose from."
> -- Andrew Tanenbaum
>

Hi Daniel,

May I suggest that you set up a virtual machine somewhere in the network with just the AD DC and FSMO roles? A 20GB VM with Debian 10 is more than sufficient. Also, the operating requirements are really tiny. I have set up a couple of small domains like that, using RSAT for administration (shares, GPOs). Works like a charm.

Both the domains are similar, a bunch of Windows 10 Pro workstations, and a common Samba file server (domain member).

Best regards,
Peter