[Samba] Use of gidNumber attribute in user entry
b.candler at pobox.com
Mon Nov 21 14:47:13 UTC 2016
A few questions about Unix groups in Samba.
(1) "samba-tool user add" has an option to set --gid-number. However, I
can't see that this attribute is ever used. Can someone confirm if this
From digging around previous mailing list postings (*), I surmise the
- the user's Unix primary gid is taken from their primary *Windows*
group (primaryGroupID, which points to the RID of a Windows group entry)
- the Windows primary group must have a gidNumber attribute, otherwise
the user is not visible in Unix at all
- therefore the gidNumber attribute from the user entry appears to be
ignored. Is that right?
(2) I can create a new Windows group using "samba-tool group add", but
if I set the --gid-number for the group it rejects the request unless I
also pass in a --nis-domain:
> ERROR: Both --gid-number and --nis-domain have to be set for a
> RFC2307-enabled group. Operation cancelled.
What value should I put for nis-domain? Just the workgroup name? AFAICS
it ends up in the "msSFU30NisDomain" attribute but I don't know what
this is used for, or why it's mandatory.
(3) It's traditional in Unix circles to have a primary group per user
with the same name as the user, as this makes it feasible to use umask
0002 and easy file sharing. Does this approach have to be abandoned
when using AD/Samba as the user directory?
(4) Is there a way to flush the winbind cache easily? When I make a
change to users/groups and they are not reflected on the client, I have
rm /var/lib/samba/*.tdb; service winbind restart
but that seems rather gross.
(*) There is a posting here:
which points to a Samba page which no longer exists:
But apparently that page used to say:
"You must make sure that the primary group of the Unix users in the AD
is also Unix enabled (with a GID) (A user whose primary group is not
also a Unix group will not show up on Unix at all !) "
It also points to a thread from 2006:
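As an added illustration (not code from the post or from Samba), the rule surmised in (1) and quoted from the old wiki page can be expressed as a pre-flight check over directory entries: a user is visible on Unix only if the group whose SID is domain SID plus the user's primaryGroupID RID carries a gidNumber, while a gidNumber on the user entry itself plays no part. The LDIF-style input, the domain SID and the assumption that the user must also carry a uidNumber (as the RFC2307 idmap backend requires) are constructed for this example.

```python
# Constructed sample, not a real directory dump. Domain SID is a placeholder.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"

SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
primaryGroupID: 513
uidNumber: 10001
gidNumber: 20001

dn: CN=devs,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1105

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
primaryGroupID: 1105
uidNumber: 10002
gidNumber: 20002
"""


def parse_ldif(text):
    """Split LDIF-like text into one {attribute: value} dict per entry.
    Only single-valued attributes are handled, which is enough here."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr] = value
        entries.append(entry)
    return entries


def unix_identity(entries, username, domain_sid=DOMAIN_SID):
    """Return the (uid, gid) the user would get on Unix, or None if the
    user would not be visible at all. The gid comes from the primary
    Windows group's gidNumber; the user's own gidNumber is ignored."""
    by_sid = {e["objectSid"]: e for e in entries if "objectSid" in e}
    user = next((e for e in entries if e.get("sAMAccountName") == username), None)
    if user is None or "uidNumber" not in user:
        return None  # assumption: no uidNumber, no Unix identity
    # primaryGroupID holds only the RID; the group's SID is domain SID + RID
    group = by_sid.get(f"{domain_sid}-{user['primaryGroupID']}")
    if group is None or "gidNumber" not in group:
        return None  # primary group not Unix-enabled: user is invisible
    return int(user["uidNumber"]), int(group["gidNumber"])
```

With the sample above, alice resolves to uid 10001 / gid 10000 (her own gidNumber 20001 is not used), and bob gets nothing because his primary group "devs" has no gidNumber.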