RFC2307 on a Samba DC - HowTo

Giuseppe Ragusa giuseppe.ragusa at hotmail.com
Sun May 18 15:56:18 MDT 2014


On Sun May 18 15:13:44 MDT 2014, Rowland Penny wrote:
> On 18/05/14 21:09, Giuseppe Ragusa wrote:
> > Hi,
> >
> > On Sun May 18 13:43:50 MDT 2014, Rowland Penny wrote:
> > > On 18/05/14 19:38, Giuseppe Ragusa wrote:
> > > >> Hello,
> > > >>
> > > >> I've finished a new HowTo this week (please proofread):
> > > >>
> > > >> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
> > > >>
> > > >>
> > > >> Regards,
> > > >> Marc
> > > > Hi,
> > > >
> > > > Looks good to me, but I wonder if the long standing quirk of ignoring
> > > > the "primary Group ID" RFC2307 attribute and honouring Windows-side
> > > > group settings for primary group too is still in effect and
> > > > must be someway described in the wiki page (it affected Winbind for
> > > > sure, never tested SSSD).
> > >
> > > Now I could be acting stupid here by asking this, but what "primary
> > > group ID" RFC2307 attribute are you referring to?
> > >
> > > The 'primaryGroupID'  attribute is a windows attribute and has nothing
> > > to do with Unix, you need to use the 'gidNumber' attribute.
> > >
> > > Rowland
> >
> > Exactly: I was referring to the gidNumber stored together with 
> > uidNumber (etc.) as user POSIX attributes.
> >
> > Sorry for the confusion / improper reference.
> >
> > Regards,
> > Giuseppe
> >
> > > > I think (and reported about two years ago on this list) that up to
> > > > Samba 3.5.0 the behavior was different (primary group taken from
> > > > POSIX attributes in RFC2307 fields), but changed afterwards and could
> > > > be the culprit behind:
> > > >
> > > > https://bugzilla.samba.org/show_bug.cgi?id=8694
> > > >
> > > > https://bugzilla.samba.org/show_bug.cgi?id=7582
> > > >
> > > > https://bugzilla.samba.org/show_bug.cgi?id=8905
> > > >
> > > > I even started an (aborted, unfortunately) effort at adding back the
> > > > former behavior through a configuration option (totally rewritten 
> > id mapping
> > > > plugin structure made the relevant information "unavailable where 
> > needed"
> > > > and would so require a substantial development work beyond my 
> > possibilities atm).
> > > >
> > > > Regards,
> > > > Giuseppe
> > > >
> >
> I think that what you hitting here is that idmap.ldb maps Domain Users 
> to xidnumber '100' and this number is usually beneath the range set in 
> smb.conf and therefore never gets pulled by winbind and if the users 
> group doesn't get pulled, then neither does the user. Setting a 
> gidNumber on Domain users that is inside the range will cure the problem.
> 
> There was some talk about giving the windows 'well know SIDs' a fixed id 
> number, IMHO this cannot come soon enough.
> 
> Rowland

Hi,

I don't know if with "xidnumber" you refer to an internal Samba mapping, but 100 seems to be an awful choice of a gid mapping since I recall Linux distros giving gid 100 to common local user groups like "users" (maybe it was some time ago and newer distros obey the rule "uid/gid > 500" or even higher).

Anyway in my emails of two years ago I stated that my use case for the aforementioned restoring of previous behavior was on large AD installations with Windows primary group left at its "Domain Users" default value and powers-that-be not wanting to touch that all important group in any way (I know that the simple adding of a gidNumber is innocuous, but I'm not in a position to argue...).

Anyway, many thanks for your suggestion: I will check idmap.ldb and maybe I will try to modify that, if you think that forcing it inside the range will allow the user to have it's own RFC2307 gidNumber effective afterwards.

Regards,
Giuseppe

 		 	   		  


More information about the samba-technical mailing list