I agree with the mangling assessment.

1. I will ask about the xid, for information only
2. I like Synology's UI. If I could strip that out and put it on some flavor of Linux, I would. There was a decent cockpit ui samba plugin, but it's not working at the moment, and zentyal won't join the domain and they aren't responsive to bugs. Maybe since I'm quasi retired now, I'll start my own UI project.
3. Are these ids only used for sysvol? We only have 3 gpos and no roaming, so I could just recreate those by hand.

Peter

On October 7, 2022 9:10:04 AM PDT, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>On 07/10/2022 14:45, Peter Carlson via samba wrote:
>> Here is that entry: it in fact has an invalid xidNumber.
>>
>> # record 69
>> dn: CN=S-1-5-32-544
>> cn: S-1-5-32-544
>> objectClass: sidMap
>> objectSid: S-1-5-32-544
>> type: ID_TYPE_GID
>> xidNumber: 3208642592
>> distinguishedName: CN=S-1-5-32-544
>>
>> The other entries appear to be ok. Would it help for me to send the whole file?
>>
>> # record 70
>> dn: CN=S-1-5-21-185628584-2620904409-2800336372-1115
>> cn: S-1-5-21-185628584-2620904409-2800336372-1115
>> objectClass: sidMap
>> objectSid: S-1-5-21-185628584-2620904409-2800336372-1115
>> type: ID_TYPE_UID
>> xidNumber: 3030385755
>> distinguishedName: CN=S-1-5-21-185628584-2620904409-2800336372-1115
>>
>> Why might this one entry be off? In fact looking into all of the entries, all of my xids are in the 10 digit range and not 7 digit range 3#########
>>
>
>This is probably down to one word 'Synology'. They take the Samba code and 'improve' it (I call it mangling), this is probably one of their 'improvements'.
>
>Do you have a contract with Synology ? If you do, you could ask them why you are getting xidNumbers in the '3000000000' range instead of the expected Samba '3000000' range ? You could also ask them how you join Samba as another AD DC to their version of AD DC.
>
>The other thing you could try, do not use the idmap.ldb from the synology device, use the one that the join created, the one that you backed up.
>
>Rowland

On 07/10/2022 17:33, Peter Carlson via samba wrote:
> I agree with the mangling assessment.
>
> 1. I will ask about the xid, for information only
> 2. I like Synology's UI. If I could strip that out and put it on some flavor of Linux, I would. There was a decent cockpit ui samba plugin, but it's not working at the moment, and zentyal won't join the domain and they aren't responsive to bugs. Maybe since I'm quasi retired now, I'll start my own UI project.
> 3. Are these ids only used for sysvol? We only have 3 gpos and no roaming, so I could just recreate those by hand.
>

'xidNumber' attributes are only used on a Samba DC and are stored in idmap.ldb

If 'idmap_ldb:use rfc2307 = yes' is set in a DC's smb.conf, the 'xidNumber' attributes can and will be overridden by any 'uidNumber' & 'gidNumber' attributes set in AD.

There is a problem with this, the 'xidNumber' attributes are a bit special, they can be set as 'ID_TYPE_UID', 'ID_TYPE_GID' or 'ID_TYPE_BOTH', the last one is the special one as it makes a group be a user as well as a group.

Why does a group have to be a user ? Well, Windows has the concept of groups owning things (something that Linux doesn't) and at least one group (Domain Admins) needs to own things in Sysvol, if you give the Well Known SID groups a gidNumber attribute, they just become groups to Linux and cannot own anything.

The cockpit Samba DC module was produced as a Google summer of code under the Samba banner, any idea why it no longer works ?

Rowland
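
Added example, not part of the thread and not Samba's own code: a Python check over ldbsearch output from idmap.ldb that flags the two conditions discussed above, xidNumber values outside the expected range and BUILTIN SIDs not typed ID_TYPE_BOTH. The 3000000-4000000 bounds and the function names are assumptions; the first sample record is the one quoted in the thread and the second is constructed.

```python
import re

# Assumed allocation range for a Samba AD DC's idmap.ldb; replace with the
# lowerBound/upperBound values held in your own idmap.ldb.
LOWER, UPPER = 3_000_000, 4_000_000

# Record 1 is the entry quoted in the thread; record 2 is constructed.
SAMPLE = """\
# record 1
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 3208642592
distinguishedName: CN=S-1-5-32-544

# record 2
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000008
"""

def parse_records(text):
    """Split ldbsearch output into one dict per complete sidMap record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # skip "# record N" comments and malformed lines
            key, value = line.split(": ", 1)
            rec[key] = value.strip()
        if rec.get("objectClass") == "sidMap" and {"objectSid", "xidNumber"} <= rec.keys():
            records.append(rec)
    return records

def audit(text, lower=LOWER, upper=UPPER):
    """Return (sid, problem) pairs for mappings that need review."""
    findings = []
    for rec in parse_records(text):
        sid, xid = rec["objectSid"], int(rec["xidNumber"])
        if not lower <= xid <= upper:
            findings.append((sid, f"xidNumber {xid} outside {lower}-{upper}"))
        # BUILTIN groups mapped as plain groups cannot own files on Linux.
        if sid.startswith("S-1-5-32-") and rec.get("type") != "ID_TYPE_BOTH":
            findings.append((sid, f"BUILTIN SID mapped as {rec.get('type')}"))
    return findings
```

Call `audit()` on the text that ldbsearch prints for idmap.ldb and compare the findings between the Synology copy and the copy created by the join.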