De Leeuw Guy wrote:
Hi all
Hi
I am trying to transform our old workgroup into a domain. I read a lot of documentation about that and smb-ldap tools. I cannot use smb-ldap tools because I have a running LDAP database with our Unix accounts.
Well, I think that you can continue to have it the way it is and use smbldap-tools with higher ids.
I build my own script to update our database. Questions:
- For the admin account I modify the uid=admin, uidNumber=1033 and gid=512 to secure the server root account (no homeDirectory and loginShell). Is it correct?
I didn't understand very well what you have done, but yes, a user without a valid loginShell cannot log in to the system.
- For the accounts Administrators, Account Operators, Print Operators, Backup Operators and Replicators, which are the correct SIDs? S-1-5-32-544 or a form like S-1-5-21-374813769-5580279-1681509432-544?
smbldap-tools creates them in the S-1-5-32-XXX form. But really only a few accounts are expected to be seen by domain clients in a samba domain with the right RID making any difference.
See: http://samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html#WKURIDS
- For the sambaSID of users I use the localSID + uidNumber, is it OK?
- For the sambaSID of Unix groups (each user has their own group) I use localSID + uidNumber + 1000. Is the primaryGroupSID needed? If yes, which?
- For hosts I use localSID + uidNumber + 2000, OK?
Could you help me to clarify that?
Smbldap-tools used to create RIDs in an odd/even algorithmic fashion, never clashing. Posix accounts have separate allocation spaces but in Windows accounts share the same RID space and users/groups cannot clash. Your accounts will probably start to clash after 1000 created user accounts (as uids/gids are not reused).
primaryGroupSID is normally "Domain Users".
Thanks in advance Guy
Regards. Edmundo Valle Neto
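
The RID clash described in the reply, as an added example that is not part of the original message or of smbldap-tools. The account list is constructed, the domain SID is the sample one quoted in the question, and the odd/even formula (2*id+1000 for uids, 2*id+1001 for gids) is assumed here to be the algorithmic scheme the reply refers to.

```python
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-374813769-5580279-1681509432"  # sample SID from the thread

# Constructed accounts: (kind, name, posix id). Each user has a private group
# whose id equals the uidNumber, as in the question.
ACCOUNTS = [
    ("user", "admin", 1033), ("group", "admin", 1033),
    ("user", "alice", 2033), ("group", "alice", 2033),
    ("user", "bob", 2500), ("group", "bob", 2500),
    ("host", "ws01$", 1500),
]


def offset_scheme(kind, posix_id):
    """Scheme from the question: a fixed offset per account type."""
    return posix_id + {"user": 0, "group": 1000, "host": 2000}[kind]


def odd_even_scheme(kind, posix_id, base=1000):
    """Assumed odd/even scheme: uids (users, hosts) even, gids odd."""
    return 2 * posix_id + base + (1 if kind == "group" else 0)


def find_clashes(accounts, scheme):
    """Return {sid: [accounts]} for every SID assigned more than once."""
    by_rid = defaultdict(list)
    for kind, name, posix_id in accounts:
        by_rid[scheme(kind, posix_id)].append(f"{kind}:{name}")
    return {
        f"{DOMAIN_SID}-{rid}": names
        for rid, names in sorted(by_rid.items())
        if len(names) > 1
    }


if __name__ == "__main__":
    for label, scheme in (("offset", offset_scheme), ("odd/even", odd_even_scheme)):
        clashes = find_clashes(ACCOUNTS, scheme)
        print(label, "clashes:", clashes or "none")
```

With fixed offsets, the private group of uid 1033 and the user with uid 2033 receive the same SID, so an ACL entry for one also matches the other; the same check can be run over the real LDAP entries before any sambaSID is written.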
