[Samba] Use of gidNumber attribute in user entry

Brian Candler b.candler at pobox.com
Mon Nov 21 14:47:13 UTC 2016

A few questions about Unix groups in Samba.

(1) "samba-tool user add" has an option to set --gid-number. However, I 
can't see that this attribute is ever used. Can someone confirm if this 
is true?

 From digging around previous mailing list postings (*), I surmise the 

- the user's Unix primary gid is taken from their primary *Windows* 
group (primaryGroupID, which points to the RID of a Windows group entry)

- the Windows primary group must have a gidNumber attribute, otherwise 
the user is not visible in Unix at all

- therefore the gidNumber attribute from the user entry appears to be 
ignored. Is that right?

(2) I can create a new Windows group using "samba-tool group add", but 
if I set the --gid-number for the group it rejects the request unless I 
also pass in a --nis-domain:

 > ERROR: Both --gid-number and --nis-domain have to be set for a 
RFC2307-enabled group. Operation cancelled.

What value should I put for nis-domain? Just the workgroup name? AFAICS 
it ends up in the "msSFU30NisDomain" attribute but I don't know what 
this is used for, or why it's mandatory.

(3) It's traditional in Unix circles to have a primary group per user 
with the same name as the user, as this makes it feasible to use umask 
0002 and easy file sharing.  Does this approach have to be abandoned 
when using AD/Samba as the user directory?

(4)  Is there a way to flush the winbind cache easily? When I make a 
change to users/groups and they are not reflected on the client, I have 
resorted to
     rm /var/lib/samba/*.tdb; service winbind restart
but that seems rather gross.



(*) There is a posting here: 

which points to a Samba page which no longer exists:


But apparently that page used to say:

"You must make sure that the primary group of the Unix users in the AD
is also Unix enabled (with a GID) (A user whose primary group is not
also a Unix group will not show up on Unix at all !) "

It also points to a thread from 2006:


More information about the samba mailing list