[Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
Andrew Lyon
andrew.lyon at gmail.com
Sun Oct 24 09:20:28 MDT 2010
On Sun, Oct 24, 2010 at 2:46 PM, Andrew Lyon <andrew.lyon at gmail.com> wrote:
>> -----Original Message-----
>> From: Andrew Lyon [mailto:andrew.lyon at gmail.com]
>> Sent: Freitag, 22. Oktober 2010 11:50
>> To: Oliver Weinmann
>> Cc: samba at lists.samba.org
>> Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
>>
>> On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann <oliver.weinmann at vega.de> wrote:
>>> Hi,
>>>
>>> Any news regarding this problem? I have tested samba 3.5.6 and the
>>> problem still persists. I had to downgrade to 3.3 on a few machines now.
>>>
>>> Regards,
>>> Oliver
>>>
>>> -----Original Message-----
>>> From: samba-bounces at lists.samba.org
>>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Oliver Weinmann
>>> Sent: Donnerstag, 9. September 2010 13:13
>>> To: samba at lists.samba.org
>>> Subject: [Samba] Samba-winbind 3.5.4 primary group is always
>>> domainusers!!!???
>>>
>>> Dear All,
>>>
>>> I stepped over a strange issue today. I have one installation of samba
>>> winbind 3.3.2 on a Ubuntu machine. Changing the primary unix group of
>>> a user is updated immediately. On a newer samba 3.5.4 installation the
>>> primary group is not updated at all. It always displays "domain users".
>>> Is there a new setting for the smb.conf? Here is my smb.conf:
>>>
>>> [global]
>>> netbios name = gedail1
>>> realm = SOMEDOMAIN.NET
>>> workgroup = SOMEDOMAIN
>>> security = ADS
>>> encrypt passwords = true
>>> password server = server1.somedomain.net server2.somedomain.net
>>> os level = 20
>>> idmap backend = ad
>>> idmap config SOMEDOMAIN : backend = ad
>>> idmap config SOMEDOMAIN : schema_mode = sfu
>>> idmap config SOMEDOMAIN : range = 0-99999999
>>> winbind nss info = sfu
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> preferred master = no
>>> winbind nested groups = Yes
>>> winbind use default domain = Yes
>>> max log size = 50
>>> log level = 10
>>> log file = /var/log/samba/log.%m
>>> dns proxy = no
>>> wins server = 172.20.200.18 172.18.200.20
>>> allow trusted domains = no
>>> client use spnego = Yes
>>> use kerberos keytab = true
>>> winbind refresh tickets = yes
>>> idmap cache time = 1
>>> winbind cache time = 1
>>>
>>> It's a W2k3 AD Domain.
>>>
>>> Regards,
>>> Oliver
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>> ______________________________________________________________________
>>> This email has been scanned by the MessageLabs Email Security System.
>>> For more information please visit http://www.messagelabs.com/email
>>> ______________________________________________________________________
>>>
>>
>> I've noticed the same with samba 3.5.6, our administrator user has primary group name/gid Domain Admins but the primary group on our linux systems is domain users.
>>
>> I've noticed that searching AD for users with rfc2307/sfu attributes shows the correct gid:
>>
>> net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P
>>
>> sAMAccountName: Domain Users
>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
>> gidNumber: 10000
>>
>> sAMAccountName: test
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
>> uidNumber: 10009
>> gidNumber: 10010
>>
>> The gid returned is correct, and if I change it and remove the cache file it updates, so it is definitely being read from AD, but all users have gid domain users:
>>
>> wbinfo -i test
>> test:*:10009:10000:test:/home/test:/bin/bash
>>
>> Andy
>>
>>
> On Fri, Oct 22, 2010 at 10:55 AM, Oliver Weinmann
> <oliver.weinmann at vega.de> wrote:
>>> Good to know that I'm not the only one facing this serious problem. I would really like to know why this is not the case under samba 3.3. Currently I have stopped upgrading from 3.3 to 3.5.x because this problem is generating a lot of trouble for us when users of different projects create files and they are read/write for all members of domain users. The only way around this is to use the SGID on the folder to inherit the project group.
>
> Hi,
>
> I've been looking at this again and found that the primary gid is read
> from the user's primary windows group, not the one set in the UNIX
> attributes tab which is added by registering nisprop.dll.
>
> To change the windows primary group go to the "Member Of" tab in ADUC,
> highlight the group and click "Set Primary Group", for example I set
> user test to have domain admins as primary group:
>
> uid=10009(test) gid=10010(domain_admins)
> groups=10010(domain_admins),10000(domain_users)
>
> The Primary group name/GID in UNIX Attributes seems to be unused by
> winbind with sfu/rfc2307.
>
> I have noticed other strange things with the UNIX Attributes tab, for
> example adding a user to a group through the unix attribs tab or
> "member of" tab does not result in the user being listed as a member
> of the group in the Members section of the UNIX Attributes tab when
> viewing the group properties, it's as if the unix gids for a given user
> and uids which are members of a given group are stored separately.
>
> I'm going to read up on the Microsoft documentation for SFU...
>
> Note that after making changes like this it is necessary to remove
> cache files before the change is reflected, I usually remove all files
> in /var/lib/samba and /var/cache/samba and then rejoin the machine to
> the domain to make sure nothing is cached. It seems strange that this
> is necessary, caching is a good thing but when would changes be
> reflected if the cache files were never removed?
>
> It would be nice to know exactly how this is supposed to work as it's
> not completely clear to me if this is a bug or not.
>
> Andy
>
Looks like this is expected behavior
http://readlist.com/lists/lists.samba.org/samba/1/6417.html
The documentation does sort of mention this at
http://wiki.samba.org/index.php/Samba_&_Active_Directory
"You must make sure that the primary group of the Unix users in the AD
is also Unix enabled (with a GID) (A user whose primary group is not
also a Unix group will not show up on Unix at all !) "
But it is not clear from that statement that primary group means
primaryGroupID (windows primary group) NOT gidNumber (rfc2307)
Andy
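The following is an added example, not code from the thread or from the Samba project: a small check that applies what Andy worked out above (in sfu/rfc2307 mode winbind takes the Unix primary gid from the group named by primaryGroupID, not from the user's own gidNumber). It parses constructed records in the `attr: value` format that `net ads search` prints; the SIDs, RIDs, account names and id numbers are made up.

```python
# Constructed sample in the 'attr: value' record format that `net ads search`
# prints; every SID, RID, name and id number here is made up.
SAMPLE = """\
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

sAMAccountName: project-x
objectSid: S-1-5-21-1111-2222-3333-1105

sAMAccountName: test
objectSid: S-1-5-21-1111-2222-3333-1110
primaryGroupID: 513
uidNumber: 10009
gidNumber: 10010

sAMAccountName: alice
objectSid: S-1-5-21-1111-2222-3333-1111
primaryGroupID: 1105
uidNumber: 10011
gidNumber: 10011
"""


def parse_records(text):
    """Split blank-line-separated 'attr: value' blocks into one dict each."""
    return [dict(line.partition(": ")[::2] for line in block.splitlines())
            for block in text.strip().split("\n\n")]


def check_primary_groups(text):
    """Return {user: problem} for users whose winbind primary gid differs from
    their gidNumber, or whose Windows primary group has no gidNumber at all."""
    recs = parse_records(text)
    # Groups are the records without primaryGroupID; key them by RID (last SID part).
    groups = {r["objectSid"].rsplit("-", 1)[1]: r
              for r in recs if "primaryGroupID" not in r}
    problems = {}
    for user in (r for r in recs if "primaryGroupID" in r):
        grp = groups.get(user["primaryGroupID"])
        if grp is None or "gidNumber" not in grp:
            # The case the quoted wiki sentence warns about: such a user will not resolve.
            problems[user["sAMAccountName"]] = "primary group is not Unix-enabled"
        elif grp["gidNumber"] != user.get("gidNumber"):
            problems[user["sAMAccountName"]] = "gidNumber %s ignored; winbind uses %s (%s)" % (
                user.get("gidNumber"), grp["gidNumber"], grp["sAMAccountName"])
    return problems
```

Feeding it real `net ads search '(|(uidNumber=*)(gidNumber=*))' sAMAccountName objectSid primaryGroupID uidNumber gidNumber` output lists every account whose files would land in an unexpected group, which is the permission problem Oliver describes.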