[Samba] Change primaryGroupID [SOLVED]

Lars Hanke debian at lhanke.de
Sat Oct 25 16:26:57 MDT 2014

Am 25.10.2014 23:28, schrieb Rowland Penny:
> On 25/10/14 22:20, Lars Hanke wrote:
>> Currently, when CIFS users create files these get "Domain Users" as
>> their group. I would appreciate a different group in general and yet
>> another group for some selected users.
>> Googling until my fingers bled I learned that this group is somehow
>> magically encoded in the RID 513 set as primaryGroupID for all users.
>> With Samba3 there used to be commands like 'net groupmap' to list /
>> modify this mapping. But these commands apparently don't work anymore
>> in Samba4.
>> How do I assign / determine the RID of a group in Samba4?

Okay, at least I found out how to determine the RID. It's the final set 
of numbers of the group's SID.

> Use RFC2307 attributes, create a group, give it a gidNumber and if you
> use something on the Unix clients that will pull these attributes
> (nslcd,sssd,winbind ad backend) getent group <groupname> will display
> the result.

This is all working. But since "Domain Users" translates to "domain 
users" on my NAS, it breaks idmap for NFS4 and I can't use it. Don't 
know if I can safely change sAMAccountName of these default groups to 
lower case. It would simplify a lot.

I have to stick with winbind on the NAS. On the NAS it maps all users 
and groups, but ignores RFC2307 settings. On another system using the 
_same_ config, it obeys RFC2307, but drops some groups. That's why I use 
nslcd on the Linux clients - winbind is just insane!

>> And if I set this to primaryGroupID, will it be used for file creation
>> via CIFS?
> Not entirely sure, but you do not need to change the primaryGroupID, you
> can get CIFS to use the Unix group you created, Kerberos again!!

Kerberos determines the default group in CIFS access? You make me curious.

I changed primaryGroupID, restarted Samba on my NAS et voilà, winbind 
mapped the primary gid to my group and CIFS creates them right.

That's a good result for tonight ...
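
Added example, not part of the original post: the RID is the last sub-authority of a SID, and primaryGroupID stores only that RID, so the primary group's full SID is the user's domain SID plus primaryGroupID. The Python sketch below decodes a binary objectSid as returned over LDAP and derives both; the domain SID and the RIDs 1105 and 1110 are constructed sample values, and the function names are hypothetical.

```python
import struct

def parse_sid(raw: bytes) -> str:
    """Decode a binary objectSid (AD LDAP attribute) into S-1-... form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    # Identifier authority is 6 bytes big-endian; sub-authorities are
    # 32-bit little-endian integers.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])

def split_rid(sid: str):
    """Return (domain SID, RID); the RID is the final set of numbers."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """primaryGroupID is a RID relative to the user's own domain."""
    domain, _ = split_rid(user_sid)
    return "%s-%d" % (domain, primary_group_id)

def pack_sid(authority: int, subs) -> bytes:
    """Build a binary SID; used here only to construct the sample input."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

# Constructed sample data: a made-up domain, user RID 1105, group RID 1110.
SAMPLE_DOMAIN = (21, 1111111111, 2222222222, 3333333333)
SAMPLE_USER_RAW = pack_sid(5, SAMPLE_DOMAIN + (1105,))
SAMPLE_GROUP_RAW = pack_sid(5, SAMPLE_DOMAIN + (1110,))

if __name__ == "__main__":
    user_sid = parse_sid(SAMPLE_USER_RAW)
    group_sid = parse_sid(SAMPLE_GROUP_RAW)
    _, group_rid = split_rid(group_sid)
    print("user SID:          ", user_sid)
    print("default group SID: ", primary_group_sid(user_sid, 513))
    print("new group RID:     ", group_rid)
    print("new primary group: ", primary_group_sid(user_sid, group_rid))
```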
