[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

mathias dufresne infractory at gmail.com
Thu Nov 12 13:54:15 UTC 2015


2015-11-12 14:42 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 12/11/15 13:22, mathias dufresne wrote:
>
>>
>>
>> 2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com
>> <mailto:rowlandpenny241155 at gmail.com>>:
>>
>>
>>     On 11/11/15 06:52, Michael Adam wrote:
>>
>>         On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>>
>>             On 10/11/15 13:42, mathias dufresne wrote:
>>
>>                 Thank you for this quick answer Louis.
>>
>>                 On DC:
>>
>>                 On DC I had to add one line to have winbind retrieving
>>                 uidNumber AD field
>>                 rather than having Winbind choosing some random UID for
>>                 my users.
>>                 This line is:
>>
>>                 idmap_ldb:use rfc2307 = yes
>>
>>                 as explained in
>>                 https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>
>>                 That's a start.
>>
>>                 Unfortunately winbind is still giving my users GID
>>                 number set to 100, which
>>                 is "Domain Users" group, when my users have gidNumber
>>                 attribute set.
>>
>>             unfortunately the contents of the 'gidNumber' attribute are
>>             not used for the
>>             users' GID, you need to give 'Domain Users' a gidNumber and
>>             this is what will
>>             be used.
>>
>>         That is not unfortunate, but the right thing to do (imho),
>>         because the domain users group (or whatever the primary AD
>>         level group is for the user) is what will appear in the access
>>         token when the user accesses a file server.
>>
>>
>>     Well, it is unfortunate if you expected it to be used, but yes it
>>     is the right thing to do.
>>
>>
>> No more comment. For today :p
>>
>>
>>
>>
>>         We can think about making the use of the gidNumber attribute
>>         a configurable option (at least for the start in the domain
>>         member case with idmap_ad). But again, the right thing to do
>>         is use the SID-level primary group for primary gid of the unix
>>         user.
>>
>>
>>     You don't actually need the gidNumber, every user's primary group
>>     is 'Domain Users', you can change this, but it is slightly
>>     complicated and it breaks things on windows.
>>
>>
>> Seriously Rowland...
>>
>> First it is not complicated, changing one attribute value for one user or
>> for all users in AD DB is not something complicated. A bit of LDIF, a bit
>> of ldbmodify, nothing complex.
>>
>
> Go on, try it, change a user's primary group id by just changing their
> 'primaryGroupID', you will find it doesn't work, it is more involved than
> that.


I won't, there are tools to do what I want in nice ways (nslcd, sssd at
least).
Winbind is really close to giving us that possibility too and I'm almost sure
this tool will also be improved one day to give us usage of all rfc2307
attributes.


>
>> But I agree changing primaryGroupID value would be dangerous. Dangerous
>> because of my lack of knowledge about Windows world.
>>
>
> If you have windows users and change a user's primary group id, it could
> break something because windows expects every user to be a member of Domain
> Users.
>
>> To avoid side effects I would change that value and add a memberOf
>> attribute to my users so that they are still in "Domain Users". Doing that I
>> could use Winbind to retrieve my AD users on UNIX systems, they would have
>> something else than 100 as GID and they would be in "Domain Users". Until
>> some user is not created properly by some dude not paid enough to read
>> carefully the doc or too tired to pay attention. Then to understand what is
>> missing for this newly created user would be fun...
>>
>
> You could do this, but it could get terribly messy.


In fact I won't.


>
>
>
>> I expect the fact that in RFC2307 there is a dedicated attribute to host UNIX
>> Primary Group ID (namely gidNumber) is to avoid all (and most certainly
>> more) issues described earlier.
>>
>
> Yes, but you do not need the gidNumber.


In fact, I do.


>
>
> Rowland
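A small check for the two points argued over above, added here as an example and not code from either poster or from the Samba project: it audits the ids winbind actually hands out on a Samba AD DC, flagging users whose UID was allocated by winbind itself (uidNumber not being used, the symptom fixed by `idmap_ldb:use rfc2307 = yes`) and users whose GID is not the gidNumber of `Domain Users` (the group whose gidNumber is what winbind uses for the primary GID). It assumes the DC's dynamic xid range starts at 3000000, that `getent` reflects winbind's answers on the DC, and that the names and sample `getent` lines below are constructed; the group DN in the usage note is a placeholder.

```python
"""Audit the ids winbind hands out on a Samba AD DC.

Added example, not code from the thread or from the Samba project. It
checks the two points the thread turns on: that a user's UID comes from
uidNumber (not from winbind's own allocation) and that the user's GID is
the gidNumber of the primary group, 'Domain Users' by default.
"""
import subprocess
import sys

# Assumption: a Samba AD DC allocates dynamic xids from 3000000 upward when
# no RFC2307 value is present. Adjust if your idmap range differs.
AUTO_ALLOC_MIN = 3000000
AUTO_ALLOC_MAX = 3999999


def parse_passwd(text):
    """Map user name -> (uid, gid) from `getent passwd`-style lines."""
    users = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4:
            users[parts[0]] = (int(parts[2]), int(parts[3]))
    return users


def parse_group(text):
    """Map group name -> gid from `getent group`-style lines."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3:
            groups[parts[0]] = int(parts[2])
    return groups


def is_auto_allocated(xid):
    """True when the id lies in the assumed winbind auto-allocation range."""
    return AUTO_ALLOC_MIN <= xid <= AUTO_ALLOC_MAX


def audit(passwd_text, group_text, primary_group="Domain Users"):
    """Return (name, problem) tuples; an empty list means the mapping is clean."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = []
    pg_gid = groups.get(primary_group)
    if pg_gid is None:
        findings.append((primary_group, "group does not resolve; winbind cannot map it"))
    elif is_auto_allocated(pg_gid):
        findings.append((primary_group,
                         "gid %d is auto-allocated; set gidNumber on this group" % pg_gid))
    for name, (uid, gid) in users.items():
        if is_auto_allocated(uid):
            findings.append((name,
                             "uid %d is auto-allocated; uidNumber is not being used "
                             "(is 'idmap_ldb:use rfc2307 = yes' set?)" % uid))
        if pg_gid is not None and gid != pg_gid:
            findings.append((name, "gid %d differs from %s gid %d"
                             % (gid, primary_group, pg_gid)))
    return findings


def gidnumber_ldif(group_dn, gid):
    """LDIF that sets gidNumber on a group (replace adds it if absent)."""
    return "dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %d\n" % (group_dn, gid)


# Constructed sample output in the shape `getent passwd` / `getent group` print.
SAMPLE_PASSWD = "\n".join([
    "alice:*:10001:10000:alice:/home/alice:/bin/bash",  # RFC2307 ids used
    "bob:*:3000021:10000:bob:/home/bob:/bin/bash",      # uidNumber ignored
    "carol:*:10003:100:carol:/home/carol:/bin/bash",    # GID is not Domain Users
])
SAMPLE_GROUP = "\n".join(["Domain Users:x:10000:", "users:x:100:"])


def main(argv):
    """Usage: audit_idmap.py USER [USER ...]; with no users, run on the sample."""
    if len(argv) < 2:
        passwd, group = SAMPLE_PASSWD, SAMPLE_GROUP
    else:
        def getent(db, key):
            return subprocess.run(["getent", db, key], capture_output=True,
                                  text=True).stdout
        passwd = "".join(getent("passwd", u) for u in argv[1:])
        group = getent("group", "Domain Users")
    for name, problem in audit(passwd, group):
        print("%s: %s" % (name, problem))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the user names you expect to come from AD. When it reports the `Domain Users` gid as auto-allocated, `gidnumber_ldif("CN=Domain Users,CN=Users,DC=example,DC=com", 10000)` (placeholder DN and gid) gives the LDIF to feed to `ldbmodify` against the DC's sam.ldb, which is the fix Rowland describes; the `replace` changetype both adds the attribute when it is missing and corrects it when present.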

