[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

mathias dufresne infractory at gmail.com
Thu Nov 12 13:22:56 UTC 2015


2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 11/11/15 06:52, Michael Adam wrote:
>
>> On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>>
>>> On 10/11/15 13:42, mathias dufresne wrote:
>>>
>>>> Thank you for this quick answer Louis.
>>>>
>>>> On DC:
>>>>
>>>> On DC I had to add one line to have winbind retrieve the uidNumber AD
>>>> field rather than having Winbind choosing some random UID for my users.
>>>> This line is:
>>>>
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> as explained in
>>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>>
>>>> That's a start.
>>>>
>>>> Unfortunately winbind is still giving my users a GID number of 100,
>>>> which is the "Domain Users" group, when my users have the gidNumber
>>>> attribute set.
>>>>
>>> unfortunately the contents of the 'gidNumber' attribute are not used for
>>> the user's GID, you need to give 'Domain Users' a gidNumber and this is
>>> what will be used.
>>>
>> That is not unfortunate, but the right thing to do (imho),
>> because the domain users group (or whatever the primary AD
>> level group is for the user) is what will appear in the access
>> token when the user accesses a file server.
>>
>
> Well, it is unfortunate if you expected it to be used, but yes it is the
> right thing to do.


No more comment. For today :p


>
>
>
>> We can think about making the use of the gidNumber attribute
>> a configurable option (at least for the start in the domain
>> member case with idmap_ad). But again, the right thing to do
>> is use the SID-level primary group for primary gid of the unix
>> user.
>>
>
> You don't actually need the gidNumber, every user's primary group is
> 'Domain Users', you can change this, but it is slightly complicated and it
> breaks things on Windows.


Seriously Rowland...

First it is not complicated, changing one attribute value for one user or
for all users in the AD DB is not something complicated. A bit of LDIF, a bit
of ldbmodify, nothing complex.
But I agree changing the primaryGroupID value would be dangerous. Dangerous
because of my lack of knowledge about the Windows world.
To avoid side effects I would change that value and add a memberOf attribute
to my users so they are still in "Domain Users". Doing that I could use
Winbind to retrieve my AD users on UNIX systems, they would have something
else than 100 as GID and they would be in "Domain Users". Until some user
is not well created by some dude not paid enough to read carefully the doc
or too tired to pay attention. Then understanding what is missing for this
newly-created user would be fun...

I expect the fact that in RFC2307 there is a dedicated attribute to host the
UNIX Primary Group ID (namely gidNumber) is to avoid all (and most certainly
more) of the issues described earlier.


>
>
>
>>
>>>> Same for shell, in AD loginShell is defined as /bin/bash for all my UNIX
>>>> users and winbind gives /bin/false on DC. Perhaps that's what is expected
>>>> by that tool but I still found that behaviour very confusing.
>>>> Please note I know there is a "template shell" option in smb.conf.
>>>> Unfortunately this option is, I think, to set all shells equal to that
>>>> template, for all users. That's not what we need. If some user in AD wants
>>>> to use CSH, this user must have a shell set to /bin/csh (or wherever it is
>>>> installed), if some user has to be set to /bin/false, it must be. And for
>>>> most of our users they would receive /bin/bash because it is what we
>>>> configure in loginShell by default.
>>>>
>>> You can only use the 'template' lines on the DC, if you need to have
>>> different home dirs or shells, use a member server.
>>>
>> As discussed elsewhere, we should add the feature to use the AD
>> attributes (configurably).  Someone has to find the time to
>> implement the changes.
>>
>
> I think this really needs to be given a bit more priority than it has in
> the past, get this working and you get a good replacement for the now
> defunct SBS server.
>
> Rowland

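The steps discussed in this thread, as an added example that is not part of the thread or of Samba itself: a small POSIX shell script that writes the ldbmodify LDIF giving "Domain Users" a gidNumber (the attribute winbind on a DC actually uses for the user's GID), checks that smb.conf carries the "idmap_ldb:use rfc2307 = yes" line needed for uidNumber to be honoured, and reads a user's primaryGroupID so you can confirm which group's gidNumber winbind will pick. The base DN DC=example,DC=com, the GID 10000, the sam.ldb and smb.conf paths and the user name are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example; not code from this thread or from the Samba project.
# Assumptions (not from the thread): domain DC=example,DC=com, GID 10000 for
# "Domain Users", sam.ldb under /var/lib/samba/private, smb.conf in /etc/samba.

SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}
SMB_CONF=${SMB_CONF:-/etc/samba/smb.conf}

# LDIF for ldbmodify that sets gidNumber on "Domain Users". On a DC winbind
# takes a user's GID from the gidNumber of the user's primary AD group, not
# from the user's own gidNumber, so this is the attribute that matters.
# "replace" works whether or not the group already has a gidNumber.
domain_users_gid_ldif() {
    printf 'dn: CN=Domain Users,CN=Users,%s\n' "$1"
    printf 'changetype: modify\n'
    printf 'replace: gidNumber\n'
    printf 'gidNumber: %s\n' "$2"
}

# True when smb.conf enables the uidNumber lookup ("idmap_ldb:use rfc2307 = yes");
# without it winbind on a DC allocates UIDs from its own pool instead.
rfc2307_enabled() {
    grep -Eq '^[[:space:]]*idmap_ldb:use[[:space:]]+rfc2307[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Read an ldbsearch record on stdin and print its primaryGroupID (a RID).
# 513 is the well-known RID of "Domain Users"; if a user carries another
# value, that other group is the one whose gidNumber winbind will use.
primary_group_rid() {
    sed -n 's/^primaryGroupID: //p' | head -n 1
}

# Apply on the DC and show what winbind hands out afterwards. Only runs when
# invoked as:  sh thisscript.sh apply <base_dn> <gid> <user>
if [ "${1:-}" = "apply" ]; then
    base_dn=$2; gid=$3; user=$4
    ldif=$(mktemp)
    domain_users_gid_ldif "$base_dn" "$gid" > "$ldif"
    ldbmodify -H "$SAM_LDB" "$ldif"
    rm -f "$ldif"
    if ! rfc2307_enabled "$SMB_CONF"; then
        echo "warning: add 'idmap_ldb:use rfc2307 = yes' to [global] in $SMB_CONF" >&2
    fi
    rid=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$user)" primaryGroupID | primary_group_rid)
    if [ "$rid" != "513" ]; then
        echo "warning: $user's primary group RID is '$rid', not Domain Users (513)" >&2
    fi
    # After restarting samba, the GID field here should be $gid.
    getent passwd "$user"
else
    # With no arguments just print the LDIF for inspection.
    domain_users_gid_ldif "DC=example,DC=com" 10000
fi
```

Run it with no arguments to just print the LDIF; run `sh thisscript.sh apply DC=example,DC=com 10000 alice` on the DC to apply it and check the result. The script only handles the group side: each user's uidNumber still has to be set separately, and the loginShell attribute is still ignored on a DC in favour of "template shell", exactly as the thread describes. Restart samba after the change so winbind drops its cached answer before you check with getent.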