[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

mathias dufresne infractory at gmail.com
Tue Sep 15 08:36:10 UTC 2015

Hi Jim,

First I apologize: I did not re-read everything.

Do you use winbind in /etc/nsswitch.conf? I expect a yes as an answer as it
builds user attributes using primaryGoupID and also forge its own home

As far as I have understood winbind is not configurable for AD attributes
used to build users for Linux systems, so your users will have a primary
group set to primaryGroupID.

This is not really an issue on DC: users are not supposed to connected on
DC, no files should be created - except from your admins - and so no
incoherencies (in files ownership) should happen.

For no-DC it matters as users can connect on them to work, create files and
so on.

If you don't speak about DC you could replace winbind by ssd in
nsswitch.conf as SSSD is configurable. Your users would be able to use
uidNumber and gidNumber and their home directory will be filled with
unixHomeDirectory if you want to.

Lot of other attributes can be configured, you should check "man sssd-ldap"
then search for "ldap_" to get configurable attributes. These ldap_*
options are valid also if you are using SSSD with "id_provider = ad".

Now to answer to last mail from Rowland, primary group is important in UNIX
world as this group is mainly used give group ownership of newly created
files and folders. For security reasons or to keep files accessible to
others users on shared folders, what GID is used as primary group is
sometimes crucial.
For accessing files all groups are checked, so memberOf multi-valued
attribute is sufficient here, for write accesses, Unix systems do not take
care of others groups than the primary one.



2015-09-14 19:45 GMT+02:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 14/09/15 18:14, Jim Seymour wrote:
>> On Mon, 14 Sep 2015 13:36:31 -0300
>> Guilherme Boing <kolt+samba at frag.com.br> wrote:
>> Are you using nslcd by any chance ?
>> [snip]
>> Nope.
>> On Mon, 14 Sep 2015 18:56:20 +0200
>> buhorojo <buhorojo.lcb at gmail.com> wrote:
>> [snip]
>>> getent returns primaryGroupID, not gidNumber
>> I can see that.
>> So what is the point of gidNumber in a user's record if it does
>> essentially nothing other than to take up space, possibly duplicate
>> another entry (primaryGroupID) or possibly be misleading?
>> Regards,
>> Jim
> OK, now you have got this far, I will drop the bomb on you, you *don't*
> actually need the 'gidNumber' attribute for a user, you need it for groups,
> but not users!
> Group membership in AD is done by member/memberof attributes, you add a
> 'member' attribute containing the 'dn' of the user to the group object and
> AD does the rest, if you go and examine the users object, you will now find
> that a 'memberof' attribute containing the groups dn has been added. The
> only exception to this rule is Domain Users, membership is governed by the
> primaryGroupID attribute.
> You allow access, read & write etc to files & directories with ACLs, if
> the user trying to do something to a file or directory doesn't have an ACL
> set, they will not be allowed to do whatever it was they tried.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list