[Samba] WINBIND: UID and GID false mappings on domain member

Rowland Penny rpenny at samba.org
Fri Aug 12 18:22:29 UTC 2016

On Fri, 12 Aug 2016 10:42:54 -0700 (PDT)
rawi via samba <samba at lists.samba.org> wrote:

> > Just provisioning with --rfc2307 isn't enough, you personally need
> > to add any required RFC2307 attributes.
> But you see my test user has his attributes. From samba-tool. Do you
> mean the basic objects, the templates for the user and group? If yes,
> how to do it?

OOPS, red face time, you are correct, they are there.

> > Can I suggest you put dnsupdate back and then setup bind9 on the DC 
> > correctly.
> I will...
> > You must be using an old version of samba-tool, it doesn't do that
> > now.
> Version 4.3.9 from the last fresh ubuntu LTS.
> And I asked on FreeNode, they would not upgrade to the 4.4. branch if
> 4.3 hasn't bugs...

Ubuntu will not want to materially change an LTS version and Samba
changes so fast, in fact version 4.5.0 is slated for release in min
> > No they are not: 
> > 
> > dn: CN=test,CN=Users,DC=humgen,DC=0zone 
> > ...... 
> > primaryGroupID: 513 
> Oh, I hoped winbind would give me:
> uidNumber: 9439 
> gidNumber: 5001
> ... from the posix attributes

Well, it will use the uidNumber as the user's Unix UID, but winbind will
use the gidNumber attribute from 'Domain Users' and if it isn't found,
all users will be ignored. The gidNumber attribute will be used as
another group for the user.

> > This makes the users primary group 'Domain Users' and as such, the 
> > primary group must have a gidNumber, or all your users will be
> > ignored by winbind. Do not think of changing the users
> > primaryGroupID, windows expects all users to be members of 'Domain
> > Users' 
> I'll remember this
> How would a group mapping of "domain users" on my group 5001
> (hg_allg) behave?

You don't map groups anymore

> > No, just that you have set up Samba incorrectly, you are trying to
> > use AD like you used your old NT4-style domain. 
> > 
> > Can I suggest that you go and read the Samba wiki:
> OK, I'll set dnsupdate back and all the rest new.
> I tried to find my way around the problem with the data's posix
> rights.
> Would sssd be a better fit for this?

No, because it works pretty much like winbind.

> Can you think of a work around, to transfer the current data with the
> old unix UID/GID, so that the users will see it the same?
> How should I define the new created users for this?

Well, you could try creating the users as you have done, but without
the gidNumber. Now create (or extend) your group with a gidNumber. Now
add your users to the group. Now, provided you copy the data over and set
the permissions correctly, I think it should work.
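
The condition described in the reply above (a user's primary group, normally 'Domain Users', must carry a gidNumber or winbind ignores the user) can be checked over an LDIF export of the directory. This is an added example, not part of the original message and not Samba's own code; it assumes the export shows objectSid as a string SID, and the domain SID in the sample is a constructed placeholder.

```python
# Constructed sample: the DN, uidNumber and gidNumber come from the thread; the SIDs are placeholders.
SAMPLE_LDIF = """\
dn: CN=test,CN=Users,DC=humgen,DC=0zone
objectClass: user
sAMAccountName: test
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
primaryGroupID: 513
uidNumber: 9439
gidNumber: 5001

dn: CN=Domain Users,CN=Users,DC=humgen,DC=0zone
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
"""

def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry, last = {}, None
        for line in block.splitlines():
            if line.startswith(" ") and last:       # folded continuation line
                entry[last][-1] += line[1:]
            elif ": " in line and not line.startswith("#"):
                last, value = line.split(": ", 1)
                entry.setdefault(last, []).append(value)
        if entry:                                   # skip comment-only blocks
            entries.append(entry)
    return entries

def audit(entries):
    """List (user, problem) pairs where the primary group lacks a gidNumber."""
    groups = {e["objectSid"][0]: e for e in entries
              if "group" in e.get("objectClass", []) and "objectSid" in e}
    findings = []
    for e in entries:
        if not {"objectSid", "primaryGroupID"} <= e.keys() or "user" not in e.get("objectClass", []):
            continue
        name = e["sAMAccountName"][0]
        # The primary group's SID is the user's domain SID plus the primaryGroupID RID.
        domain_sid = e["objectSid"][0].rsplit("-", 1)[0]
        group = groups.get(f"{domain_sid}-{e['primaryGroupID'][0]}")
        if group is None:
            findings.append((name, "primary group not in export"))
        elif "gidNumber" not in group:
            findings.append((name, f"primary group '{group['sAMAccountName'][0]}' has no gidNumber"))
    return findings

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

The sample reports the `test` user because 'Domain Users' has no gidNumber, even though the user's own gidNumber is set.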

