[Samba] smbpasswd backend, group-per-user, and primary gid not a domain group

Frank H fjhenigman at cgl.uwaterloo.ca
Tue Jul 20 00:09:06 GMT 2004


After changing from 2.x to 3.0 I get these messages:

rpc_server/srv_util.c:get_domain_user_groups(376)
get_domain_user_groups: primary gid of user [fred] is not a Domain group !
get_domain_user_groups: You should fix it, NT doesn't like that

I understand why this is: fred's group needs to be mapped like so

net groupmap modify ntgroup="Domain Users" unixgroup=<fred's group>

The problem is this: each user is in a different group (i.e. fred's
initial group, the one mentioned in /etc/passwd, is fred) and I can only
map one onto "Domain Users."
I don't want to give up my "group-per-user, umask is always 2" system.
I'm hoping to avoid a more complicated password backend, assuming that
would even help.

My best idea so far is to set everyone's initial group (the one in
/etc/passwd) to "user" mapped to "Domain Users" and also add them
to their personal group.  Then home directories have to be setgid so
files don't end up in group "user."  But it's too easy to lose
setgid bits.  "mkdir /tmp/dir; mv /tmp/dir ~" and files made
in ~/dir are now the wrong group.

My questions are:

Is there a clean solution using the smbpasswd file password backend
and keeping the group-per-user plan?

If I bite the bullet and go to ldapsam or tdbsam does that help?

Do I even need to worry about this?  "NT doesn't like that" sounds
ominous, but everything seems to work.  My clients are mainly W2K
if that matters.

Thanks.
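
The lost-setgid case described in the message above, as an added example that is not part of the original post: a shell audit that lists directories missing the setgid bit, plus a repair helper. The function names, the constructed directory tree in `demo`, and the assumption that paths contain no newlines are all illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): find directories that lost setgid.

# audit_setgid ROOT
# Print each directory under ROOT (ROOT included) that lacks the setgid bit.
# Files created in such a directory take the creator's primary group
# instead of the directory's group.
audit_setgid() {
    find "$1" -type d ! -perm -2000 -print
}

# fix_setgid ROOT GROUP
# Give every flagged directory GROUP and the setgid bit. GROUP stands for the
# user's personal group; the caller must own the directories and be in GROUP.
# Assumes no newlines in path names.
fix_setgid() {
    audit_setgid "$1" | while IFS= read -r dir; do
        chgrp "$2" "$dir" && chmod g+s "$dir"
    done
}

# demo: constructed tree replaying "mkdir /tmp/dir; mv /tmp/dir ~"
demo() {
    base=$(mktemp -d) || return 1
    mkdir "$base/home" "$base/tmp"
    chmod g+s "$base/home"           # home directory is setgid, as in the scheme
    mkdir "$base/home/made_here"     # created inside: inherits setgid (Linux)
    mkdir "$base/tmp/dir"            # created outside the setgid tree
    mv "$base/tmp/dir" "$base/home"  # mv keeps the old mode, so no setgid
    audit_setgid "$base/home" | sed "s|^$base/||"
    rm -rf "$base"
}

demo
```

Run periodically over the home directories, `audit_setgid` catches the moved-in directory before many files with the wrong group accumulate in it.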

