[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

Rowland Penny rowlandpenny241155 at gmail.com
Thu Nov 12 13:42:01 UTC 2015

On 12/11/15 13:22, mathias dufresne wrote:
> 2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>     On 11/11/15 06:52, Michael Adam wrote:
>         On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>             On 10/11/15 13:42, mathias dufresne wrote:
>                 Thank you for this quick answer Louis.
>                 On DC:
>                 On DC I had to add one line to have winbind retrieving the
>                 uidNumber AD field rather than having Winbind choosing some
>                 random UID for my users.
>                 This line is:
>                 idmap_ldb:use rfc2307 = yes
>                 as explained in
>                 https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>                 That's a start.
>                 Unfortunately winbind is still giving my users a GID number
>                 set to 100, which is the "Domain Users" group, when my users
>                 have the gidNumber attribute set.
>             Unfortunately the contents of the 'gidNumber' attribute are
>             not used for the user's GID; you need to give 'Domain Users' a
>             gidNumber and this is what will be used.
>         That is not unfortunate, but the right thing to do (imho),
>         because the domain users group (or whatever the primary AD
>         level group is for the user) is what will appear in the access
>         token when the user accesses a file server.
>     Well, it is unfortunate if you expected it to be used, but yes it
>     is the right thing to do.
> No more comment. For today :p
>         We can think about making the use of the gidNumber attribute
>         a configurable option (at least for the start in the domain
>         member case with idmap_ad). But again, the right thing to do
>         is use the SID-level primary group for primary gid of the unix
>         user.
>     You don't actually need the gidNumber, every user's primary group
>     is 'Domain Users'. You can change this, but it is slightly
>     complicated and it breaks things on Windows.
> Seriously Rowland...
> First it is not complicated, changing one attribute value for one user 
> or for all users in AD DB is not something complicated. A bit of LDIF, 
> a bit of ldbmodify, nothing complex.

Go on, try it, change a user's primary group ID by just changing their 
'primaryGroupID', you will find it doesn't work, it is more involved 
than that.

> But I agree changing the primaryGroupID value would be dangerous. 
> Dangerous because of my lack of knowledge about the Windows world.

If you have Windows users and change a user's primary group ID, it could 
break something because Windows expects every user to be a member of 
Domain Users.

> To avoid side effects I would change that value and add a memberOf 
> attribute to my users so that they are still in "Domain Users". Doing 
> that I could use Winbind to retrieve my AD users on UNIX systems, they 
> would have something else than 100 as GID and they would be in "Domain 
> Users". Until some user is not well created by some dude not paid 
> enough to read carefully the doc or too tired to pay attention. Then 
> understanding what is missing for this newly created user would be fun...

You could do this, but it could get terribly messy.

> I expect the fact that in RFC2307 there is a dedicated attribute to host 
> the UNIX Primary Group ID (namely gidNumber) is to avoid all the issues 
> described earlier (and most certainly more).

Yes, but you do not need the gidNumber.


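The two settings the thread agrees on for a Samba AD DC, as an added example that is not part of the thread and not Samba project code: the `idmap_ldb:use rfc2307 = yes` line that makes winbind read uidNumber from AD, the LDIF that gives 'Domain Users' a gidNumber (the value winbind actually uses as every user's primary GID, regardless of the user's own gidNumber), and a check on the resulting passwd entry. The base DN `DC=samdom,DC=example,DC=com`, the GID 10000, the sam.ldb path and the sample passwd line are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Illustrative assumptions: the domain base DN, the gidNumber 10000
# chosen for "Domain Users", and the DC's sam.ldb path below.
set -e

BASE_DN=${BASE_DN:-DC=samdom,DC=example,DC=com}
DU_GID=${DU_GID:-10000}
SAM_LDB=${SAM_LDB:-/var/lib/samba/private/sam.ldb}

# The [global] line the thread says a DC needs so that winbind reads
# uidNumber from AD instead of allocating an xidNumber in idmap.ldb.
dc_smbconf_line() {
    printf '%s\n' 'idmap_ldb:use rfc2307 = yes'
}

# LDIF giving "Domain Users" a gidNumber. winbind takes every user's
# primary GID from this value, not from the user's own gidNumber.
domain_users_ldif() {
    printf 'dn: CN=Domain Users,CN=Users,%s\n' "$1"
    printf 'changetype: modify\n'
    printf 'replace: gidNumber\n'
    printf 'gidNumber: %s\n' "$2"
}

# Field 4 of a passwd(5) line is the primary GID winbind resolved.
passwd_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Succeeds when the user's primary GID is the Domain Users gidNumber,
# which is what a correctly configured winbind should report. A GID of
# 100 (the thread's symptom) means Domain Users still has no gidNumber.
check_primary_gid() {
    [ "$(passwd_gid "$1")" = "$2" ]
}

# Modify AD only when asked (APPLY=yes) and the ldb tools exist;
# otherwise just show what would be applied.
apply_on_dc() {
    if [ "${APPLY:-no}" = yes ] && command -v ldbmodify >/dev/null 2>&1; then
        tmp=$(mktemp)
        domain_users_ldif "$BASE_DN" "$DU_GID" >"$tmp"
        ldbmodify -H "$SAM_LDB" "$tmp"
        rm -f "$tmp"
        net cache flush              # drop winbind's cached id mappings
        getent group 'Domain Users'  # should now show the chosen GID
    else
        echo "Add to [global] in smb.conf on the DC:"
        printf '    %s\n' "$(dc_smbconf_line)"
        echo "Then apply this LDIF with: ldbmodify -H $SAM_LDB <file>"
        domain_users_ldif "$BASE_DN" "$DU_GID"
    fi
}

# Constructed sample passwd line, as winbind would return it for a user
# with uidNumber 10001 once Domain Users has gidNumber 10000.
SAMPLE='SAMDOM\alice:*:10001:10000:alice:/home/SAMDOM/alice:/bin/bash'
if check_primary_gid "$SAMPLE" "$DU_GID"; then
    echo "sample user resolves to primary GID $DU_GID (Domain Users)"
fi

apply_on_dc
```

Run it without `APPLY=yes` to see the smb.conf line and the LDIF; with `APPLY=yes` on the DC it writes the attribute and flushes winbind's cache. On a domain member using the idmap_ad backend the equivalent is `idmap config DOMAIN : schema_mode = rfc2307` with the same gidNumber on Domain Users; later Samba releases (4.6 and up) also added the `unix_primary_group = yes` option to idmap_ad, which is the configurable use of the user's own gidNumber that Michael Adam floats above.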