[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Sat Sep 12 18:57:10 UTC 2015

On 12/09/15 19:12, Jim Seymour wrote:
> On Sat, 12 Sep 2015 17:59:54 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>> On 12/09/15 14:36, Jim Seymour wrote:
>>> On Sat, 12 Sep 2015 08:32:17 +0100
>>> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>> [snip]
>>>> Samba4 comes with the uidNumber & gidNumber attributes (and a
>>>> load of others), but they are *not* used as standard, the
>>>> sysadmin needs to add them.
>>> Starting at the page you reference, below, I put "uidNumber" into
>>> the search box.  Now, unless I'm missing it, all that comes up are
>>> references to it, but no information on how it's used or where to
>>> set it.
>> OK, you seem to have found a gap on the wiki; it does seem to
>> expect that all the administration is done via ADUC :-)
> *A* gap?!?!
> I've been finding little more than a constant parade of "gaps."  And
> it isn't just gaps.  I've had that documentation leave me
> anywhere from wondering "WTH are they talking about?" to
> taking me entirely down the wrong path.
> You might better just take it offline and direct n00bs here.  It's
> that bad, IMO.  I don't think I've found a *single* thing there, yet,
> that was accurate or complete.

I will have an email conversation with Marc and see what can be done 
about the docs; from my point of view, they seem to be very Windows-
centric when it comes to administration.

>> If you create a new user with samba-tool (and your version is new
>> enough), you can create a user and add the required attributes at
>> the same time.
> Can you define "new enough?"

Approximately from version 4.1.17.

>> If you want to add the unix attributes to an already
>> created AD object, you are going to have to resort to an ldif
>> and ldbmodify, ldapmodify or similar ...
> [snip]
> Got it!  Thanks!
> [snip]
>>> Can I, should I, may I put gidNumber attributes into individual
>>> user AD records?  (Matching their [default] *nix gids?)
>> Ah, somebody else who thinks Samba4 AD works like Samba3: you don't
>> have individual Unix groups any more; in fact you do not have Unix
>> users any more, they are all AD users that are also Unix users.
> [snip]
> So all these reams of files and directories on the existing
> fileserver, many of which are shared between both MS-Win and *nix
> users, what am I supposed to do with them?
> I have, for example, project team and departmental directories (w/in
> shares), or entire shares, where, for example, the thing has write
> permissions only for the group and a special group has been created
> and given read-only permissions with an ACL.

This shouldn't be a problem; you just need to create the groups in AD 
and then add the required Unix attributes. You just cannot have a user 
called 'fred' and a group called 'fred'; this is not something that 
Samba came up with, it is a Windows restriction.

>>> Regarding UIDs and GIDs: I've been administering *nix systems
>>> since SysVR3, incl. variants such as Xenix and QNX.  I know how
>>> *nix works, and UIDs and GIDs.  What I *do not* understand is how
>>> to make Samba4 play nicely on a *nix server in a heterogeneous
>>> computing environment.
>> I hope what I have posted helps,
> It does.  Thank you *very* much!
>> you just have to get your head
>> around the differences (no user private groups for instance, you
>> cannot have two objects in AD with the same name)
>> If you have any questions, please ask, the only stupid question is
>> the one you don't ask :-D
> I'm not certain we're talking about the same thing.
> We have users.  We have groups.  Various users have various groups
> either as their primary GID (e.g.: Everybody who works in the Quality
> Dept. is in group "quality"), or one of (possibly many) secondary
> GIDs (e.g.: others have group "quality" as one of their [possibly
> many] secondary groups.)  "Group" directories/shares will have the
> sgid bit set and "force" settings in smb.conf.  That way if, for
> example, somebody's primary group is "test", but they have membership
> in the "quality" group, when they write to the latter group's space,
> files and directories will have the proper group ownership.
> It sounds to me like you're telling me all that's out the window?
> (No pun intended.)  It *sounds* to me like you're telling me users
> can't be members of multiple groups?  I don't see how that can
> possibly be true.

Users can be in multiple groups; you just do it another way (well, this 
is Windows-based).

You want to add the user 'fred' to the group 'quality' (which has been 
created and given a gidNumber):

You create an ldif: /tmp/groupmod.ldif

dn: CN=quality,CN=Users,DC=example,DC=com
changetype: modify
add: member
member: CN=Fred User,CN=Users,DC=example,DC=com

ldbmodify -H /var/lib/samba/private/sam.ldb /tmp/groupmod.ldif

and AD does the rest

If you were now to check the user's object in AD, you would find it 
contains something like this:

memberOf: CN=quality,CN=Users,DC=home,DC=lan

If you want the group to be the user's main Unix group, you would use the 
gidNumber for 'quality' as the user's gidNumber.

You would then set the required permissions on the share for the user, 
either from Windows or with 'setfacl' on the share itself; you do not 
need to change the Unix permissions. As you are probably aware, on Unix 
you can only set the permissions for the user, group or other, but with 
NTFS ACLs you can set them for user1, user2, group1, group2 etc., all 
at the same time. I think you need to do some reading up on this; if you 
do an internet search, just use "active directory" instead of "samba4" in 
the search terms. It might also help to search for 'setfacl' & 'getfacl'.


> Regards,
> Jim
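The procedure described in the reply above (give an existing AD group a gidNumber and an existing user a uidNumber plus a primary gidNumber, add the user to one or more groups with an LDIF applied by ldbmodify, then layer per-group share permissions with setfacl rather than changing the Unix mode bits), written out as an added shell example. This is not code from the original mail or from the Samba project. Every name in it is an assumption: base DN DC=example,DC=com, user "Fred User", groups "quality", "test" and "quality-ro", uidNumber 10001, gidNumber 20001, share path /srv/quality; check_ldif is a hypothetical pre-flight helper, not an ldb tool, and it exists mainly to catch the "member: dn: CN=..." slip (a second "dn: " inside the attribute value) that AD rejects.

```shell
#!/bin/sh
# Added example, not code from the original mail or from Samba. Builds the
# LDIF records that (1) give an existing AD group a gidNumber, (2) give an
# existing AD user a uidNumber and a primary gidNumber, and (3) add the user
# to one or more groups, checks them, and applies them with ldbmodify.
# Assumed names: base DN DC=example,DC=com, user "Fred User", groups
# "quality", "test" and "quality-ro", uidNumber 10001, gidNumber 20001,
# share /srv/quality.

BASE_DN="${BASE_DN:-DC=example,DC=com}"
SAM_DB="${SAM_DB:-/var/lib/samba/private/sam.ldb}"

# Record 1: gidNumber for an existing group (the group must exist in AD first).
group_unix_ldif() {           # $1 group CN, $2 gidNumber
  printf 'dn: CN=%s,CN=Users,%s\n' "$1" "$BASE_DN"
  printf 'changetype: modify\n'
  printf 'add: gidNumber\ngidNumber: %s\n' "$2"
}

# Record 2: uidNumber plus the gidNumber of the group that is to be the
# user's main Unix group. There are no user private groups in AD, so this
# is the gidNumber of a real AD group, never a per-user value.
user_unix_ldif() {            # $1 user CN, $2 uidNumber, $3 primary gidNumber
  printf 'dn: CN=%s,CN=Users,%s\n' "$1" "$BASE_DN"
  printf 'changetype: modify\n'
  printf 'add: uidNumber\nuidNumber: %s\n-\n' "$2"
  printf 'add: gidNumber\ngidNumber: %s\n' "$3"
}

# Record 3: add the user to a group. The member value is the user's bare DN;
# "member: dn: CN=..." (a second "dn: " inside the value) is rejected.
group_member_ldif() {         # $1 group CN, $2 user CN
  printf 'dn: CN=%s,CN=Users,%s\n' "$1" "$BASE_DN"
  printf 'changetype: modify\n'
  printf 'add: member\nmember: CN=%s,CN=Users,%s\n' "$2" "$BASE_DN"
}

# One file for all secondary groups: LDIF records are separated by a blank line.
user_groups_ldif() {          # $1 user CN, $2... group CNs
  user=$1; shift
  for g in "$@"; do
    group_member_ldif "$g" "$user"
    printf '\n'
  done
}

# Pre-flight check (hypothetical helper, not an ldb tool): every record has a
# dn and a changetype, and no attribute value itself starts with "dn: ".
check_ldif() {                # LDIF on stdin; exit status 1 on a problem
  awk '
    /^dn: /              { dn++ }
    /^changetype: /      { ct++ }
    /^[A-Za-z]+: dn: /   { bad++ }
    END { if (dn == 0 || dn != ct || bad > 0) exit 1; exit 0 }'
}

# Apply a file with ldbmodify against sam.ldb (the command from the mail);
# only prints the command when ldbmodify is not installed on this host.
apply_ldif() {                # $1 LDIF file
  check_ldif < "$1" || { echo "refusing $1: malformed LDIF" >&2; return 1; }
  if command -v ldbmodify >/dev/null 2>&1; then
    ldbmodify -H "$SAM_DB" "$1"
  else
    echo "would run: ldbmodify -H $SAM_DB $1" >&2
  fi
}

# Per-group share permissions are layered with POSIX ACLs instead of changing
# the Unix owner/group bits: read-write for one group, read-only for another,
# on the directory itself and (-d, default ACL) on entries created inside it.
share_acl_commands() {        # $1 directory, $2 rw group, $3 ro group
  printf 'setfacl -m g:%s:rwx -m g:%s:r-x %s\n' "$2" "$3" "$1"
  printf 'setfacl -d -m g:%s:rwx -m g:%s:r-x %s\n' "$2" "$3" "$1"
}

# Worked run: with LDIF_APPLY=1 the records are written, checked and applied.
if [ "${LDIF_APPLY:-0}" = 1 ]; then
  d=$(mktemp -d)
  group_unix_ldif quality 20001             > "$d/group.ldif"
  user_unix_ldif 'Fred User' 10001 20001    > "$d/user.ldif"
  user_groups_ldif 'Fred User' quality test > "$d/member.ldif"
  for f in "$d/group.ldif" "$d/user.ldif" "$d/member.ldif"; do apply_ldif "$f"; done
  share_acl_commands /srv/quality quality quality-ro
  rm -rf "$d"
fi
```

The records are applied group first, then user, then membership, because the user's primary gidNumber must point at a group that already carries that gidNumber. Adding the same user to a group twice, or adding a uidNumber that is already present, makes ldbmodify report an error on that record; the check only guards the file's shape, not the directory's current state.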
