[Samba] (Samba 4.2.2) wbinfo -i does not get the (correct) unix primary group gid

Rowland Penny rowlandpenny at googlemail.com
Fri Jun 19 06:42:47 MDT 2015


On 19/06/15 13:12, Frank Grantz wrote:
> Hi Rowland,
>
>> Sent: Friday, 19 June 2015 at 13:52
>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] (Samba 4.2.2) wbinfo -i does not get the (correct) unix primary group gid
>>
>> On 19/06/15 12:26, Frank Grantz wrote:
>>> Hi Rowland,
>>>
>>>> Sent: Friday, 19 June 2015 at 12:22
>>>> From: "Rowland Penny" <rowlandpenny at googlemail.com>
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] (Samba 4.2.2) wbinfo -i does not get the (correct) unix primary group gid
>>>>
>>>>>     
>>>> OK, I now have a VM running Centos 7 with Sernet-Samba 4.2.2, this is
>>>> set up just like I would set up a Debian client and it works, 'wbinfo -i
>>>> rowland' returns nearly the same result as on a Debian client i.e.
>>>> Centos returns the Display Name as well.
>>>>
>>>> Centos:
>>>> wbinfo -i rowland
>>>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>>>
>>>> Debian:
>>>> wbinfo -i rowland
>>>> rowland:*:10000:10000::/home/rowland:/bin/bash
>>>>
>>>> 'id rowland' doesn't work on Centos, but I am sure that is only because
>>>> I haven't yet set up PAM.
>>>>
>>>> So, we need to know just how you installed samba, what packages have you
>>>> installed?
>>>>
>>> Sernet-Samba 4.2.2 on CentOS7 here, too. The other machine is Sernet-Samba 3.3.15 on CentOS 5.10.
>>>
>>> In your AD setup: what is gidNumber and primaryGroupID for user rowland?
>>>
>>> regards
>>>
>>> Frank
>>>
>> OK, this is my object in AD with the relevant attributes:
>>
>> dn: CN=Rowland Penny,CN=Users,DC=example,DC=com
>> primaryGroupID: 513
>> uid: rowland
>> msSFU30Name: rowland
>> msSFU30NisDomain: example
>> uidNumber: 10000
>> gidNumber: 10000
>> loginShell: /bin/bash
>> unixUserPassword: ABCD!efgh12345$67890
>> unixHomeDirectory: /home/rowland
>>
>> And this is the 'Domain Users' object:
>>
>> dn: CN=Domain Users,CN=Users,DC=example,DC=com
>> msSFU30NisDomain: example
>> msSFU30Name: Domain Users
>> gidNumber: 10000
>>
>> With AD, all users are automatically members of 'Domain Users' even
>> though they do not show as members in the 'Domain Users' object. If you
>> change a user's 'primaryGroupID' from 513 to the RID of another group,
>> you must add the user to the 'Domain Users' group as a member, it breaks
>> things if you don't :-)
>>
>> What you need to get your head around is:
>> RID = windows user or group
>> uidNumber = Unix user
>> gidNumber = Unix group
>> gidNumber in user's object = user's Unix primary group, not to be confused
>> with the 'primaryGroupID' attribute
>>
>> Rowland
>>
> In your setup CN=Rowland Penny has gidNumber: 10000 - which is coincidentally the same gidNumber that CN=Domain Users has.

It was no coincidence.
>
> If you change one of these numbers you will get different results with different versions of wbinfo. The question to me is: Do I have to change groups in my AD or will wbinfo/winbind change in a way that it will behave like the old version in this point again?

You shouldn't get different results, if you are, then either something 
is mis-set or there is a bug somewhere, a bug in anything before 4.x is 
very unlikely to be fixed.

If I remove the gidNumber in my object in AD, or change it, id & getent 
will still show the gidNumber for my primaryGroupID group, which in this 
case, is the well known RID 513, aka Domain Users, this number is 
'10000'. This is because winbind uses the primaryGroupID to get the 
gidNumber.

What could be interfering here is sssd on the CentOS client, I had to run:

  authconfig --enablewinbind --enablewins --enablewinbindauth \
    --smbsecurity ads --smbworkgroup=EXAMPLE --smbrealm EXAMPLE.COM \
    --smbservers=dc01.example.com --krb5realm=EXAMPLE.COM \
    --enablewinbindoffline --enablewinbindkrb5 \
    --winbindtemplateshell=/bin/sh --update --enablelocauthorize \
    --savebackup=/backups

Not sure if all of it is required, but that is what I ran (note it is so 
much easier on Debian, just install a package), I then changed 
/etc/nsswitch.conf to use winbind instead of sss for the group and 
passwd lines.

I had to do this before 'id' or 'getent' would work.

Rowland


>
> regards
>
> Frank
>
>
>
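
An added example, not part of the original thread and not Samba code: a small audit that reads user and group objects and reports every user whose own gidNumber differs from the gidNumber of the group named by primaryGroupID, which is the value the message above says winbind returns. The LDIF below is constructed, and the objectSid attribute, its made-up domain SID, the testuser entry and the function names are assumptions.

```python
# Added example: find users whose Unix primary group would differ depending on
# whether a client reads the user's gidNumber or follows primaryGroupID.
# SAMPLE_LDIF is constructed; objectSid uses a made-up domain SID.
SAMPLE_LDIF = """\
dn: CN=Rowland Penny,CN=Users,DC=example,DC=com
primaryGroupID: 513
uid: rowland
uidNumber: 10000
gidNumber: 10000

dn: CN=Test User,CN=Users,DC=example,DC=com
primaryGroupID: 513
uid: testuser
uidNumber: 10001
gidNumber: 20000

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000
"""

def parse_ldif(text):
    """Split simple single-valued LDIF into a list of attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value
        entries.append(entry)
    return entries

def audit_primary_groups(entries):
    """Return (uid, user_gid, primary_group_gid) for every mismatch."""
    # Map RID (last objectSid component) -> group gidNumber; None if unset.
    rid_to_gid = {e["objectSid"].rsplit("-", 1)[1]: e.get("gidNumber")
                  for e in entries if "objectSid" in e and "uidNumber" not in e}
    findings = []
    for e in entries:
        if "uidNumber" not in e:
            continue  # not a Unix-enabled user object
        effective = rid_to_gid.get(e.get("primaryGroupID"))
        if effective != e.get("gidNumber"):
            findings.append((e["uid"], e.get("gidNumber"), effective))
    return findings

if __name__ == "__main__":
    for uid, own, eff in audit_primary_groups(parse_ldif(SAMPLE_LDIF)):
        print(f"{uid}: gidNumber={own}, primaryGroupID group gidNumber={eff}")
```

A third field of None in a finding means the primary group has no gidNumber at all, or its object was not in the input.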



