[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

Rowland Penny rowlandpenny241155 at gmail.com
Thu Nov 12 14:07:28 UTC 2015


On 12/11/15 13:54, mathias dufresne wrote:
> 2015-11-12 14:42 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 12/11/15 13:22, mathias dufresne wrote:
>>
>>>
>>> 2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com
>>> <mailto:rowlandpenny241155 at gmail.com>>:
>>>
>>>
>>>      On 11/11/15 06:52, Michael Adam wrote:
>>>
>>>          On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>>>
>>>              On 10/11/15 13:42, mathias dufresne wrote:
>>>
>>>                  Thank you for this quick answer Louis.
>>>
>>>                  On DC:
>>>
>>>                  On DC I had to add one line to have winbind retrieving
>>>                  uidNumber AD field
>>>                  rather than having Winbind choosing some random UID for
>>>                  my users.
>>>                  This line is:
>>>
>>>                  idmap_ldb:use rfc2307 = yes
>>>
>>>                  as explained in
>>>                  https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>
>>>                  That's a start.
>>>
>>>                  Unfortunately winbind is still giving my users GID
>>>                  number set to 100, which
>>>                  is "Domain Users" group, when my users have gidNumber
>>>                  attribute set.
>>>
>>>              unfortunately the contents of the 'gidNumber' attribute is
>>>              not used for the
>>>              users GID, you need to give 'Domain Users' a gidNumber and
>>>              this is what will
>>>              be used.
>>>
>>>          That is not unfortunate, but the right thing to do (imho),
>>>          because the domain users group (or whatever the primary AD
>>>          level group is for the user) is what will appear in the access
>>>          token when the user accesses a file server.
>>>
>>>
>>>      Well, it is unfortunate if you expected it to be used, but yes it
>>>      is the right thing to do.
>>>
>>>
>>> No more comment. For today :p
>>>
>>>
>>>
>>>
>>>          We can think about making the use of the gidNumber attribute
>>>          a configurable option (at least for the start in the domain
>>>          member case with idmap_ad). But again, the right thing to do
>>>          is use the SID-level primary group for primary gid of the unix
>>>          user.
>>>
>>>
>>>      You don't actually need the gidNumber, every user's primary group
>>>      is 'Domain Users', you can change this, but it is slightly
>>>      complicated and it breaks things on windows.
>>>
>>>
>>> Seriously Rowland...
>>>
>>> First it is not complicated, changing one attribute value for one user or
>>> for all users in AD DB is not something complicated. A bit of LDIF, a bit
>>> of ldbmodify, nothing complex.
>>>
>> Go on, try it, change a user's primary group id by just changing their
>> 'primaryGroupID', you will find it doesn't work, it is more involved than
>> that.
>
> I won't, there are tools to do what I want in nice ways (nslcd, sssd at
> least).
> Winbind is really close to give us that possibility too and I'm almost sure
> this tool will also be improved one day to give us usage of all rfc2307
> attributes.
>
>
>>> But I agree changing primaryGroupID value would be dangerous. Dangerous
>>> because of my lack of knowledge about Windows world.
>>>
>> If you have windows users and change a user's primary group id, it could
>> break something because windows expects every user to be a member of Domain
>> Users.
>>
>>> To avoid side effects I would change that value and add a memberOf
>>> attribute to my users so they are still in "Domain Users". Doing that I
>>> could use Winbind to retrieve my AD users on UNIX systems, they would have
>>> something else than 100 as GID and they would be in "Domain Users". Until
>>> some user is not well created by some dude not paid enough to read
>>> carefully the doc or too tired to pay attention. Then to understand what is
>>> missing for this newly-created user would be fun...
>>>
>> You could do this, but it could get terribly messy.
>
> In fact I won't.
>
>
>>
>>
>>> I expect the fact that in RFC2307 there is a dedicated attribute to host UNIX
>>> Primary Group ID (namely gidNumber) is to avoid all (and most certainly
>>> more) issues described earlier.
>>>
>> Yes, but you do not need the gidNumber.
>
> In fact, I do.
>
>

No, you don't, you just think you do, probably because you are thinking 
like a Unix sysadmin. AD is a windows thing, so you need to think like a 
windows sysadmin when it comes to permissions.

Rowland
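The behaviour argued over in this thread, as an added example that is not part of the original mails or of Samba's code: a small model of how winbind on a Samba AD DC with `idmap_ldb:use rfc2307 = yes` picks a user's uid from `uidNumber` but takes the gid from the `gidNumber` of the primary group (normally "Domain Users", RID 513), ignoring the user's own `gidNumber`. User names, RIDs and id numbers below are constructed.

```python
from dataclasses import dataclass
from typing import Optional

DOMAIN_USERS_RID = 513  # well-known RID of "Domain Users"


@dataclass
class AdUser:
    name: str
    uid_number: Optional[int]        # RFC2307 uidNumber on the user object
    gid_number: Optional[int]        # RFC2307 gidNumber on the user: not consulted for the gid
    primary_group_id: int = DOMAIN_USERS_RID  # primaryGroupID, a RID


@dataclass
class AdGroup:
    name: str
    rid: int
    gid_number: Optional[int]        # RFC2307 gidNumber on the group object


def resolve_ids(user, groups, use_rfc2307=True):
    """Return the uid/gid winbind would report for `user` under the rule in the thread.

    None means "no RFC2307 value is used here; winbind allocates an id from its
    idmap range instead", which is the 'random' id the original poster saw before
    setting idmap_ldb:use rfc2307 = yes.
    """
    if not use_rfc2307:
        return {"uid": None, "gid": None, "gid_from": None}
    primary = next((g for g in groups if g.rid == user.primary_group_id), None)
    if primary is None:
        raise LookupError(f"primaryGroupID {user.primary_group_id} matches no group")
    # The user's own gidNumber is deliberately not looked at.
    return {"uid": user.uid_number, "gid": primary.gid_number, "gid_from": primary.name}


def explain(user, groups):
    """One-line diagnosis of the 'my gid is 100, not my gidNumber' complaint."""
    r = resolve_ids(user, groups)
    if user.gid_number is not None and r["gid"] != user.gid_number:
        return (f"{user.name}: uid {r['uid']} from uidNumber; gid {r['gid']} from the "
                f"gidNumber of primary group '{r['gid_from']}', so the user's own "
                f"gidNumber={user.gid_number} has no effect")
    return f"{user.name}: uid {r['uid']}, gid {r['gid']} (from '{r['gid_from']}')"


if __name__ == "__main__":
    groups = [AdGroup("Domain Users", 513, 100), AdGroup("unixadmins", 1105, 10001)]
    print(explain(AdUser("alice", 10001, 10001), groups))
```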
