[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Sat Sep 12 20:47:28 UTC 2015


On 12/09/15 21:26, Jim Seymour wrote:
> On Sat, 12 Sep 2015 19:57:10 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
>> On 12/09/15 19:12, Jim Seymour wrote:
>>> On Sat, 12 Sep 2015 17:59:54 +0100
>>> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> [snip]
>>>> If you create a new user with samba-tool (and your version is new
>>>> enough), you can create a user and add the required attributes at
>>>> the same time.
>>> Can you define "new enough?"
>> Approx from version 4.1.17
> $ samba --version
> Version 4.1.6-Ubuntu
>
> No problem, tho.
>
> [snip]
>>> It *sounds* to me like you're telling me users
>>> can't be members of multiple groups?  I don't see how that can
>>> possibly be true.
>> Users can be in multiple groups, you just do it another way (well,
>> this is Windows based)
>>
>> You want to add the user 'fred' to the group 'quality' (which has
>> been created and given a gidNumber):
> Ah, well... Now there's the question of what attributes are required
> to create a group.  I suppose I can just dump the existing ldap db
> and see what groups are already there.

ldif to create group:

dn: CN=<groupname>,CN=Users,DC=example,DC=com
objectClass: group
cn: <groupname>
name: <groupname>
sAMAccountName: <groupname>
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=example,DC=com
distinguishedName: CN=<groupname>,CN=Users,DC=example,DC=com

>
> [snip]
>> If you want the group to be the user's main Unix group, you would
>> use the gidNumber for 'quality' as the user's gidNumber
> You mean by setting their gidNumber attribute to that group, rather
> than whatever GID was given to "Domain Users"?, in their sam.ldb
> record?
>
> But I thought you earlier said that would Break Things?

No, what I said was (in a way you didn't understand) don't change the 
'primaryGroupID' attribute; this is what makes the user a member of 
Domain Users.
The user's 'primaryGroupID' != the Unix user's primary group id (this is 
what is stored in the 'gidNumber' attribute).

>
>> You would then set the required permissions on the share for the
>> user, either from windows or with 'setfacl' on the share itself,
>> you do not need to change the Unix permissions.
> Okay.
>
>> As you are probably
>> aware, on Unix you can only set the permissions for the user, group
>> or other, but with NTFS ACLs you can set them for user1, user2,
>> group1, group2 etc etc, all at the same time.
> You can do the same under Unix/Linux with setfacl.  I've been doing
> that for years.

Good, then you know how to use it :-)

>
>> I think you need to
>> do some reading up on this, if you do an internet search, just use
>> active directory instead of samba4 in the search terms. It might
>> also help to search for 'setfacl' & 'getfacl'
> Yeah, I know about ACLs (and, under Unix/Linux: Directory ACL masks
> and default ACLs and the like).

There have been religious wars on here about calling 'Unix permissions' 
ACLs :-D

Rowland

> Thanks,
> Jim
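Added example, not code from the thread or from Samba: it builds the ldbmodify LDIF that does what Rowland describes, setting the user's gidNumber to the group's gidNumber and adding the user to the group's member attribute, while refusing to touch primaryGroupID. The user and group entries, DNs and numbers are constructed sample data; parse_ldif_entry and unix_group_modify_ldif are hypothetical helper names.

```python
# Added example (not from the thread or from Samba). Builds the LDIF for
# 'ldbmodify' that makes an existing, gidNumber-bearing group a user's main
# Unix group: replace the user's gidNumber, add the user to the group's
# member attribute, and never touch primaryGroupID (Domain Users membership).

def parse_ldif_entry(text):
    """Parse one simple LDIF entry (no base64, no wrapped lines) into {attr: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def unix_group_modify_ldif(user, group):
    """Return ldbmodify LDIF assigning group's gidNumber as the user's Unix
    primary group and adding the user to the group. Empty string if nothing
    needs changing; ValueError if the group was never given a gidNumber."""
    if "gidNumber" not in group:
        raise ValueError("group %s has no gidNumber; add one first" % group["dn"][0])
    user_dn, group_dn = user["dn"][0], group["dn"][0]
    gid = group["gidNumber"][0]
    ops = []
    # Only gidNumber changes; primaryGroupID is deliberately left alone.
    if user.get("gidNumber", [None])[0] != gid:
        ops.append("dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n"
                   % (user_dn, gid))
    # Secondary membership is done the Windows way: the group's member attribute.
    if user_dn not in group.get("member", []):
        ops.append("dn: %s\nchangetype: modify\nadd: member\nmember: %s\n"
                   % (group_dn, user_dn))
    return "\n".join(ops)

# Constructed sample entries (not real directory data).
USER = parse_ldif_entry("""
dn: CN=fred,CN=Users,DC=example,DC=com
sAMAccountName: fred
primaryGroupID: 513
uidNumber: 10001
gidNumber: 10000
""")
GROUP = parse_ldif_entry("""
dn: CN=quality,CN=Users,DC=example,DC=com
sAMAccountName: quality
gidNumber: 10005
""")

if __name__ == "__main__":
    print(unix_group_modify_ldif(USER, GROUP))
```

The printed LDIF can be fed to 'ldbmodify -H /path/to/sam.ldb' (path assumed); the script itself only produces text and changes nothing.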