Jacob Seeley wrote:
> Hello,
> My question revolves around 'User Private Groups'. I noticed my AD users
> UID's do not have matching GID's. I came across the following:
>
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#id2596644
>
> This seems to indicate I cannot implement UPG because Windows will not allow
> user and groups of the same name.
>
> From an administrative point of view, how do I handle this? Should I be
> concerned about this? How will a non UPG setup be different for us Linux
> users who are accustomed to having private groups? Essentially, I'm trying to
> avoid any unforeseen pitfalls as a result of not having UPGs.
>
----

Well one pitfall I can think of -- is on the linux side. i.e. on Windows, you can put both users and groups in 'groups', and I think samba supports such nesting (needs enabling). But then let's say you use the idmap_rid -- How would you specify group-nesting as separate from the user?

FWIW, I allocate the groupid's w/users, but I alter the groupnames for the ones I care to have working with any reliability. I try to set up my groups to mirror the wingroups, though ran into some problems with domain groups <=512...

But a snippet from my passwd file:

rsvd_Domain Users_g:x:513:513:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Guests_g:x:514:514:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Computers_g:x:515:515:Group-Reserved:/var/lib/nobody:/bin/bash
rsvd_Domain Controllers_g:x:516:516:Group-Reserved:/var/lib/nobody:/bin/bash
---

I do have the numbers reserved in both files so they line up. I'm not happy with several limitations in the standard samba setup.. like artificially limiting rids to >512 (which means I'd have to move groups/users as I'm using 'idmap_nss'). But would something similar work for you -- suffixes or prefixes?

But I also don't like that samba doesn't list back its well-known groups - as those are often only well-known if you have a windows server.

Dumping out my non-domain, "well known groups" (and a few domain groups at the end for comparison). The number in the middle is the unix GID... Note -- most of those are not used anywhere and I put them in as reference, and I noted a few inconsistencies... oh well... Need 128 bit user numbers!... ;-)

(net groups list -- massaged)

S-1-0              : 10100    - Null Authority
S-1-1              : 10101    - World Authority
S-1-2              : 10102    - Local Authority
S-1-3              : 10103    - Creator Authority
S-1-4              : 10104    - Non-unique Authority
S-1-5              : 10105    - NT Authority
S-1-0-0            : 11000    - Nobody
S-1-1-0            : 11100    - Everyone
S-1-3-0            : 11300    - Creator Owner
S-1-3-1            : 11301    - Creator Group
S-1-3-2            : 11302    - Creator Owner Server
S-1-5-1            : 11501    - Dialup
S-1-5-2            : 11502    - Network
S-1-5-3            : 11503    - Batch
S-1-5-4            : 11504    - Interactive
S-1-5-6            : 11506    - Service
S-1-5-7            : 11507    - Anonymous
S-1-5-8            : 11508    - Proxy
S-1-5-9            : 11509    - Enterprise Domain Controllers
S-1-5-10           : 11510    - Principal Self
S-1-5-11           : 11511    - Authenticated Users
S-1-5-12           : 11512    - Restricted Code
S-1-5-13           : 11513    - TSUsersGroup
S-1-5-19           : 11519    - Local Service
S-1-5-20           : 11520    - Network Service
S-1-16-4096        : 11604096 - Low Mandatory Level
S-1-16-8192        : 11608192 - Medium Mandatory Level
S-1-16-8448        : 11608448 - Medium Plus Mandatory Level
S-1-16-12288       : 11612288 - High Mandatory Level
S-1-16-16384       : 11616384 - System Mandatory Level
S-1-5-32-516       : 516      - Domain Controllers
S-1-5-32-544       : 544      - Administrators
S-1-5-32-545       : 545      - Users
S-1-5-32-546       : 546      - Guests
S-1-5-32-547       : 547      - Power Users
S-1-5-32-548       : 548      - Account Operators
S-1-5-32-549       : 549      - Server Operators
S-1-5-32-550       : 550      - Print Operators
S-1-5-32-551       : 551      - Backup Operators
S-1-5-32-552       : 552      - Replicators
S-1-5-21-1-2-3-512 : 512      - Domain Admins
S-1-5-21-1-2-3-513 : 513      - Domain Users
S-1-5-21-1-2-3-514 : 514      - Domain Guests
S-1-5-21-1-2-3-515 : 515      - Domain Computers
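
The reserved-ID scheme in the message above (placeholder passwd entries that hold the same number as a group, with altered names so no user and group share a name) can be checked mechanically. The following is an added example, not part of the original message: it assumes the "Group-Reserved" GECOS text marks placeholder entries, and the group lines, the "alice" account, the mismatched 515/516 entry and the function names are constructed for illustration.

```python
# Constructed sample data modelled on the passwd snippet in the post. The group
# lines, the "alice" entries and the mismatched 515/516 pair are assumptions.
PASSWD = """\
rsvd_Domain Users_g:x:513:513:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Guests_g:x:514:514:Group-Reserved:/var/lib/nobody:/bin/nologin
rsvd_Domain Computers_g:x:515:516:Group-Reserved:/var/lib/nobody:/bin/bash
alice:x:1105:513:Alice:/home/alice:/bin/bash
"""
GROUP = """\
Domain Users:x:513:alice
Domain Guests:x:514:
alice:x:1105:
"""
NOLOGIN = {"/bin/nologin", "/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse(text, nfields):
    """Split colon-separated passwd/group lines, skipping blanks and comments."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    rows = [l.split(":") for l in lines]
    if any(len(r) != nfields for r in rows):
        raise ValueError(f"expected {nfields} fields on every line")
    return rows


def audit(passwd_text, group_text, marker="Group-Reserved"):
    """Return sorted (problem, account) findings for the reserved-ID scheme."""
    groups = parse(group_text, 4)
    gids = {int(g[2]) for g in groups}
    group_names = {g[0].lower() for g in groups}  # Windows names ignore case
    findings = []
    for name, _pw, uid, gid, gecos, _home, shell in parse(passwd_text, 7):
        if name.lower() in group_names:
            findings.append(("name-shared-with-group", name))
        if gecos != marker:
            continue  # the remaining checks apply to placeholder entries only
        if int(uid) != int(gid):
            findings.append(("uid-gid-mismatch", name))
        if int(gid) not in gids:
            findings.append(("no-group-for-gid", name))
        if shell not in NOLOGIN:
            findings.append(("login-shell-on-placeholder", name))
    return sorted(findings)


if __name__ == "__main__":
    for problem, account in audit(PASSWD, GROUP):
        print(f"{problem}: {account}")
```

On real systems the two inputs would be the contents of /etc/passwd and /etc/group, read as text and passed to audit().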