[Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)

Rowland Penny rowlandpenny at googlemail.com
Fri Nov 15 13:08:42 MST 2013

On 15/11/13 19:55, Werthmuller, Derek wrote:
> I don't believe that samba-tool allows you to manage group IDs (gid) the same way as when you create new users, like:
> samba-tool user add <username> --uid-number=5000 --gid-number=5000 --home-directory=/exports/users/<username> --login-shell=/bin/bash
> Would be great if you could do: /usr/bin/samba-tool group add <groupname> --gid-number=6000
> Have seen references on the net about using ldapmodify to add/modify the gid for a group created via samba-tool.
> -bash-4.1$ /usr/bin/samba-tool -V
> 4.1.1-SerNet-RedHat-7.el6S
> bash-4.1$ /usr/bin/samba-tool  group add -h
> Options:
>    -h, --help            show this help message and exit
>    -H URL, --URL=URL     LDB URL for database or target server
>    --groupou=GROUPOU     Alternative location (without domainDN counterpart) to
>                          default CN=Users in which new user object will be
>                          created
>    --group-scope=GROUP_SCOPE
>                          Group scope (Domain | Global | Universal)
>    --group-type=GROUP_TYPE
>                          Group type (Security | Distribution)
>    --description=DESCRIPTION
>                          Group's description
>    --mail-address=MAIL_ADDRESS
>                          Group's email address
>    --notes=NOTES         Groups's notes
>    Samba Common Options:
>      -s FILE, --configfile=FILE
>                          Configuration file
>      -d DEBUGLEVEL, --debuglevel=DEBUGLEVEL
>                          debug level
>      --option=OPTION     set smb.conf option from command line
>      --realm=REALM       set the realm name
>    Credentials Options:
>      --simple-bind-dn=DN
>                          DN to use for a simple bind
>      --password=PASSWORD
>                          Password
>      -U USERNAME, --username=USERNAME
>                          Username
>      -W WORKGROUP, --workgroup=WORKGROUP
>                          Workgroup
>      -N, --no-pass       Don't ask for a password
>      -k KERBEROS, --kerberos=KERBEROS
>                          Use Kerberos
>      --ipaddress=IPADDRESS
>                          IP address of server
>    Version Options:
>      -V, --version       Display version number
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of steve
> Sent: Monday, October 28, 2013 2:39 AM
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba-tool group add omits RFC2307 attributes (4.0.9 as AD DC)
> On Mon, 2013-10-28 at 10:55 +1100, Trent W. Buck wrote:
>> After a classicupgrade, I noticed some users and many groups were
>> missing from samba4 that had been in samba3's LDAP.
>> "No problem," I thought.  "I'll just 'samba-tool group add' them."
>> Except that groups created that way don't have things like gidNumber
>> and objectClass: posixGroup, which means that nss_ldapd can't see them.
>> Can I tell samba-tool to manage RFC2307 attributes as well as AD
>> attributes?
> Not with 4.0.9. You need 4.1 to be able to do that with samba-tool. With
> 4.1:
> samba-tool group create --help
> will get you a list of rfc2307 syntax.
>> I can't find anything relevant in the smb.conf(5) manpage.
>> I wouldn't even care about this, but nss_winbind sees fewer accounts
>> than wbinfo, which in turn sees fewer accounts than samba-tool!  So I
>> gave up and fell back to nss-ldapd, thinking I was saved -- but now it
>> seems the workaround only works for classicupgraded accounts, not new ones.
> classicupgrade accounts that had gidNumber will retain it. New groups do not have the gidNumber added. You can easily add it yourself using ldbmodify immediately after the group is created. For the Samba4 schema, you do not need to add the posixGroup class.
>> I also thought about telling nslcd.conf to turn the SIDs into posix
>> UIDs and GIDs on its own, but I can't see how to do that.  The AD
>> schema appears to store objectSid as a binary attr.  I'm not even sure
>> how to dump the ad schema as I would have examined cn=config in OpenLDAP.
> There is a copy of the schema at:
> YOURSAMBADIR/share/setup/ad-schema
> If you want everything to just work, I'd suggest sssd v1.10 or newer which has a very good AD backend for stuff like you want.
> Steve
Hi, a guy called Stephane Purnelle has proposed a patch for samba-tool
to do this, but I keep objecting to it because it also adds the
posixGroup objectClass. Windows never adds this, so I think that
samba-tool shouldn't either. No one from the devs ever responds.
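
The workaround Steve describes (ldbmodify right after the group is created), done the way Rowland argues it should be, adding gidNumber only and no posixGroup objectClass. This is an added example, not a script from the thread or from Samba; the sam.ldb path, the domain DN and the group name are assumptions.

```shell
#!/bin/sh
# Added example: give a freshly created AD group an RFC2307 gidNumber with
# ldbmodify, without touching objectClass. Paths/DNs below are assumptions.
set -eu

# Build the LDIF for a single modify operation that adds gidNumber only.
# $1 = group DN, $2 = gidNumber
gid_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: gidNumber\ngidNumber: %s\n' "$1" "$2"
}

# ldb stores any string you hand it, so reject non-numeric gids up front.
valid_gid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Create the group, add gidNumber, then show the result for inspection.
# $1 = group name, $2 = gidNumber, $3 = domain DN (assumed default below)
add_posix_group() {
    name=$1; gid=$2
    base=${3:-DC=samdom,DC=example,DC=com}        # assumption: your domain DN
    sam=${SAM_LDB:-/var/lib/samba/private/sam.ldb} # assumption: Debian-style path
    valid_gid "$gid" || { echo "bad gidNumber: $gid" >&2; return 1; }
    samba-tool group add "$name"
    # samba-tool puts new groups under CN=Users unless --groupou is given.
    gid_ldif "CN=$name,CN=Users,$base" "$gid" | ldbmodify -H "$sam"
    # Verify: gidNumber is set and objectClass still has no posixGroup entry.
    ldbsearch -H "$sam" -b "$base" "(&(cn=$name)(gidNumber=$gid))" \
        objectClass gidNumber
}

# Only act when called with arguments, so the file can also be sourced.
if [ $# -ge 2 ]; then
    add_posix_group "$@"
fi
```

Usage: `sh addgid.sh devs 6000` (optionally a third argument with your domain DN); it needs samba-tool, ldbmodify and ldbsearch on the DC.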

