[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Nov 12 13:42:01 UTC 2015
On 12/11/15 13:22, mathias dufresne wrote:
>
>
> 2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
> On 11/11/15 06:52, Michael Adam wrote:
>
> On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>
> On 10/11/15 13:42, mathias dufresne wrote:
>
> Thank you for this quick answer Louis.
>
> On DC:
>
> On DC I had to add one line to have winbind retrieving
> uidNumber AD field
> rather than having Winbind choosing some random UID for
> my users.
> This line is:
>
> idmap_ldb:use rfc2307 = yes
>
> as explained in
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> That's a start.
>
> Unfortunately winbind is still giving my users GID
> number set to 100, which
> is "Domain Users" group, when my users have gidNumber
> attribute set.
>
> unfortunately the contents of the 'gidNumber' attribute is
> not used for the
> users GID, you need to give 'Domain Users' a gidNumber and
> this is what will
> be used.
>
> That is not unfortunate, but the right thing to do (imho),
> because the domain users group (or whatever the primary AD
> level group is for the user) is what will appear in the access
> token when the user accesses a file server.
>
>
> Well, it is unfortunate if you expected it to be used, but yes it
> is the right thing to do.
>
>
> No more comment. For today :p
>
>
>
>
> We can think about making the use of the gidNumber attribute
> a configurable option (at least for the start in the domain
> member case with idmap_ad). But again, the right thing to do
> is use the SID-level primary group for primary gid of the unix
> user.
>
>
> You don't actually need the gidNumber, every user's primary group
> is 'Domain Users', you can change this, but it is slightly
> complicated and it breaks things on windows.
>
>
> Seriously Rowland...
>
> First it is not complicated, changing one attribute value for one user
> or for all users in AD DB is not something complicated. A bit of LDIF,
> a bit of ldbmodify, nothing complex.
Go on, try it, change a user's primary group ID by just changing their
'primaryGroupID', you will find it doesn't work; it is more involved
than that.
> But I agree changing primaryGroupID value would be dangerous.
> Dangerous because of my lack of knowledge about Windows world.
If you have windows users and change a user's primary group ID, it could
break something because windows expects every user to be a member of
Domain Users.
> To avoid side effects I would change that value and add a memberOf
> attribute to my users so that they are still in "Domain Users". Doing that
> I could use Winbind to retrieve my AD users on UNIX systems, they
> would have something else than 100 as GID and they would be in "Domain
> Users". Until some user is not well created by some dude not paid
> enough to read carefully the doc or too tired to pay attention. Then
> to understand what is missing for this newly-created user would be fun...
You could do this, but it could get terribly messy.
>
> I expect the fact that in RFC2307 there is a dedicated attribute to host
> the UNIX Primary Group ID (namely gidNumber) is to avoid all (and most
> certainly more) issues described earlier.
Yes, but you do not need the gidNumber.
Rowland
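The resolution rule argued over in this thread, written out as a small Python model. This is an added example, not part of the mailing-list post and not Samba's own code: on a Samba AD DC with `idmap_ldb:use rfc2307 = yes`, winbind takes a user's UID from the user's own `uidNumber`, but the user's GID comes from the `gidNumber` of the group that `primaryGroupID` points at (normally 'Domain Users', RID 513), never from the user's own `gidNumber` attribute. The domain SID, the group and user records, and the function names `resolve_ids` and `audit_gid_mismatch` are all constructed for the example; the audit function lists the users whose `gidNumber` attribute is set but will not be the GID winbind returns, which is exactly the situation that started the thread.

```python
"""Model of winbind's primary-group rule as described in the thread.

Added example, not Samba code. All directory records below are
constructed sample data shaped like the attributes ldbsearch would show.
"""

# Constructed domain SID; a real one comes from 'samba-tool domain info'.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_USERS_RID = 513  # well-known RID of 'Domain Users'

# Groups keyed by objectSid. Only 'Domain Users' and 'unixadmins' carry a
# gidNumber; 'nogid' deliberately has none (constructed).
GROUPS = {
    f"{DOMAIN_SID}-{DOMAIN_USERS_RID}": {"cn": "Domain Users", "gidNumber": 10000},
    f"{DOMAIN_SID}-1104": {"cn": "unixadmins", "gidNumber": 10500},
    f"{DOMAIN_SID}-1105": {"cn": "nogid"},
}

# Users with the RFC2307 attributes that matter here (constructed).
# alice has her own gidNumber set, which is the case from the thread.
USERS = {
    "alice": {"uidNumber": 10001, "gidNumber": 10500, "primaryGroupID": DOMAIN_USERS_RID},
    "bob": {"uidNumber": 10002, "primaryGroupID": 1104},
    "carol": {"uidNumber": 10003, "gidNumber": 10500, "primaryGroupID": 1105},
}


def resolve_ids(user, groups=GROUPS, use_rfc2307=True, domain_sid=DOMAIN_SID):
    """Return (uid, gid) as winbind would derive them from RFC2307 data.

    None means 'no RFC2307 value available': winbind then falls back to
    its own allocated ids, the "random" numbers mentioned in the thread.
    """
    if not use_rfc2307:
        # Without 'idmap_ldb:use rfc2307 = yes' neither attribute is consulted.
        return None, None
    uid = user.get("uidNumber")
    # The primary group is the domain SID plus the primaryGroupID RID;
    # the user's own gidNumber attribute plays no part here.
    group = groups.get(f"{domain_sid}-{user['primaryGroupID']}")
    gid = group.get("gidNumber") if group else None
    return uid, gid


def audit_gid_mismatch(users=USERS, groups=GROUPS):
    """List users whose gidNumber attribute differs from the effective GID.

    Returns {name: (declared gidNumber, effective gid)} for every user
    whose gidNumber attribute is set but would not be what winbind returns.
    """
    report = {}
    for name, user in users.items():
        declared = user.get("gidNumber")
        if declared is None:
            continue
        _, effective = resolve_ids(user, groups)
        if effective != declared:
            report[name] = (declared, effective)
    return report


if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, resolve_ids(user))
    print("gidNumber attribute ignored for:", audit_gid_mismatch())
```

Running the block prints each user's effective ids and then flags alice and carol: alice's `gidNumber` of 10500 loses to the 10000 carried by 'Domain Users', and carol's primary group has no `gidNumber` at all, so her GID would come from winbind's own allocation. The fix the thread recommends corresponds to giving the primary group a `gidNumber`, not to editing the user.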