[Samba] winbind idmap_ad rfc2037 can't read UIdnumber
Rowland Penny
rpenny at samba.org
Tue Jul 5 17:40:31 UTC 2016
On 05/07/16 17:56, Raphaël RIGNIER wrote:
> The strange behavior is the different output between group object and
> user object
>
> and
> net ads search -U administrator
> net ads search -P
>
> in Samba Wiki, primarygroupid refers to the one for User's "Unix
> Attributes" tab. Which is in fact GidNumber. (I have made tests to
> check this)
> The primaryGroupID attribute refers to Posix primary Group in user's
> "member of" tab. Which is a conversion from SID. Both are different
> numbers but points to same group.
> I find this quite confusing
Sorry, but that doesn't answer the question, have you changed the user's
'PrimaryGroupID' attribute?
If I do this:
rowland@devstation:$ ldbsearch -H ldap://dc1 -b 'cn=Users,dc=samdom,dc=example,dc=com' -s sub '(&(objectclass=user)(samaccountname=rowland))' primaryGroupID -U Administrator
Password for [SAMDOM\Administrator]:
# record 1
dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
primaryGroupID: 513
# returned 1 records
# 1 entries
# 0 referrals
Which, as you can see, shows that my 'primaryGroupID' is set to '513',
this is what it should be, this is the RID for 'Domain Users'.
So if you run the command (making obvious changes for your setup), what
do you get?
To get winbind to return users when using the 'ad' backend, each user
needs to have a 'uidNumber' containing a unique number inside the range
set in smb.conf. You also need to give 'Domain Users' a 'gidNumber'
attribute containing a number inside the range set in smb.conf, this
number can be the same as a user, but must be unique amongst groups.
From this, I hope you can see that the user's 'primaryGroupID' attribute
needs to contain the RID for 'Domain Users'.
Rowland
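
Added example (not part of the original message and not Samba code): a small Python check that applies the three requirements described above to ldbsearch-style output and reports which entries fail them. The ID range, the sample records and the function names are assumptions made for illustration; substitute the range from your own smb.conf.

```python
from collections import Counter

DOMAIN_USERS_RID = "513"    # RID for 'Domain Users', as stated in the message
ID_RANGE = (10000, 999999)  # assumption: the idmap range configured in smb.conf
# Constructed ldbsearch-style records (sample data, not from the thread).
SAMPLE = """\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectSid: S-1-5-21-1-2-3-513
gidNumber: 10000

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
primaryGroupID: 513
uidNumber: 10001

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
primaryGroupID: 513

dn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com
primaryGroupID: 1105
uidNumber: 500
"""

def parse(text):
    """Split ldbsearch-style output into one attribute dict per record."""
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l and l[0] != "#")
            for b in text.strip().split("\n\n")]

def in_range(value):
    return bool(value) and value.isdigit() and ID_RANGE[0] <= int(value) <= ID_RANGE[1]

def audit(records):
    """Map each DN to the requirements from the message that it fails."""
    users = [r for r in records if "primaryGroupID" in r]
    groups = [r for r in records if "primaryGroupID" not in r]
    uids = Counter(u.get("uidNumber") for u in users)
    gids = Counter(g.get("gidNumber") for g in groups)
    problems = {}
    for g in groups:
        if g.get("objectSid", "").endswith("-" + DOMAIN_USERS_RID):
            if not in_range(g.get("gidNumber")) or gids[g["gidNumber"]] > 1:
                problems[g["dn"]] = ["gidNumber missing, out of range or not unique"]
    for u in users:
        found = []
        if not in_range(u.get("uidNumber")) or uids[u["uidNumber"]] > 1:
            found.append("uidNumber missing, out of range or not unique")
        if u["primaryGroupID"] != DOMAIN_USERS_RID:
            found.append("primaryGroupID is not the RID for Domain Users")
        problems[u["dn"]] = found
    return {dn: found for dn, found in problems.items() if found}
```

Calling audit(parse(SAMPLE)) flags bob (no uidNumber) and carol (uidNumber outside the range and a changed primaryGroupID), while alice and Domain Users pass.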