[Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)

Werthmuller, Derek dwerthmu at ctg.albany.edu
Fri Nov 15 12:55:17 MST 2013

I don't believe that samba-tool allows you to manage group IDs (gid) the same way as when you create new users, like:
samba-tool user add <username> --uid-number=5000 --gid-number=5000 --home-directory=/exports/users/<username> --login-shell=/bin/bash

It would be great if you could do:  /usr/bin/samba-tool group add <groupname> --gid-number=6000

I have seen references on the net about using ldapmodify to add/modify the gid for a group created via samba-tool.

-bash-4.1$ /usr/bin/samba-tool -V

bash-4.1$ /usr/bin/samba-tool  group add -h

  -h, --help            show this help message and exit
  -H URL, --URL=URL     LDB URL for database or target server
  --groupou=GROUPOU     Alternative location (without domainDN counterpart) to
                        default CN=Users in which new user object will be
                        Group scope (Domain | Global | Universal)
                        Group type (Security | Distribution)
                        Group's description
                        Group's email address
  --notes=NOTES         Groups's notes

  Samba Common Options:
    -s FILE, --configfile=FILE
                        Configuration file
    -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
                        debug level
    --option=OPTION     set smb.conf option from command line
    --realm=REALM       set the realm name

  Credentials Options:
                        DN to use for a simple bind
    -U USERNAME, --username=USERNAME
    -W WORKGROUP, --workgroup=WORKGROUP
    -N, --no-pass       Don't ask for a password
    -k KERBEROS, --kerberos=KERBEROS
                        Use Kerberos
                        IP address of server

  Version Options:
    -V, --version       Display version number

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
Sent: Monday, October 28, 2013 2:39 AM
To: samba at lists.samba.org
Subject: Re: [Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)

On Mon, 2013-10-28 at 10:55 +1100, Trent W. Buck wrote:
> After a classicupgrade, I noticed some users and many groups were
> missing from samba4 that had been in samba3's LDAP.
> "No problem," I thought.  "I'll just 'samba-tool group add' them."
> Except that groups created that way don't have things like gidNumber
> and objectClass: posixGroup, which means that nss_ldapd can't see them.
> Can I tell samba-tool to manage RFC2307 attributes as well as AD
> attributes?

Not with 4.0.9. You need 4.1 to be able to do that with samba-tool. Running
samba-tool group create --help
will get you a list of the rfc2307 syntax.

> I can't find anything relevant in the smb.conf(5) manpage.
> I wouldn't even care about this, but nss_winbind sees fewer accounts
> than wbinfo, which in turn sees fewer accounts than samba-tool!  So I
> gave up and fell back to nss-ldapd, thinking I was saved -- but now it
> seems the workaround only works for classicupgraded accounts, not new ones.

classicupgrade accounts that had gidNumber will retain it. New groups do not have the gidNumber added. You can easily add it yourself using ldbmodify immediately after the group is created. For the Samba4 schema, you do not need to add the posixGroup class.

> I also thought about telling nslcd.conf to turn the SIDs into posix 
> UIDs and GIDs on its own, but I can't see how to do that.  The AD 
> schema appears to store objectSid as a binary attr.  I'm not even sure 
> how to dump the ad schema as I would have examined cn=config in OpenLDAP.

There is a copy of the schema at:

If you want everything to just work, I'd suggest sssd v1.10 or newer, which has a very good AD backend for the kind of thing you want.

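The workaround steve describes (create the group with samba-tool, then add gidNumber with ldbmodify, no posixGroup class needed) as a worked script. This is an added example, not code from the thread or from the Samba project. The sam.ldb path, the domain DN DC=example,DC=com and the assumption that the group lands in the default CN=Users container are all my own; adjust them for your DC.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: create a group with
# samba-tool on a 4.0.x AD DC and then add the RFC2307 gidNumber that
# "samba-tool group add" omits, using ldbmodify as steve suggests.
# Assumed (not stated in the thread): the sam.ldb path and domain DN below,
# and that the new group lands in the default CN=Users container.
set -eu

SAM_LDB="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"   # assumed path
BASE_DN="${BASE_DN:-DC=example,DC=com}"                  # assumed domain DN

# A gidNumber must be a plain non-negative integer; anything else is
# rejected before it gets anywhere near the directory.
valid_gid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Group names are spliced into a DN, so refuse DN metacharacters rather
# than trying to escape them (RFC 4514 specials: , + " \ < > ; =).
valid_group_name() {
    [ -n "$1" ] && [ "$(printf '%s' "$1" | tr -d ',+"<>;=\\')" = "$1" ]
}

# LDIF that adds gidNumber to an existing group. On the Samba AD schema the
# attribute is allowed directly on the group object, so no
# "objectClass: posixGroup" is added (as steve notes).
gid_ldif() {
    printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' \
        "$1" "$BASE_DN" "$2"
}

# Create the group, stamp the gidNumber, then read it back to confirm.
add_posix_group() {
    group="$1"; gid="$2"
    valid_group_name "$group" || { echo "bad group name: $group" >&2; return 1; }
    valid_gid "$gid"          || { echo "bad gidNumber: $gid" >&2; return 1; }
    samba-tool group add "$group"
    gid_ldif "$group" "$gid" | ldbmodify -H "$SAM_LDB"
    ldbsearch -H "$SAM_LDB" -b "CN=$group,CN=Users,$BASE_DN" -s base gidNumber
}

# Usage: sh addgroup.sh <groupname> <gidNumber>
# Where samba-tool is not on PATH (e.g. on a workstation) it only prints
# the LDIF so you can inspect it before feeding it to ldbmodify on the DC.
if [ $# -ge 2 ]; then
    if command -v samba-tool >/dev/null 2>&1; then
        add_posix_group "$1" "$2"
    else
        gid_ldif "$1" "$2"
    fi
fi
```

Run it as root on the DC (ldbmodify needs write access to sam.ldb) and check that the final ldbsearch prints the gidNumber you asked for; if your groups are created with --groupou, change the DN in gid_ldif accordingly.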