[Samba] User management scripts in AD mode...

Rowland Penny rpenny at samba.org
Fri Jun 30 14:14:51 UTC 2017 

On Fri, 30 Jun 2017 15:17:53 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! Rowland Penny via samba
>   In chel di` si favelave...
> 
> > > I'm again a bit confused... ;-(((
> > Yes I can see that ;-)
> 
> ;-)
> 
> Sorry for the late answer, but i was busy on other things...
> 
> 
> > Hope this helps, but feel free to ask any questions.
> 
> I try to summarize:
> 
> a) as i supposed 'RFC2307 group membership' are totally ignored by
>  samba, so i can use RFC2307 schema to associate UID to users and GID
> to group, but the relation between UID and GID (eg, membership) in
> UNIX are directly derivated by Windows membership only. Good.

Correct

> 
> b) changing ''primary'' windows group from 'Domain Users' to other
>  group are supported only by samba 4.6.0 and newer.

Correct

> 
> c) (Windows) membership are expressed using 'member' in group object
>  (full DN of the users) but also using 'primaryGroupID' in user object
> (RID of the group; for b) above, primaryGroupID is ever '513').
> 
> d) in (Windows) membership, if a user have a primary group, the group
>  does not have the relative full user DN in 'member'; again for b)
> above, group 'Doamin Users' have no 'member' because all users have
> primaryGroupID=513
> 

Every Windows domain users primary group is '513' (this is Domain
Users), but is not shown anywhere else in AD. there are no 'member' or
'memberof' attributes anywhere that refer to members of Domain Users.
It just relies on the 'primaryGroupID' attribute (which if your care to
check, is set to 515 for computers)

> 
> If i'm right, i'have two question:
> 
> 1) a) work also for nested group, right? eg, if i've nested group, the
>  windows<-UNIX mapping of memberships simply ''flatten'' the windows
> membership in UNIX UID?

If you add a group to a group, your Unix users will gain membership of
the parent group, but the parent group must also have a gidNumber to be
used on a Unix machine.

> 
> 2) Supposing i'm using samba >= 4.6, to make a LDAP query that return
>  all the memberships correctly i need to look for 'member' in groups
> and 'primaryGroupID' in users; there's just an LDAP query about that?
> Eg, a query that, given a group name/DN, return all users (as DN or
> UID) that belong to that group?

There is absolutely no need to search for the primaryGroupID of any AD
user, it will always be '513' unless somebody has been stupid enough to
change it, in which case they have broken the windows user.

The easiest way to find out what groups a users is a member of is to
search the users DN for 'memberOf', though this will only show what
Windows groups the user is a member of. If you only want to find and
display the Unix groups, you will then have to check each group a
user is a member of, to see if it has a gidNumber attribute, you
would then have to check if the group is also a member of another group
and then check if this possible other group has a gidNumber and if this
group is also a member of another group and so on. This could get
complicated.

Rowland

More information about the samba mailing list