[Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???

Andrew Lyon andrew.lyon at gmail.com
Sun Oct 24 09:20:28 MDT 2010

On Sun, Oct 24, 2010 at 2:46 PM, Andrew Lyon <andrew.lyon at gmail.com> wrote:
>> -----Original Message-----
>> From: Andrew Lyon [mailto:andrew.lyon at gmail.com]
>> Sent: Freitag, 22. Oktober 2010 11:50
>> To: Oliver Weinmann
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
>> On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann <oliver.weinmann at vega.de> wrote:
>>> Hi,
>>> Any news regarding this problem? I have tested samba 3.5.6 and the
>>> problem still persists. I had to downgrade to 3.3 on a few machines now.
>>> Regards,
>>> Oliver
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Oliver Weinmann
>>> Sent: Donnerstag, 9. September 2010 13:13
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Samba-winbind 3.5.4 primary group is always
>>> domainusers!!!???
>>> Dear All,
>>> I stepped over a strange issue today. I have one installation of samba
>>> winbind 3.3.2 on a Ubuntu machine. Changing the primary unix group of
>>> a user is updated immediately. On a newer samba 3.5.4 installation the
>>> primary group is not updated at all. It always displays "domain users".
>>> Is there a new setting for the smb.conf? Here is my smb.conf:
>>> [global]
>>>        netbios name = gedail1
>>>        realm = SOMEDOMAIN.NET
>>>        workgroup = SOMEDOMAIN
>>>        security = ADS
>>>        encrypt passwords = true
>>>        password server = server1.somedomain.net server2.somedomain.net
>>>        os level = 20
>>>        idmap backend = ad
>>>        idmap config SOMEDOMAIN : backend = ad
>>>        idmap config SOMEDOMAIN : schema_mode = sfu
>>>        idmap config SOMEDOMAIN : range = 0-99999999
>>>        winbind nss info = sfu
>>>        winbind enum users = yes
>>>        winbind enum groups = yes
>>>        preferred master = no
>>>        winbind nested groups = Yes
>>>        winbind use default domain = Yes
>>>        max log size = 50
>>>        log level = 10
>>>        log file = /var/log/samba/log.%m
>>>        dns proxy = no
>>>        wins server =
>>>        allow trusted domains = no
>>>        client use spnego = Yes
>>>        use kerberos keytab = true
>>>        winbind refresh tickets = yes
>>>        idmap cache time = 1
>>>        winbind cache time = 1
>>> It's a W2k3 AD Domain.
>>> Regards,
>>> Oliver
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> ______________________________________________________________________
>>> This email has been scanned by the MessageLabs Email Security System.
>>> For more information please visit http://www.messagelabs.com/email
>>> ______________________________________________________________________
>> I've noticed the same with samba 3.5.6, our administrator user has primary group name/gid Domain Admins but the primary group on our linux systems is domain users.
>> I've noticed that searching AD for users with rfc2307/sfu attributes shows the correct gid:
>> net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P
>> sAMAccountName: Domain Users
>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
>> gidNumber: 10000
>> sAMAccountName: test
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
>> uidNumber: 10009
>> gidNumber: 10010
>> The gid returned is correct, and if I change it and remove the cache file it updates, so it is definitely being read from AD, but all users have gid domain users:
>>  wbinfo -i test
>> test:*:10009:10000:test:/home/test:/bin/bash
>> Andy
> On Fri, Oct 22, 2010 at 10:55 AM, Oliver Weinmann
> <oliver.weinmann at vega.de> wrote:
>>> Good to know that I'm not the only one facing this serious problem. I would really like to know why this is not the case under samba 3.3. Currently I have stopped upgrading from 3.3 to 3.5.x because this problem is generating a lot of trouble for us when users of different projects create files and they are read/write for all members of domain users. The only way around this is to use the SGID on the folder to inherit the project group.
> Hi,
> I've been looking at this again and found that the primary gid is read
> from the user's primary windows group, not the one set in the UNIX
> attributes tab which is added by registering nisprop.dll.
> To change the windows primary group go to the "Member Of" tab in ADUC,
> highlight the group and click "Set Primary Group", for example I set
> user test to have domain admins as primary group:
> uid=10009(test) gid=10010(domain_admins)
> groups=10010(domain_admins),10000(domain_users)
> The Primary group name/GID in UNIX Attributes seems to be unused by
> winbind with sfu/rfc2307.
> I have noticed other strange things with the UNIX Attributes tab, for
> example adding a user to a group through the unix attribs tab or
> "member of" tab does not result in the user being listed as a member
> of the group in the Members section of the UNIX Attributes tab when
> viewing the group properties, it's as if the unix gids for a given user
> and uids which are members of a given group are stored separately.
> I'm going to read up on the Microsoft documentation for SFU...
> Note that after making changes like this it is necessary to remove
> cache files before the change is reflected, I usually remove all files
> in /var/lib/samba and /var/cache/samba and then rejoin the machine to
> the domain to make sure nothing is cached. It seems strange that this
> is necessary, caching is a good thing but when would changes be
> reflected if the cache files were never removed?
> It would be nice to know exactly how this is supposed to work as it's
> not completely clear to me if this is a bug or not.
> Andy

Looks like this is expected behavior

The documentation does sort of mention this at

"You must make sure that the primary group of the Unix users in the AD
is also Unix enabled (with a GID) (A user whose primary group is not
also a Unix group will not show up on Unix at all !) "

But it is not clear from that statement that primary group means
primaryGroupID (windows primary group) NOT gidNumber (rfc2307)
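
As an added example (not part of the thread and not Samba's own tooling), a small Python audit that mirrors what Andy observed: it parses constructed 'net ads search'-style output and, for each user, compares the gidNumber from the UNIX Attributes tab with the gidNumber of the group selected by primaryGroupID, so an admin can spot users whose files would land in an unexpected group and users whose primary group carries no gidNumber at all (the case the documentation quote warns about). All SIDs, account names and numbers in the sample are constructed; 512 and 513 are the well-known RIDs of Domain Admins and Domain Users.

```python
"""Added example (not code from the thread or from Samba): compare each user's
rfc2307 gidNumber with the gidNumber of the group whose RID equals the user's
primaryGroupID, which is the group winbind actually uses."""
from typing import Dict, List, Optional, Tuple
# Constructed sample in the 'attribute: value' layout 'net ads search' prints; SIDs,
# names and numbers are made up (512/513: well-known RIDs of Domain Admins/Users).
SAMPLE = """\
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111-2222-3333-512
gidNumber: 10010

sAMAccountName: project-x
objectSid: S-1-5-21-1111-2222-3333-1200

sAMAccountName: test
primaryGroupID: 513
gidNumber: 10010

sAMAccountName: alice
primaryGroupID: 512
gidNumber: 10010

sAMAccountName: bob
primaryGroupID: 1200
gidNumber: 10000
"""

def parse_entries(text: str) -> List[Dict[str, str]]:
    """One attribute dict per blank-line-delimited entry."""
    return [{k: v.strip() for k, _, v in
             (ln.partition(": ") for ln in blk.splitlines() if ": " in ln)}
            for blk in text.strip().split("\n\n")]

def audit(text: str) -> Dict[str, Tuple[int, Optional[int]]]:
    """user -> (gidNumber set on the user, gid winbind derives via primaryGroupID).
    None means the primary group has no gidNumber, so the user is invisible on Unix."""
    entries = parse_entries(text)
    # A group's RID is the last dash-separated field of its objectSid.
    group_gid = {int(e["objectSid"].rsplit("-", 1)[1]): e.get("gidNumber")
                 for e in entries if "objectSid" in e}
    report = {}
    for e in (u for u in entries if "primaryGroupID" in u):
        eff = group_gid.get(int(e["primaryGroupID"]))
        report[e["sAMAccountName"]] = (int(e["gidNumber"]), int(eff) if eff else None)
    return report
```

Against live AD, feed it the output of `net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectSid primaryGroupID gidNumber -P` instead of SAMPLE; any user whose two values differ is one whose wbinfo gid will not match the UNIX Attributes tab.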

