[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Jim Seymour jseymour at LinxNet.com
Sat Sep 12 20:26:45 UTC 2015


On Sat, 12 Sep 2015 19:57:10 +0100
Rowland Penny <rowlandpenny241155 at gmail.com> wrote:

> On 12/09/15 19:12, Jim Seymour wrote:
> > On Sat, 12 Sep 2015 17:59:54 +0100
> > Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
[snip]
> >
> >> If you create a new user with samba-tool (and your version is new
> >> enough), you can create a user and add the required attributes at
> >> the same time.
> > Can you define "new enough?"
> 
> Approx from version 4.1.17

$ samba --version
Version 4.1.6-Ubuntu

No problem, tho.

[snip]
> 
> > It *sounds* to me like you're telling me users
> > can't be members of multiple groups?  I don't see how that can
> > possibly be true.
> 
> Users can be in multiple groups, you just do it another way (well,
> this is Windows based)
> 
> You want to add the user 'fred' to the group 'quality' (which has
> been created and given a gidNumber):

Ah, well... Now there's the question of what attributes are required
to create a group.  I suppose I can just dump the existing ldap db
and see what groups are already there.

> 
[snip]
> 
> If you want the group to be the user's main Unix group, you would
> use the gidNumber for 'quality' as the user's gidNumber

You mean by setting their gidNumber attribute to that group, rather
than whatever GID was given to "Domain Users", in their sam.ldb
record?

But I thought you earlier said that would Break Things?

> 
> You would then set the required permissions on the share for the
> user, either from Windows or with 'setfacl' on the share itself,
> you do not need to change the Unix permissions.

Okay.

> As you are probably
> aware, on Unix you can only set the permissions for the user, group
> or other, but with NTFS ACLs you can set them for user1, user2,
> group1, group2 etc etc, all at the same time.

You can do the same under Unix/Linux with setfacl.  I've been doing
that for years.

> I think you need to
> do some reading up on this, if you do an internet search, just use
> active directory instead of samba4 in the search terms. It might
> also help to search for 'setfacl' & 'getfacl'

Yeah, I know about ACLs (and, under Unix/Linux: Directory ACL masks
and default ACLs and the like).

Thanks,
Jim
-- 
Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
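
The POSIX ACL points raised in this message (several named users and groups holding permissions on one directory at once, with the mask capping them), as an added example that is not part of the message or the thread. It follows the access check order documented in Linux acl(5); the getfacl-style listing is constructed, and every name other than 'fred' and 'quality' is hypothetical.

```python
# Constructed getfacl-style listing for a share directory (not from the thread).
SAMPLE = """\
# file: srv/share
# owner: root
# group: staff
user::rwx
user:fred:rwx
group::r-x
group:quality:rwx
group:audit:r--
mask::r-x
other::---
"""

def parse_acl(text):
    """Return (owner, owning_group, entries); entries maps (tag, qualifier) -> perms."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            # Drop a trailing "#effective:..." comment before splitting the entry.
            tag, qual, perms = line.split("#")[0].strip().split(":")
            entries[(tag, qual)] = set(perms) - {"-"}
    return owner, group, entries

def allowed(text, user, groups, want):
    """Apply the acl(5) check order: owner, named user, groups, then other."""
    owner, own_group, e = parse_acl(text)
    want = set(want)
    mask = e.get(("mask", ""), set("rwx"))  # no mask entry: nothing is filtered
    if user == owner:
        return want <= e[("user", "")]      # the owner entry is never masked
    if ("user", user) in e:
        return want <= (e[("user", user)] & mask)
    matches = [p for (tag, q), p in e.items() if tag == "group"
               and (q in groups or (q == "" and own_group in groups))]
    if matches:
        # One matching group entry must carry every requested bit after masking.
        return any(want <= (p & mask) for p in matches)
    return want <= e[("other", "")]
```

In the sample, fred's entry reads rwx but the mask r-x removes write, which is the kind of result `getfacl` reports in its `#effective:` column.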


