[Samba] Use of gidNumber attribute in user entry

mathias dufresne infractory at gmail.com
Mon Nov 21 16:40:49 UTC 2016


2016-11-21 16:00 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

>
> See inline comments:
>
> On Mon, 21 Nov 2016 14:47:13 +0000
> Brian Candler via samba <samba at lists.samba.org> wrote:
>
> > A few questions about Unix groups in Samba.
> >
> > (1) "samba-tool user add" has an option to set --gid-number. However,
> > I can't see that this attribute is ever used. Can someone confirm if
> > this is true?
>
> Not sure if it is ever really used, what I can say is, you do not need
> it.
>

It is used when you are using tools which use it. Just one example: SSSD is
configurable and you can tell that specific tool to use any LDAP attribute
to set Linux/UNIX users' primary group.
This option should set the field named gidNumber in your user objects. I
believe RFC 2307 says that gidNumber is the default field for the UNIX primary
group.

Winbind does not use the gidNumber field to fill in the UNIX primary group but
uses primaryGroupID, which is in fact the Windows primary group (i.e. Domain
Users by default). This difference is because Samba and Winbind are mainly
meant to serve Windows, not UNIX/Linux (they just run on them).


>
> >  From digging around previous mailing list postings (*), I surmise
> > the following:
> >
> > - the user's Unix primary gid is taken from their primary *Windows*
> > group (primaryGroupID, which points to the RID of a Windows group
> > entry)
>
> Correct
>
> >
> > - the Windows primary group must have a gidNumber attribute,
> > otherwise the user is not visible in Unix at all
>
> Correct
>
> >
> > - therefore the gidNumber attribute from the user entry appears to be
> > ignored. Is that right?
>
> As I said, you do not need to add a gidNumber to a user, they are all
> members of 'Domain Users', in fact, if this is changed, windows doesn't
> like it.
>

Ignored by Winbind[d].


>
> >
> > (2) I can create a new Windows group using "samba-tool group add",
> > but if I set the --gid-number for the group it rejects the request
> > unless I also pass in a --nis-domain:
>
> Correct
>

>
> >  > ERROR: Both --gid-number and --nis-domain have to be set for a
> > RFC2307-enabled group. Operation cancelled.
> >
> > What value should I put for nis-domain? Just the workgroup name?
> > AFAICS it ends up in the "msSFU30NisDomain" attribute but I don't
> > know what this is used for, or why it's mandatory.
>
> It was added because this is what ADUC does when adding Unix attributes.
>

Microsoft AD emulates NIS+ (formerly Yellow Pages). NIS is organised in
domains. For that they added an update to their LDAP schema (which should be
called msSFU3x).
msSFU30 + NIS + Domain => msSFU30NisDomain :)

That's the UNIX way of naming the domain. These NIS domains are there to get AD
users onto UNIX (and Linux) platforms.


>
> >
> > (3) It's traditional in Unix circles to have a primary group per user
> > with the same name as the user, as this makes it feasible to use
> > umask 0002 and easy file sharing.  Does this approach have to be
> > abandoned when using AD/Samba as the user directory?
>
> Yes, you cannot have a group with the same name as a user, so no user
> private groups.
>

sAMAccountName must be unique in AD, and users, groups and computers all have
a sAMAccountName. This field is limited to 20 characters, not in LDAP but in
Windows: when a Windows system has to use that field and it is more than 20
characters, Windows gives an error message.


>
> >
> > (4)  Is there a way to flush the winbind cache easily? When I make a
> > change to users/groups and they are not reflected on the client, I
> > have resorted to
> >      rm /var/lib/samba/*.tdb; service winbind restart
> > but that seems rather gross.
>
> run 'net cache flush'
>
> >
> > Thanks,
> >
> > Brian.
> >
> >
> > (*) There is a posting here:
> > https://lists.samba.org/archive/samba/2010-October/159033.html
> >
> > which points to a Samba page which no longer exists:
> >
> > http://wiki.samba.org/index.php/Samba_&_Active_Directory
> >
> > But apparently that page used to say:
> >
> > "You must make sure that the primary group of the Unix users in the AD
> > is also Unix enabled (with a GID) (A user whose primary group is not
> > also a Unix group will not show up on Unix at all !) "
> >
> > It also points to a thread from 2006:
> >
> > https://lists.samba.org/archive/samba/2006-August/123711.html
> >
>
> Things change ;-)
>
> See:
>
> https://wiki.samba.org/index.php/Idmap_config_ad#winbind_
> nss_info_.3D_rfc2307
>
> Rowland
>
> --
>
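An added example (Python, not Samba's or SSSD's own code) of the two primary-group resolutions compared in the thread above: winbind following primaryGroupID to the RID of a group and taking that group's gidNumber (ignoring the user's own gidNumber, and leaving the user invisible on UNIX when the group has none), versus reading gidNumber straight from the user entry as a tool like SSSD can be told to do. It also mirrors the samba-tool rule that --gid-number and --nis-domain must be set together. The domain SID, user entries and group entries are constructed for illustration, not taken from a real directory.

```python
# Added example (not Samba's or SSSD's code): resolve the UNIX primary GID of
# AD users two ways, as the thread describes.
#   winbind:  primaryGroupID -> group RID -> that group's gidNumber;
#             the user's own gidNumber is ignored, and a user whose primary
#             group has no gidNumber does not show up on UNIX at all.
#   RFC 2307: read gidNumber straight from the user entry (what a tool such
#             as SSSD can be configured to do).
# All entries and the domain SID below are constructed for illustration.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder


def rid_of(object_sid):
    """The RID is the last sub-authority of an objectSid; primaryGroupID
    stores a bare RID, so this is how the two are matched."""
    return int(object_sid.rsplit("-", 1)[1])


# Constructed group entries. 513 is the well-known RID of 'Domain Users'.
GROUPS = [
    {"sAMAccountName": "Domain Users", "objectSid": DOMAIN_SID + "-513",
     "gidNumber": 10000, "msSFU30NisDomain": "example"},
    {"sAMAccountName": "developers", "objectSid": DOMAIN_SID + "-1105",
     "gidNumber": 10001, "msSFU30NisDomain": "example"},
    # Windows-only group: no gidNumber, so it is not a UNIX group at all.
    {"sAMAccountName": "contractors", "objectSid": DOMAIN_SID + "-1106"},
]

# Constructed user entries. A gidNumber on the user is what
# 'samba-tool user add --gid-number' would have written.
USERS = [
    {"sAMAccountName": "alice", "uidNumber": 20001, "gidNumber": 20001,
     "primaryGroupID": 513},
    {"sAMAccountName": "bob", "uidNumber": 20002, "primaryGroupID": 1105},
    {"sAMAccountName": "carol", "uidNumber": 20003, "gidNumber": 20003,
     "primaryGroupID": 1106},
]


def winbind_primary_gid(user, groups):
    """winbind way: follow primaryGroupID to the group with that RID and use
    the group's gidNumber. Returns None when that group has no gidNumber,
    which means winbind will not expose the user on UNIX."""
    for group in groups:
        if rid_of(group["objectSid"]) == user["primaryGroupID"]:
            return group.get("gidNumber")
    return None


def rfc2307_primary_gid(user):
    """RFC 2307 way: the user's own gidNumber (None if it was never set)."""
    return user.get("gidNumber")


def rfc2307_group_attrs_ok(gid_number, nis_domain):
    """Mirror the rule samba-tool enforces on 'group add': gidNumber and
    msSFU30NisDomain are set together or not at all."""
    return (gid_number is None) == (nis_domain is None)


def resolve_all(users=USERS, groups=GROUPS):
    """Map each user name to (winbind_gid, rfc2307_gid); None in the first
    slot means 'invisible to winbind'."""
    return {u["sAMAccountName"]: (winbind_primary_gid(u, groups),
                                  rfc2307_primary_gid(u))
            for u in users}


if __name__ == "__main__":
    for name, (wb_gid, rfc_gid) in resolve_all().items():
        wb = "invisible on UNIX" if wb_gid is None else str(wb_gid)
        print(f"{name:8} winbind gid: {wb:18} user gidNumber: {rfc_gid}")
```

With the constructed data, alice resolves to Domain Users' gidNumber under winbind although her own entry carries a different gidNumber, bob has no user-level gidNumber for the RFC 2307 path at all, and carol is invisible to winbind because her primary group has no gidNumber even though her user entry does.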