[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Tue Sep 15 11:38:11 UTC 2015

On 15/09/15 12:14, Jim Seymour wrote:
> On Tue, 15 Sep 2015 10:36:10 +0200
> mathias dufresne <infractory at gmail.com> wrote:
>> Hi Jim,
>> First I apologize: I did not re-read everything.
> No problem and thanks for taking the time to follow-up.
>> Do you use winbind in /etc/nsswitch.conf?
> [snip]
> Yes.
>> As far as I have understood winbind is not configurable for AD
>> attributes used to build users for Linux systems, so your users will
>> have a primary group set to primaryGroupID.
> That would appear to be so.  And, in fact: I actually tried to change
> my test user's primaryGroupID to another, and ldbedit responded with
> "Unwilling to perform."

There is a way around this, the group must exist and the user must be a 
member of it, if both of these are true, then changing primaryGroupID to 
the RID of the new group should be possible. I personally wouldn't 
bother though, just leave every bodies primary group as Domain Users.

>> This is not really an issue on DC: users are not supposed to
>> connected on DC, no files should be created - except from your admins
>> - and so no incoherencies (in files ownership) should happen.

You can create shares on the DC, it is just not recommended, but it is 
your DC and you can do what ever you want with it. The problems come 
with things like the users homedir and shell, you cannot set them 

> *sigh* This is typical of Microsoft Windows thinking: "A thing cannot do
> more than one thing or it'll fall over."  But this *isn't* an MS-Windows
> server and it *can* do more than one thing at a time.

You can do more than one thing with a DC, it will not fall over.

> If I can't work around this, somehow, it'll be a show-stopper and
> Samba4 AD will have to go.  A shame, that would be, as it was looking so
> positive before this.

You need to stop thinking in the 'I must do this the Unix way only', you 
need to accept that some of what microsoft came up with is okay 
(admittedly not a lot :-) )
Stop thinking in terms of 'owner:group' on a file or dir, and think 
'user,user,user,user,and so on' or 'group, group,group,and so on' and 
set the permissions with setfacl or from windows.

> [snip]
>> Now to answer to last mail from Rowland, primary group is important
>> in UNIX world as this group is mainly used give group ownership of
>> newly created files and folders.

You do not need a Unix primary group if you use windows ACLs


> [snip]
> Unless, of course, over-ridden by SGID, through one-or-another means.
> Regards,
> Jim

More information about the samba mailing list