[Samba] Use of gidNumber attribute in user entry
rpenny at samba.org
Mon Nov 21 15:00:12 UTC 2016
See inline comments:
On Mon, 21 Nov 2016 14:47:13 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:
> A few questions about Unix groups in Samba.
> (1) "samba-tool user add" has an option to set --gid-number. However,
> I can't see that this attribute is ever used. Can someone confirm if
> this is true?
Not sure if it is ever really used, what I can say is, you do not need
> From digging around previous mailing list postings (*), I surmise
> the following:
> - the user's Unix primary gid is taken from their primary *Windows*
> group (primaryGroupID, which points to the RID of a Windows group
> - the Windows primary group must have a gidNumber attribute,
> otherwise the user is not visible in Unix at all
> - therefore the gidNumber attribute from the user entry appears to be
> ignored. Is that right?
As I said, you do not need to add a gidNumber to a user, they are all
members of 'Domain Users', in fact, if this is changed, windows doesn't
> (2) I can create a new Windows group using "samba-tool group add",
> but if I set the --gid-number for the group it rejects the request
> unless I also pass in a --nis-domain:
> > ERROR: Both --gid-number and --nis-domain have to be set for a
> RFC2307-enabled group. Operation cancelled.
> What value should I put for nis-domain? Just the workgroup name?
> AFAICS it ends up in the "msSFU30NisDomain" attribute but I don't
> know what this is used for, or why it's mandatory.
It was added because this is what ADUC does when adding Unix attributes.
> (3) It's traditional in Unix circles to have a primary group per user
> with the same name as the user, as this makes it feasible to use
> umask 0002 and easy file sharing. Does this approach have to be
> abandoned when using AD/Samba as the user directory?
Yes, you cannot have a group with the same name as a user, so no user
> (4) Is there a way to flush the winbind cache easily? When I make a
> change to users/groups and they are not reflected on the client, I
> have resorted to
> rm /var/lib/samba/*.tdb; service winbind restart
> but that seems rather gross.
run 'net cache flush'
> (*) There is a posting here:
> which points to a Samba page which no longer exists:
> But apparently that page used to say:
> "You must make sure that the primary group of the Unix users in the AD
> is also Unix enabled (with a GID) (A user whose primary group is not
> also a Unix group will not show up on Unix at all !) "
> It also points to a thread from 2006:
Things change ;-)
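The rule surmised above and in the quoted wiki text (a user's Unix primary gid is the gidNumber of the group that primaryGroupID points to, the user's own gidNumber is not consulted, and a user whose primary group has no gidNumber is not visible on Unix) as an added example that is not code from this thread or from Samba itself; the domain SID and the LDIF entries are constructed sample data in the shape `ldbsearch` prints:

```python
# Added example, not from the thread; domain SID and LDIF below are constructed.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"

def parse_ldif(text):
    """Parse single-line-attribute LDIF into a list of {attr: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:      # trailing "" flushes last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            key, _, val = line.partition(": ")
            cur.setdefault(key, []).append(val)
    return entries

def unix_primary_gid(user, groups, domain_sid=DOMAIN_SID):
    """gid winbind uses for `user`, or None when its primary group has no
    gidNumber (user invisible on Unix). The user's own gidNumber is ignored."""
    group_sid = f"{domain_sid}-{user['primaryGroupID'][0]}"   # domain SID + RID
    for g in groups:
        if g.get("objectSid", [None])[0] == group_sid:
            return int(g["gidNumber"][0]) if "gidNumber" in g else None
    return None                                 # primary group not found at all

def unix_visibility(ldif_text, domain_sid=DOMAIN_SID):
    """Map sAMAccountName -> effective gid (None = not visible on Unix)."""
    entries = parse_ldif(ldif_text)
    users = [e for e in entries if "primaryGroupID" in e]   # only users carry it
    groups = [e for e in entries if "primaryGroupID" not in e and "objectSid" in e]
    return {u["sAMAccountName"][0]: unix_primary_gid(u, groups, domain_sid)
            for u in users}

SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
primaryGroupID: 513
gidNumber: 5000

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
primaryGroupID: 1105

dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 10000

dn: CN=devs,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1105
"""
```

With the sample data alice gets gid 10000 from Domain Users despite her own gidNumber of 5000, and bob gets None because his primary group has no gidNumber.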