Convert Unix GID into Samba SID

Convert Unix GID into Samba SID

Samba - General mailing list
Hi,

It is time I migrate from Samba 3.6 to Samba 4.

But the classicupdate fails because there is no group defined for my
LDAP users. Well, users have a group, but it is a Unix only group. I
never bothered to do any group mapping between Unix and Samba 3, I never
needed it.

I found out, a long long time ago that the relationship between UID and
SID is SID=2*UID+1000.

I am not sure of what I should do now.

Add an SID in my groups in LDAP? If so, how to calculate the SID?

Do some mapping?

Thanks for the help in advance,

Olivier
--

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Convert Unix GID into Samba SID

Samba - General mailing list
On Mon, 04 Dec 2017 14:17:09 +0700
Olivier via samba <[hidden email]> wrote:

> Hi,
>
> It is time I migrate from Samba 3.6 to Samba 4.
>
> But the classicupdate fails because there is no group defined for my
> LDAP users. Well, users have a group, but it is a Unix only group. I
> never bothered to do any group mapping between Unix and Samba 3, I
> never needed it.
>
> I found out, a long long time ago that the relationship between UID
> and SID is SID=2*UID+1000.
>
> I am not sure of what I should do now.
>
> Add an SID in my groups in LDAP? If so, how to calculate the SID?

You could add the group to AD and map it to the Linux group and
depending on how your smb.conf is set up, it may get its own RID. Note
it is 'RID' not 'SID', the 'SID' is the first part of the long ID
that starts with 'S-1-5-21', the 'RID' is the last part of this ID. An
example SID-RID is S-1-5-21-1768301897-3342589593-1064908849-3601, the
'S-1-5-21-1768301897-3342589593-1064908849' identifies the domain and
'3601' is the unique number that identifies the object.

The very fact that you think 'SID=2*UID+1000' is still valid, probably
means that you have RIDs like 513 and 3010 in ldap. Time has shown that
using such low numbers wasn't a good idea.

It may be better to start with a new AD domain, rather than upgrading
your old NT4-style domain.

Rowland
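
Added example, not part of either post and not Samba's own code: a pre-migration audit that splits each SID into the domain SID and RID as described in the reply above, and checks RIDs against the Samba 3 algorithmic mapping. It assumes the default algorithmic RID base of 1000, under which groups get 2*GID+1001; the entry names and the sample list are constructed, and the domain SID is the one quoted in the reply.

```python
import re

# Domain-relative SID: S-1-5-21-<three domain sub-authorities>-<RID>
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
RID_BASE = 1000  # assumption: Samba 3 default "algorithmic rid base"

def split_sid(sid):
    """Return (domain_sid, rid) or raise ValueError for a malformed SID."""
    m = SID_RE.match(sid.strip())
    if not m or int(m.group(2)) > 0xFFFFFFFF:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return m.group(1), int(m.group(2))

def algorithmic_rid(unix_id, is_group=False):
    """Samba 3 algorithmic mapping: users 2*UID+base, groups 2*GID+base+1."""
    return 2 * unix_id + RID_BASE + (1 if is_group else 0)

def classify_rid(rid):
    """Return (kind, unix_id) the RID would imply under the algorithmic scheme."""
    if rid < RID_BASE:
        return ("reserved", None)  # built-in range, e.g. 513 = Domain Users
    kind = "group" if (rid - RID_BASE) % 2 else "user"
    return (kind, (rid - RID_BASE) // 2)

def audit(entries, domain_sid):
    """entries: (name, is_group, unix_id, sid). Return a list of findings."""
    findings = []
    for name, is_group, unix_id, sid in entries:
        if not sid:
            findings.append((name, "no SID: Unix-only, needs a group mapping"))
            continue
        dom, rid = split_sid(sid)
        if dom != domain_sid:
            findings.append((name, f"foreign domain SID {dom}"))
        elif rid >= RID_BASE and rid != algorithmic_rid(unix_id, is_group):
            findings.append((name, f"RID {rid} does not match algorithmic mapping"))
    return findings

# Constructed sample entries; the domain SID is the one quoted in the thread.
DOMAIN = "S-1-5-21-1768301897-3342589593-1064908849"
SAMPLE = [
    ("alice", False, 1005, DOMAIN + "-3010"),   # 2*1005+1000
    ("staff", True, 500, None),                 # Unix-only group
    ("ops", True, 600, DOMAIN + "-2200"),       # expected 2*600+1001 = 2201
    ("old", False, 1006, "S-1-5-21-1-2-3-3012"),
]

if __name__ == "__main__":
    for name, msg in audit(SAMPLE, DOMAIN):
        print(f"{name}: {msg}")
```

Entries reported with no SID are the Unix-only groups that need a mapping before the upgrade; a RID that disagrees with the formula means the directory was not populated purely algorithmically.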