[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Nov 12 14:07:28 UTC 2015
On 12/11/15 13:54, mathias dufresne wrote:
> 2015-11-12 14:42 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 12/11/15 13:22, mathias dufresne wrote:
>>
>>>
>>> 2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>>
>>>
>>> On 11/11/15 06:52, Michael Adam wrote:
>>>
>>> On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>>>
>>> On 10/11/15 13:42, mathias dufresne wrote:
>>>
>>> Thank you for this quick answer Louis.
>>>
>>> On DC:
>>>
>>> On DC I had to add one line to have winbind retrieving
>>> uidNumber AD field
>>> rather than having Winbind choosing some random UID for
>>> my users.
>>> This line is:
>>>
>>> idmap_ldb:use rfc2307 = yes
>>>
>>> as explained in
>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>
>>> That's a start.
>>>
>>> Unfortunately winbind is still giving my users GID
>>> number set to 100, which
>>> is "Domain Users" group, when my users have gidNumber
>>> attribute set.
>>>
>>> unfortunately the contents of the 'gidNumber' attribute is
>>> not used for the
>>> user's GID, you need to give 'Domain Users' a gidNumber and
>>> this is what will
>>> be used.
>>>
>>> That is not unfortunate, but the right thing to do (imho),
>>> because the domain users group (or whatever the primary AD
>>> level group is for the user) is what will appear in the access
>>> token when the user accesses a file server.
>>>
>>>
>>> Well, it is unfortunate if you expected it to be used, but yes it
>>> is the right thing to do.
>>>
>>>
>>> No more comment. For today :p
>>>
>>>
>>>
>>>
>>> We can think about making the use of the gidNumber attribute
>>> a configurable option (at least for the start in the domain
>>> member case with idmap_ad). But again, the right thing to do
>>> is use the SID-level primary group for primary gid of the unix
>>> user.
>>>
>>>
>>> You don't actually need the gidNumber, every user's primary group
>>> is 'Domain Users', you can change this, but it is slightly
>>> complicated and it breaks things on windows.
>>>
>>>
>>> Seriously Rowland...
>>>
>>> First it is not complicated, changing one attribute value for one user or
>>> for all users in AD DB is not something complicated. A bit of LDIF, a bit
>>> of ldbmodify, nothing complex.
>>>
>> Go on, try it, change a user's primary group id by just changing their
>> 'primaryGroupID', you will find it doesn't work, it is more involved than
>> that.
>
> I won't, there are tools to do what I want in nicer ways (nslcd, sssd at
> least).
> Winbind is really close to giving us that possibility too and I'm almost sure
> this tool will also be improved one day to give us usage of all rfc2307
> attributes.
>
>
>>> But I agree changing primaryGroupID value would be dangerous. Dangerous
>>> because of my lack of knowledge about Windows world.
>>>
>> If you have windows users and change a user's primary group id, it could
>> break something because windows expects every user to be a member of Domain
>> Users.
>>
>>> To avoid side effects I would change that value and add a memberOf
>>> attribute to my users so they are still in "Domain Users". Doing that I
>>> could use Winbind to retrieve my AD users on UNIX systems, they would have
>>> something else than 100 as GID and they would be in "Domain Users". Until
>>> some user is not well created by some dude not paid enough to read
>>> carefully the doc or too tired to pay attention. Then to understand what is
>>> missing for this newly-created user would be fun...
>>>
>> You could do this, but it could get terribly messy.
>
> In fact I won't.
>
>
>>
>>
>>> I expect the fact that in RFC2307 there is a dedicated attribute to host UNIX
>>> Primary Group ID (namely gidNumber) is to avoid all (and most certainly
>>> more) issues described earlier.
>>>
>> Yes, but you do not need the gidNumber.
>
> In fact, I do.
>
>
No you don't, you just think you do, probably because you are thinking
like a Unix sysadmin. AD is a Windows thing, so you need to think like a
Windows sysadmin when it comes to permissions.
Rowland
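An added audit helper (not from the thread, nor Samba's own tooling) for the two points made above: a DC needs `idmap_ldb:use rfc2307 = yes` in smb.conf, and the GID winbind hands out is the gidNumber of the user's primary group, not the user's own gidNumber. The smb.conf fragment and LDIF entries are constructed samples, and matching the primary group by the RID in primaryGroupID against the tail of objectSid is this helper's assumption.

```python
import re
# Constructed inputs (not from the thread): a DC smb.conf fragment and an
# ldbsearch-style LDIF export of one user plus the Domain Users group.
SMB_CONF = "[global]\n  server role = active directory domain controller\n  idmap_ldb:use rfc2307 = yes\n"
LDIF = """dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
primaryGroupID: 513
gidNumber: 20001
"""

def rfc2307_enabled(smb_conf):
    """True when smb.conf carries the 'idmap_ldb:use rfc2307 = yes' line."""
    return re.search(r"^\s*idmap_ldb:use rfc2307\s*=\s*yes\s*$", smb_conf, re.I | re.M) is not None

def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
        elif cur:
            entries.append(cur)
            cur = {}
    return entries

def winbind_gid(user, entries):
    """GID as the thread describes it: the gidNumber of the user's primary group
    (the group whose SID ends in primaryGroupID), never the user's own gidNumber."""
    rid = user.get("primaryGroupID")
    group = next((e for e in entries if e.get("objectSid", "").endswith(f"-{rid}")), {})
    return group.get("gidNumber")  # None when the primary group has no gidNumber

def audit(smb_conf=SMB_CONF, ldif=LDIF):
    """Findings that explain an unexpected GID before blaming winbind."""
    findings = []
    if not rfc2307_enabled(smb_conf):
        findings.append("smb.conf: 'idmap_ldb:use rfc2307 = yes' is missing")
    entries = parse_ldif(ldif)
    for u in (e for e in entries if "sAMAccountName" in e):
        gid = winbind_gid(u, entries)
        if gid is None:
            findings.append(f"{u['sAMAccountName']}: primary group has no gidNumber")
        elif u.get("gidNumber") not in (None, gid):
            findings.append(f"{u['sAMAccountName']}: own gidNumber {u['gidNumber']} is ignored, effective GID is {gid}")
    return findings
```

Running `audit()` on the samples reports that alice's own gidNumber 20001 is ignored in favour of Domain Users' 10000, which is the situation the thread is about.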