[Samba] winbind idmap_ad rfc2037 can't read UIdnumber

Rowland Penny rpenny at samba.org
Tue Jul 5 17:40:31 UTC 2016


On 05/07/16 17:56, Raphaël RIGNIER wrote:
> The strange behavior is the different output between group object and 
> user object
>
> and
> net ads search -U administrator
> net ads search -P
>
> In the Samba Wiki, primarygroupid refers to the one for the user's "Unix 
> Attributes" tab, which is in fact GidNumber. (I have made tests to 
> check this.)
> The primaryGroupID attribute refers to the Posix primary group in the user's 
> "member of" tab, which is a conversion from the SID. Both are different 
> numbers but point to the same group.
> I find this quite confusing.

Sorry, but that doesn't answer the question: have you changed the user's 
'PrimaryGroupID' attribute?

If I do this:

rowland@devstation:$ ldbsearch -H ldap://dc1 -b 'cn=Users,dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' primaryGroupID -U Administrator
Password for [SAMDOM\Administrator]:
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
primaryGroupID: 513

# returned 1 records
# 1 entries
# 0 referrals

Which, as you can see, shows that my 'primaryGroupID' is set to '513'. 
This is what it should be; this is the RID for 'Domain Users'.

So if you run the command (making obvious changes for your setup), what 
do you get?

To get winbind to return users when using the 'ad' backend, each user 
needs to have a 'uidNumber' containing a unique number inside the range 
set in smb.conf. You also need to give 'Domain Users' a 'gidNumber' 
attribute containing a number inside the range set in smb.conf; this 
number can be the same as a user's, but must be unique amongst groups.

From this, I hope you can see that the users' 'primaryGroupID' attribute 
needs to contain the RID for 'Domain Users'.

Rowland
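
The requirements listed in the message above, written as an offline check over ldbsearch output. This is an added example, not part of the original message and not Samba code; the ID range 10000-999999, the function names and the sample records are assumptions.

```python
# The ID range and the LDIF records below are constructed sample values.
ID_RANGE = (10000, 999999)  # assumed 'idmap config SAMDOM : range' in smb.conf
DOMAIN_USERS_RID = "513"    # RID of 'Domain Users', as shown in the message
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 10000

dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 10000
primaryGroupID: 513

dn: CN=Test User,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
uidNumber: 500
primaryGroupID: 1105
"""

def parse_ldif(text):
    """Yield one {attribute: [values]} dict per record of ldbsearch-style output."""
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                rec.setdefault(key.rstrip(":").lower(), []).append(value)
        if "dn" in rec:  # skips the '# returned N records' trailer
            yield rec

def in_range(values):
    return bool(values) and values[0].isdigit() and ID_RANGE[0] <= int(values[0]) <= ID_RANGE[1]

def check(records):  # returns (dn, problem) pairs for records that miss the requirements
    problems, gid_owner = [], {}
    for rec in records:
        dn, classes = rec["dn"][0], rec.get("objectclass", [])
        if "user" in classes:
            if not in_range(rec.get("uidnumber")):
                problems.append((dn, "uidNumber missing or outside range"))
            if rec.get("primarygroupid") != [DOMAIN_USERS_RID]:
                problems.append((dn, "primaryGroupID is not the Domain Users RID"))
        elif "group" in classes:
            gid = rec.get("gidnumber")
            if not in_range(gid):
                problems.append((dn, "gidNumber missing or outside range"))
            elif gid_owner.setdefault(gid[0], dn) != dn:
                problems.append((dn, "gidNumber already used by " + gid_owner[gid[0]]))
    return problems
```

Calling check(parse_ldif(SAMPLE_LDIF)) reports only the constructed 'Test User' record, once for its uidNumber and once for its primaryGroupID.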