[Samba] Use of gidNumber attribute in user entry

Rowland Penny rpenny at samba.org
Mon Nov 21 15:00:12 UTC 2016 

See inline comments:

On Mon, 21 Nov 2016 14:47:13 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:

> A few questions about Unix groups in Samba.
> 
> (1) "samba-tool user add" has an option to set --gid-number. However,
> I can't see that this attribute is ever used. Can someone confirm if
> this is true?

Not sure if it is ever really used, what I can say is, you do not need
it.

> 
>  From digging around previous mailing list postings (*), I surmise
> the following:
> 
> - the user's Unix primary gid is taken from their primary *Windows* 
> group (primaryGroupID, which points to the RID of a Windows group
> entry)

Correct

> 
> - the Windows primary group must have a gidNumber attribute,
> otherwise the user is not visible in Unix at all

Correct

> 
> - therefore the gidNumber attribute from the user entry appears to be 
> ignored. Is that right?

As I said, you do not need to add a gidNumber to a user, they are all
members of 'Domain Users', in fact, if this is changed, windows doesn't
like it.

> 
> (2) I can create a new Windows group using "samba-tool group add",
> but if I set the --gid-number for the group it rejects the request
> unless I also pass in a --nis-domain:

Correct

> 
>  > ERROR: Both --gid-number and --nis-domain have to be set for a 
> RFC2307-enabled group. Operation cancelled.
> 
> What value should I put for nis-domain? Just the workgroup name?
> AFAICS it ends up in the "msSFU30NisDomain" attribute but I don't
> know what this is used for, or why it's mandatory.

It was added because this is what ADUC does when adding Unix attributes.

> 
> (3) It's traditional in Unix circles to have a primary group per user 
> with the same name as the user, as this makes it feasible to use
> umask 0002 and easy file sharing.  Does this approach have to be
> abandoned when using AD/Samba as the user directory?

Yes, you cannot have a group with the same name as a user, so no user
private groups.

> 
> (4)  Is there a way to flush the winbind cache easily? When I make a 
> change to users/groups and they are not reflected on the client, I
> have resorted to
>      rm /var/lib/samba/*.tdb; service winbind restart
> but that seems rather gross.

run 'net cache flush'

> 
> Thanks,
> 
> Brian.
> 
> 
> (*) There is a posting here: 
> https://lists.samba.org/archive/samba/2010-October/159033.html
> 
> which points to a Samba page which no longer exists:
> 
> http://wiki.samba.org/index.php/Samba_&_Active_Directory
> 
> But apparently that page used to say:
> 
> "You must make sure that the primary group of the Unix users in the AD
> is also Unix enabled (with a GID) (A user whose primary group is not
> also a Unix group will not show up on Unix at all !) "
> 
> It also points to a thread from 2006:
> 
> https://lists.samba.org/archive/samba/2006-August/123711.html
> 

Things change ;-)

See:

https://wiki.samba.org/index.php/Idmap_config_ad#winbind_nss_info_.3D_rfc2307

Rowland

More information about the samba mailing list