Samba4: ID mapping is hard

steve steve at
Sun Mar 25 01:44:59 MDT 2012

On 23/03/12 23:03, Andrew Bartlett wrote:
> On Sun, 2012-03-18 at 08:19 +0100, steve wrote:
>> Hi
>> There seems to be a discrepancy in the s4 schema concerning security groups.
>> Domain Users comes with gidNumber: 100. This is however contrary to what
>> the schema allows. You can show this as follows:
> Steve,
> Domain Users does not hold that attribute.  There is an idmapping in
> idmap.ldb for this value, but it is not placed in the directory by
> default.
> As you mention here, you could add it if you want to:
>> Create a new group. samba-tool group add mygroup.
>> Use phpldapadmin to add the gidNumber attribute.
>> There is an error because gidNumber is provided by the posixGroup class
>> and that objectclass is not present by default.
>> No problem. We add objectClass: posixGroup and then we can add
>> gidNumber: xxx just fine.
>> This however throws up another error in that mygroup is now not a
>> security group but a posix group and the ability to view and manipulate
>> group members is not available in Active Directory Computers and Users
>> (ADCU). We made the following observations:
>> 1. The members tabs are missing from mygroup properties in ADCU
>> 2. you can still use samba-tool group addmembers to manipulate the groups
>> 3. you can still select and change primary group for a user in ADCU
>> 4. you can add users to the group under phpldapadmin but the users who
>> are already members are not displayed. An error is however correctly
>> displayed if you try to add a user who is already a member.
>> 5. You can still manipulate the posixGroup as if it were a security
>> group, set acl's and permissions etc from the security tab of a file or
>> folder.
>> 6. You can use a big hammer to add attributes that you should not be
>> able to add. e.g. you can add gidNumber without the objectClass (which
>> supplies gidNumber) being present using ldapmodify or ldbmodify.
>> 7. posixAccount and its associated attributes work exactly as advertised
>> in the schema.
>> Conclusion:
>> This is simply an inconvenience. Everything works as expected except
>> being able to view the members that are in a group either in ADCU or
>> phpldapadmin _after_ you have added objectClass: posixGroup to it.
>> Why does adding the posixGroup Class knock out the ability to be able to
>> view group membership? Is this an error in the posixGroup schema?  Is it
>> an aim that s4 be an _exact_ replacement for m$ AD?
>> Is this the schema that is used?
> We use the exact schema Microsoft uses, provided to us by Microsoft as
> part of the WSPP documentation.
>> from: MS-AD_Schema_2K8_R2_Classes, under
>> /usr/local/samba/share/setup/ad-schema
>> cn: PosixAccount
>> ldapDisplayName: posixAccount
> ...
>> There are full details of what we have tried with screenshots in the
>> latter part of this bugzilla:
>> Please let us know if there is anything we can test.
>> Cheers,
>> Steve
>> (Could someone fwd to samba-technical?)
> Why can't you raise this on samba-technical yourself?
> If our behaviour differs from Microsoft's behaviour, then please raise
> this as a bug.  I haven't seen any reference to a difference in
> behaviour that we could address.
There is already a bugzilla which confirms that s4 does not handle the 
posixGroup attribute correctly. Adding the attribute on a ms 2008 server 
works correctly.

Please see:
comment 43 onwards.
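
An added example (not part of the thread, and not Samba code): a small Python inventory over LDIF exported from the directory that reports, for each group, whether it carries an explicit objectClass: posixGroup, a gidNumber, both or neither, which are the states the message above describes. The sample LDIF, its DNs and the function names are constructed for illustration.

```python
import base64
# Constructed sample LDIF: DNs and values are made up, not real directory data.
SAMPLE_LDIF = """\
dn: CN=mygroup,CN=Users,DC=example,DC=com
objectClass: group
objectClass: posixGroup
gidNumber: 10001

# gidNumber written directly, without the posixGroup objectClass
dn: CN=hammered,CN=Users,DC=example,DC=com
objectClass: group
gidNumber:: MTAwMDI=

dn: CN=plaingroup,CN=Users,
 DC=example,DC=com
objectClass: group
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:                 # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value.strip())

def classify_groups(text):
    """Map each group DN to the posixGroup / gidNumber markers it carries."""
    report = {}
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "group" in classes:
            marks = [("posixGroup", "posixgroup" in classes), ("gidNumber", "gidnumber" in e)]
            report[e["dn"][0]] = "+".join(n for n, ok in marks if ok) or "plain"
    return report
```

Groups reported as `posixGroup+gidNumber` are the ones to check for the missing members tab; `gidNumber` alone marks entries where the attribute was written without the class.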

