In Linux on the other hand, as you correctly report, the POSIX IDs of users and groups are from separate “namespaces” and you are allowed to use one number as uid and gid at the same time. Users and Groups are identified with SIDs from the same SID pool. In Windows/AD ACLs groups can be the owner of a resource, e.g.

Yes, Bug #28999 describes the issue (in German), it’s a potential Windows/Samba vs Linux interop issue. I’d really like some background info on this from one of the Univention people - could shed some light on it?

If you encounter problems with having both IDs the same, they’ll likely manifest in file/directory access problems or Windows SIDs not being resolved to user names properly. Due to all the uncertainty around this I advise against going down that road.

Maybe those problems still stem from the days of Samba 3 and NT-style Windows domains? In fact, I experimented a bit and used ldbedit to change one xidNumber for a user-type to be the same as another entry’s xidNumber for a group-type - and the server worked fine with that. Therefore multiple entries with the same xidNumber but different type attributes shouldn’t pose a problem in theory. Looking at the schema used by idmap.ldb, it’s clear that entries can differentiate between user and group IDs via the type attribute. I don’t know if those “problems with idmap” are still relevant today.

For example, in order to determine the Windows SID for the Linux user mbunkus, I might do this: id mbunkus

The ID mapping database is used by Samba to map Windows SIDs to Unix user & group IDs. The closest to an answer I got was this bug which vaguely states that there are “problems with idmap”. I haven’t been able to find a definitive answer either.

What implications or issues we shall expect if we manipulate UID/GID via ‘ldapmodify’ based on the Doppelt vergebene UIDs entry we created a script which sets UID=GID. Why must UCS force UID and GID to be different? Are there technical restrictions?