RFC2307 on a Samba DC - HowTo

Rowland Penny repenny241155 at gmail.com
Sun May 18 15:13:44 MDT 2014 

On 18/05/14 21:09, Giuseppe Ragusa wrote:
> Hi,
>
> On Sun May 18 13:43:50 MDT 2014, Rowland Penny wrote:
> > On 18/05/14 19:38, Giuseppe Ragusa wrote:
> > >> Hello,
> > >>
> > >> I've finished a new HowTo this week (please proofread):
> > >>
> > >> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
> > >>
> > >>
> > >> Regards,
> > >> Marc
> > > Hi,
> > >
> > > Looks good to me, but I wonder if the long standing quirk of ignoring
> > > the "primary Group ID" RFC2307 attribute and honouring Windows-side
> > > group settings for primary group too is still in effect and
> > > must be someway described in the wiki page (it affected Winbind for
> > > sure, never tested SSSD).
> >
> > Now I could be acting stupid here by asking this, but what "primary
> > group ID" RFC2307 attribute are you referring to?
> >
> > The 'primaryGroupID'  attribute is a windows attribute and has nothing
> > to do with Unix, you need to use the 'gidNumber' attribute.
> >
> > Rowland
>
> Exactly: I was referring to the gidNumber stored together with 
> uidNumber (etc.) as user POSIX attributes.
>
> Sorry for the confusion / improper reference.
>
> Regards,
> Giuseppe
>
> > > I think (and reported about two years ago on this list) that up to
> > > Samba 3.5.0 the behavior was different (primary group taken from
> > > POSIX attributes in RFC2307 fields), but changed afterwards and could
> > > be the culprit behind:
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=8694
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=7582
> > >
> > > https://bugzilla.samba.org/show_bug.cgi?id=8905
> > >
> > > I even started an (aborted, unfortunately) effort at adding back the
> > > former behavior through a configuration option (totally rewritten 
> id mapping
> > > plugin structure made the relevant information "unavailable where 
> needed"
> > > and would so require a substantial development work beyond my 
> possibilities atm).
> > >
> > > Regards,
> > > Giuseppe
> > >
>
I think that what you hitting here is that idmap.ldb maps Domain Users 
to xidnumber '100' and this number is usually beneath the range set in 
smb.conf and therefore never gets pulled by winbind and if the users 
group doesn't get pulled, then neither does the user. Setting a 
gidNumber on Domain users that is inside the range will cure the problem.

There was some talk about giving the windows 'well know SIDs' a fixed id 
number, IMHO this cannot come soon enough.

Rowland

More information about the samba-technical mailing list