[Samba] Samba 4.1 creates group rights for non-existent group.

Rowland Penny rowlandpenny241155 at gmail.com
Mon Nov 16 13:40:02 UTC 2015

On 16/11/15 13:28, Michael Adam wrote:
> On 2015-11-16 at 12:57 +0000, Rowland Penny wrote:
>> On 16/11/15 12:53, Michael Adam wrote:
>>> On 2015-11-16 at 11:14 +0000, Rowland Penny wrote:
>>>> On 16/11/15 10:11, Alex Sviridov wrote:
>>>>>   I use samba 4.1 as a DC with ACLs. I have a user with uid 3000023. However, I don't have a group with gid 3000023. However, when this user creates a folder, samba creates permissions in the ACL list for group 3000023, and as a result I have a broken link. How to fix it?
>>>> Hi, allow me to introduce you to the concept of a user being also a group
>>>> and vice versa. If you examine idmap.ldb:
>>>> ldbedit -e nano -H /usr/local/samba/private/idmap.ldb
>>>> You will find lines like this:
>>>> type: ID_TYPE_BOTH
>>>> This means that your user can be both a user and a group
>>>> It has to be like this so that the 'Administrators' group can own
>>>> directories and files in sysvol.
>>> Very true.
>>> This can't be over-emphasized, since it seems
>>> to puzzle people: This is by design.
>>> And regarding non-existence of that group:
>>> If you do the supported thing, namely put
>>> winbind into /etc/nsswitch.conf, then this
>>> group exists. :-)
>>> Cheers - Michael
>> er, when did it become supported to put winbind into
>> /etc/nsswitch.conf on a DC?
> To my understanding, it was supported from the beginning
> (i.e. Samba 4.0.0).

OK, change 'supported' to 'recommended'

>> You only need to do this if you actually need to log into the DC and this is
>> not recommended on the wiki.
> Well it is also cosmetic for when e.g. an admin
> wants to look at files/perms on the console.

You cannot do it for just one user, if all users have uidNumbers.

> And btw, 'not recommended' does not mean 'not supported'.

Thinking about it, doesn't saying that something is supported also mean 
you can do this?

> Of course, not putting anything winbind-ish into nsswitch,
> might also be considered supported, but I'd say that
> for a complete setup, winbind belongs into nsswitch.conf.

Totally agree, but only when winbindd works fully.

> If you don't put anything, then also the corresponding
> uid won't be resolved in 'ls -l' and friends, so one
> could complain that that user does not exist just as well.
> (With existence defined as 'getent passwd foo' or
> 'getent group bar' knows them...)
> So my point was that putting stuff into /etc/nsswitch.conf
> makes users and groups exist. And if you put the *right*
> thing into nsswitch (i.e. winbind and not, e.g. sssd), then
> these groups do exist.

Well, half correct and you know what half isn't correct on an AD DC :-)

I would also like to point out that most of what sssd and nslcd can do, 
winbind can do; the only difference is when it comes to the DC.


> Michael

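As an added illustration of the ID_TYPE_BOTH point made above (this is not code from the thread or from Samba itself): a small POSIX sh script that takes the numeric ID shown as an unresolved group in an ACL, finds its record in an ldbsearch dump of idmap.ldb, and reports whether that number is a uid, a gid, or both. The function names idmap_lookup and idmap_explain, the domain SID and the xidNumber values in the sample records are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the numeric ID that shows up
# as an unknown group in an ACL by looking it up in idmap.ldb, where a record
# typed ID_TYPE_BOTH is one number serving as both uid and gid.
# In real use the LDIF comes from Samba's own tool (path as given in the thread):
#   ldbsearch -H /usr/local/samba/private/idmap.ldb '(xidNumber=3000023)' | idmap_lookup 3000023
# SAMPLE_LDIF below is constructed to mimic that output so the script runs offline;
# the domain SID and xidNumbers are made up (S-1-5-32-544 is BUILTIN\Administrators).
SAMPLE_LDIF='dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
cn: S-1-5-21-1111111111-2222222222-3333333333-1105
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
type: ID_TYPE_BOTH
xidNumber: 3000023
distinguishedName: CN=S-1-5-21-1111111111-2222222222-3333333333-1105

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
'
# idmap_lookup XID  (LDIF on stdin) -> "TYPE SID" for the record carrying that
# xidNumber, or "UNKNOWN -" when none does. Attribute order inside a record does
# not matter: a record is evaluated when the next dn: line or EOF is reached.
idmap_lookup() {
    awk -v want="$1" '
        function flush() { if (num == want && type != "") { print type, sid; found = 1 } }
        /^dn:/        { flush(); sid = ""; type = ""; num = "" }
        /^objectSid:/ { sid = $2 }
        /^type:/      { type = $2 }
        /^xidNumber:/ { num = $2 }
        END           { flush(); if (!found) print "UNKNOWN -" }
    '
}

# idmap_explain XID  (LDIF on stdin) -> one line telling the admin what the ID is
idmap_explain() {
    set -- "$1" $(idmap_lookup "$1")
    case "$2" in
        ID_TYPE_BOTH) echo "$1 is both uid and gid for $3: the group ACL entry is by design; with winbind in nsswitch.conf, 'getent group $1' will resolve it" ;;
        ID_TYPE_UID)  echo "$1 is a uid only ($3)" ;;
        ID_TYPE_GID)  echo "$1 is a gid only ($3)" ;;
        *)            echo "$1 has no idmap.ldb record" ;;
    esac
}

# Stand-alone run over the constructed sample (the ID from the original question):
printf '%s' "$SAMPLE_LDIF" | idmap_explain 3000023
```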