[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

Wed Nov 11 08:11:39 UTC 2015

On 11/11/15 06:52, Michael Adam wrote:
> On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>> On 10/11/15 13:42, mathias dufresne wrote:
>>> Thank you for this quick answer Louis.
>>>
>>> On DC:
>>>
>>> On DC I had to add one line to have winbind retrieving uidNumber AD field
>>> rather than having Winbind chosing some random UID for my users.
>>> This line is:
>>>
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> as explained in https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>
>>> That's a start.
>>>
>>> Unfortunately winbind is still giving my users GID number set to 100, which
>>> is "Domain Users" group, when my users have gidNumber attribute set.
>> unfortunately the contents of the 'gidNumber' attribute is not used for the
>> users GID, you need to give 'Domain Users' a gidNumber and this is what will
>> be used.
> That is not unfortunate, but the right thing to do (imho),
> because the domain users group (or whatever the primary AD
> level group is for the user) is what will appear in the access
> token when the user accesses a file server.

Well, it is unfortunate if you expected it to be used, but yes it is the 
right thing to do.

>
> We can think about making the use of the gidNumber attribute
> a configurable option (at least for the start in the domain
> member case with idmap_ad). But again, the right thing to do
> is use the SID-level primary group for primary gid of the unix
> user.

You don't actually need the gidNumber, every users primary group is 
'Domain Users', you can change this, but it is slightly complicated and 
it breaks things on windows.

>
>
>>> Same for shell, in AD loginShell is defined to /bin/bash for all my UNIX
>>> users and winbind gives /bin/false on DC. Perhaps that's what it expected
>>> by that tool but I still found that behaviour very confusing.
>>> Please note I know there is a "template shell" option in smb.conf.
>>> Unfortunately this option is, I think, to set all shell equal to that
>>> template, for all users. That's not what we need. If some user in AD wants
>>> to use CSH, this user must have a shell set to /bin/csh (or wherever it is
>>> installed), if some user has to be set to /bin/false, it must be. And for
>>> most of our users they would receive /bin/bash because it is what we
>>> configure in loginShell by default.
>> You can only use the 'template' lines on the DC, if you need to have
>> different home dirs or shells, use a member server.
> As discussed elsewhere, we should add the feature to use the AD
> attributes (configurably).  Someone has to find the time to
> implement the changes.

I think this really needs to be given a bit more priority than it has in 
the past, get this working and you get a good replacement for the now 
defunct SBS server.

Rowland