[Samba] winbind idmap_ad rfc2037 can't read UIdnumber

Raphaël RIGNIER r.rignier at leschartreux.net
Tue Jul 5 17:53:20 UTC 2016


On 05/07/2016 at 19:40, Rowland penny wrote:
> On 05/07/16 17:56, Raphaël RIGNIER wrote:
>> The strange behavior is the different output between group object and 
>> user object
>>
>> and
>> net ads search -U administrator
>> net ads search -P
>>
>> in Samba Wiki, primarygroupid refers to the one for User's "Unix 
>> Attributes" tab. Which is in fact GidNumber. (I have made tests to 
>> check this)
>> The primaryGroupID attribute refers to Posix primary Group in user's 
>> "member of" tab. Which is a conversion from SID. Both are different 
>> numbers but point to the same group.
>> I find this quite confusing.
>
> Sorry, but that doesn't answer the question, have you changed the 
> user's 'PrimaryGroupID' attribute?
>
> If I do this:
>
> rowland at devstation:$ ldbsearch -H ldap://dc1 -b 
> 'cn=Users,dc=samdom,dc=example,dc=com' -s sub 
> '(&(objectclass=user)(samaccountname=rowland))' primaryGroupID -U 
> Administrator
> Password for [SAMDOM\Administrator]:
> # record 1
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> primaryGroupID: 513
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
> Which, as you can see, shows that my 'primaryGroupID' is set to '513', 
> this is what it should be, this is the RID for 'Domain Users'
>
> So if you run the command (making obvious changes for your setup), 
> what do you get ?
>
> To get winbind to return users when using the 'ad' backend, each user 
> needs to have a 'uidNumber' containing a unique number inside the 
> range set in smb.conf. You also need to give 'Domain Users' a 
> 'gidNumber' attribute containing a number inside the range set in 
> smb.conf, this number can be the same as a user, but must be unique 
> amongst groups.
>
> From this, I hope you can see that the users 'primaryGroupID' 
> attribute needs to contain the RID for 'Domain Users'.
>
> Rowland
>
>
Sorry. Here is the result

ldbsearch -H ldap://10.11.1.3 -b "OU=USERS,DC=ADDOMAIN,DC=com" -s sub 
'(samaccountname=b.btstest)' primarygroupID -U administrator
Password for [ADDOMAIN\rignier]:
# record 1
dn: CN=BTSTEST B,OU=info2,OU=USERS,DC=ADDOMAIN,DC=com
primaryGroupID: 513

# returned 1 records
# 1 entries
# 0 referrals

My PrimaryGroupID is indeed 513. I have tried the 'info2' RID, without 
more success so back to 513.
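
The rules listed in the quoted reply (a unique 'uidNumber' inside the smb.conf range for each user, an in-range 'gidNumber' unique amongst groups, 'primaryGroupID' holding the 'Domain Users' RID) can be checked over saved ldbsearch output. The script below is an added example, not part of the original thread or of Samba; the sample records, the function names and the range passed to check() are assumptions.

```python
import re

DOMAIN_USERS_RID = "513"  # RID of 'Domain Users', as stated in the quoted reply
# Constructed ldbsearch-style output; DNs and numbers are illustrative only.
SAMPLE = """\
# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
gidNumber: 10000

# record 2
dn: CN=Alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
primaryGroupID: 513
uidNumber: 10000

# record 3
dn: CN=Bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
primaryGroupID: 1105
uidNumber: 500
"""

def parse_records(text):
    """Return one dict per record: lower-cased attribute name -> list of values."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                rec.setdefault(key.lower(), []).append(value.strip())
        records.append(rec)
    return [r for r in records if "dn" in r]  # drops the trailing summary block

def check(records, low, high):
    """Return (dn, problem) pairs for entries that break the rules in the reply."""
    problems, seen = [], set()
    for rec in records:
        dn = rec["dn"][0]
        attr = "gidnumber" if "group" in rec.get("objectclass", []) else "uidnumber"
        value = rec.get(attr, [""])[0]
        if not (value.isdigit() and low <= int(value) <= high):
            problems.append((dn, f"{attr} missing or outside {low}-{high}"))
        elif (attr, value) in seen:  # a uid may equal a gid, but not another uid
            problems.append((dn, f"{attr} {value} already in use"))
        seen.add((attr, value))
        if attr == "uidnumber" and rec.get("primarygroupid", [""])[0] != DOMAIN_USERS_RID:
            problems.append((dn, "primaryGroupID is not the Domain Users RID"))
    return problems
```

Call check(parse_records(output), low, high) with the bounds of the idmap range from your own smb.conf; the search must request objectClass, uidNumber, gidNumber and primaryGroupID.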



