[Samba] Winbind troubles

steve steve at steve-ss.com
Tue Jul 23 09:47:16 MDT 2013

On Tue, 2013-07-23 at 15:04 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
> > Could this be yet another reason to use sssd instead of winbind?
> > 
> > sssd does use the account gidNumber
> > 
> > testuser
> > 
> > primaryGroupID: 513
> > uidNumber: 3001106
> > gidNumber: 20513
> > 
> > getent passwd testuser
> > testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash
> > 
> > 
> Not what I said. The primaryGroupID is an identifier for a group in AD,
> bit like a SID is (I don't get that either). So primaryGroupID 513 might
> refer to a group called sambausers, which has its own set of
> RFC2307bis attributes which include a gidNumber. Winbind uses the
> gidNumber of the primaryGroupID, not the primaryGroupID itself which is
> something entirely different.

I'd put good money on this working as both group and primary group:
getent group Domain\ Users
Domain Users:*:20513:
 ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
whenChanged: 20130605152357.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
uSNChanged: 3792
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site

There are problems in setting primaryGroupID to groups other than Domain
Users using S4, but as I understand it, the primary group determines the
default group ownership of a file when a user creates it. He could be in
many groups, but files he creates will by default belong to the primary
group.

> As such your example does not show what you think it does show because
> you have not shown the gidNumber of the group identified by
> primaryGroupID 513. I would say even if sssd uses the gidNumber of the
> user it would in my opinion be good practice to keep the gidNumber of
> the user the same as the gidNumber of the Windows primary group.
> Sometimes my mind boggles at just how much people don't understand AD
> and Samba in the Linux/Unix world.
> JAB.
> -- 
> Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
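Jonathan's rule above (the domain SID plus the primaryGroupID names a group, and winbind takes that group's gidNumber, whereas sssd reads the user's own gidNumber), as an added example that is not code from this thread or from Samba: it parses ldbsearch-style output like the dump earlier in the mail and reports, per user, whether the two views agree. The sample records are constructed; the group values are copied from the post, the user record is made up.

```python
# Constructed sample in ldbsearch output format (group values from the post, user made up)
SAMPLE_LDIF = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
objectClass: group
gidNumber: 20513
# record 2
dn: CN=testuser,CN=Users,DC=hh3,DC=site
objectSid: S-1-5-21-451355595-2219208293-2714859210-1106
sAMAccountName: testuser
objectClass: user
primaryGroupID: 513
gidNumber: 20513
"""

def parse_ldif(text):
    """Split ldbsearch output into records (attribute -> list of values)."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last record
        if line.startswith("#") or not line.strip():
            if cur:
                records.append(cur); cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr, []).append(val)
    return records

def winbind_primary_gid(user, groups_by_sid):
    """Winbind's rule: <domain SID>-<primaryGroupID> names the group; use that group's gidNumber."""
    domain_sid = user["objectSid"][0].rsplit("-", 1)[0]
    group = groups_by_sid.get(f"{domain_sid}-{user['primaryGroupID'][0]}")
    if group is None or "gidNumber" not in group:
        return None   # group missing or lacking an RFC2307 gidNumber: nothing for winbind to map to
    return int(group["gidNumber"][0])

def check_primary_groups(text):
    """Per user: (winbind gid, the user's own gidNumber as sssd uses it, whether the two agree)."""
    recs = parse_ldif(text)
    groups = {r["objectSid"][0]: r for r in recs if "group" in r.get("objectClass", [])}
    result = {}
    for r in recs:
        if "primaryGroupID" in r:
            wb = winbind_primary_gid(r, groups)
            own = int(r["gidNumber"][0]) if "gidNumber" in r else None
            result[r["sAMAccountName"][0]] = (wb, own, wb is not None and wb == own)
    return result
```

Feed check_primary_groups() the text of an ldbsearch run that returns both users and groups with the objectSid, sAMAccountName, objectClass, primaryGroupID and gidNumber attributes; any user whose tuple ends in False will get a different primary group from winbind than from sssd.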
