I am contributing to, and running an open source web application that, in large parts, existed before my time. The application adds LDAP entries for web application users to a local LDAP instance to give these users file system access via Samba.
In all working examples I know of, the sambaSID value stored in LDAP is calculated by the pattern
$LOCALSID "-" ($UIDNUMBER * 2 + 1000)
Example: for a user with uid 1002 the sambaSID will be something like S-1-5-21-1234567890-5678912345-987654321 - 3004 [spaces added for readability].
I am curious why this is necessary. Where do these magic numbers 2 and 1000 come from? Are they necessary, and if so, why?
Searching around, I found this PDF which is unrelated to our application and explains exactly this procedure:
5. Setting up user sambaSIDs
When creating users for the external LDAP, you need to pay special attention to their sambaSIDs.
Correct Samba entries for a user look like the following example:
uidNumber: 1001
sambaSID: S-1-5-21-2896602268-470177729-4123194723-3002
gidNumber: 1000
sambaPrimaryGroupSID: S-1-5-21-2896602268-470177729-4123194723-3001
As you can see, there is a 4-digit number appended to the regular sambaSID (which is taken from the WORKGROUP example above). This is generated in the following manner:
sambaSID: uidNumber * 2 + 1000
sambaPrimaryGroupSID: gidNumber * 2 + 1001
These entries must always match and conform to the schema above – otherwise the user will not be able to connect via SMB.
So it does not seem to be the case that these numbers are chosen arbitrarily. However, in our examples, unlike in the PDF cited, I find that the sambaPrimaryGroupSID does not undergo any arithmetic; its value for group 100 (users) is just appended, like S-1-5-21-1234567890-5678912345-987654321 - 100, which is different from the explanations in the PDF cited above. However, the Samba access works properly with it, too, so I wonder how reliable the source I found is.
Where do those magic numbers ‘2’ and ‘1000’ come from? Are they necessary or useful for anything?
I was searching for the same thing, and found this link.
There it is explained that the multiplication with 2 is to make sure user-secure-IDs and group-secure-IDs do not overlap. (The latter always being odd).
About the +1000, numbers below 1000 are reserved for special Windows groups, just as in Linux quite a lot of smaller group-numbers are reserved. Regular Windows users get numbers starting with 1000.
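As an added example (not code from either post), here is the mapping in Python: it computes both SIDs from uidNumber/gidNumber the way the question's formula and the quoted PDF describe, inverts a RID back to a uid or gid (which is what the even/odd split from the answer makes possible), and checks an LDAP entry against the convention. The domain SID and the RID base of 1000 are constructed values taken from the question; the base corresponds to Samba's "algorithmic rid base" setting.

```python
import re

# Constructed values: the domain SID from the question and Samba's default
# RID base (the "algorithmic rid base" smb.conf setting, 1000).
LOCAL_SID = "S-1-5-21-1234567890-5678912345-987654321"
RID_BASE = 1000
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def user_rid(uid_number):
    # Users land on even RIDs above the base: uidNumber * 2 + 1000
    return uid_number * 2 + RID_BASE

def group_rid(gid_number):
    # Groups land on odd RIDs above the base: gidNumber * 2 + 1001
    return gid_number * 2 + RID_BASE + 1

def samba_sid(local_sid, uid_number):
    return f"{local_sid}-{user_rid(uid_number)}"

def samba_primary_group_sid(local_sid, gid_number):
    return f"{local_sid}-{group_rid(gid_number)}"

def rid_to_posix(rid):
    # Invert the mapping. RIDs below the base are well-known Windows RIDs
    # (e.g. 512 Domain Admins, 513 Domain Users) and are not algorithmic.
    if rid < RID_BASE:
        return None
    offset = rid - RID_BASE
    return ("user" if offset % 2 == 0 else "group", offset // 2)

def split_sid(sid):
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID with a RID: {sid}")
    return m.group(1), int(m.group(2))

def check_entry(entry):
    # Report where an LDAP entry deviates from the convention quoted from the PDF.
    problems = []
    domain, rid = split_sid(entry["sambaSID"])
    gdomain, grid = split_sid(entry["sambaPrimaryGroupSID"])
    if domain != gdomain:
        problems.append("user and primary group SIDs belong to different domains")
    if rid != user_rid(entry["uidNumber"]):
        problems.append(f"sambaSID RID {rid} != uidNumber*2+{RID_BASE}")
    if grid != group_rid(entry["gidNumber"]):
        problems.append(f"sambaPrimaryGroupSID RID {grid} != gidNumber*2+{RID_BASE + 1}")
    return problems
```

Run against the question's own entry (gidNumber 100 with the RID 100 appended unchanged), `check_entry` flags only the primary group SID, since 100 sits in the reserved range below the base rather than at gidNumber*2+1001.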