[Samba] User management scripts in AD mode...

Marco Gaiarin gaio at sv.lnf.it
Mon Jul 10 14:58:41 UTC 2017

Mandi! Rowland Penny via samba
  In chel di` si favelave...

[As you are supposing, i'm back... sorry to all...]

> > > Hope this helps, but feel free to ask any questions.
> > I try to summarize:

> > a) as i supposed 'RFC2307 group membership' are totally ignored by
> >  samba, so i can use RFC2307 schema to associate UID to users and GID
> > to group, but the relation between UID and GID (eg, membership) in
> > UNIX are directly derivated by Windows membership only. Good.
> Correct

> > b) changing ''primary'' windows group from 'Domain Users' to other
> >  group are supported only by samba 4.6.0 and newer.
> Correct

> > c) (Windows) membership are expressed using 'member' in group object
> >  (full DN of the users) but also using 'primaryGroupID' in user object
> > (RID of the group; for b) above, primaryGroupID is ever '513').
> > d) in (Windows) membership, if a user have a primary group, the group
> >  does not have the relative full user DN in 'member'; again for b)
> > above, group 'Doamin Users' have no 'member' because all users have
> > primaryGroupID=513
> Every Windows domain users primary group is '513' (this is Domain
> Users), but is not shown anywhere else in AD. there are no 'member' or
> 'memberof' attributes anywhere that refer to members of Domain Users.
> It just relies on the 'primaryGroupID' attribute (which if your care to
> check, is set to 515 for computers)

OK. But ''generally'' (AD domains) speaking, and specifically for samba
 >= 4.6, i can modify 'primaryGroupID', or...

> > 2) Supposing i'm using samba >= 4.6, to make a LDAP query that return
> >  all the memberships correctly i need to look for 'member' in groups
> > and 'primaryGroupID' in users; there's just an LDAP query about that?
> > Eg, a query that, given a group name/DN, return all users (as DN or
> > UID) that belong to that group?
> There is absolutely no need to search for the primaryGroupID of any AD
> user, it will always be '513' unless somebody has been stupid enough to
> change it, in which case they have broken the windows user.

you are speaking about a ''feature'' that are not practically used, and
so in AD domain all is supposing that useras have primaryGroupID as 513
and hosts/machines 515?!

Why samba support a feature that have not to be used?

> > If i'm right, i'have two question:

> > 1) a) work also for nested group, right? eg, if i've nested group, the
> >  windows<-UNIX mapping of memberships simply ''flatten'' the windows
> > membership in UNIX UID?
> If you add a group to a group, your Unix users will gain membership of
> the parent group, but the parent group must also have a gidNumber to be
> used on a Unix machine.

Obviously. Super clear.

> The easiest way to find out what groups a users is a member of is to
> search the users DN for 'memberOf', though this will only show what
> Windows groups the user is a member of. If you only want to find and
> display the Unix groups, you will then have to check each group a
> user is a member of, to see if it has a gidNumber attribute, you
> would then have to check if the group is also a member of another group
> and then check if this possible other group has a gidNumber and if this
> group is also a member of another group and so on. This could get
> complicated.

Ok. Thanks.

I add another question, lurking the list in these weeks. It seems to me
that some users/group does not to have UID/GID (i suppose generically
rfc2307 data) assigned.
Eg, looking also at your answer here, seems that Admnistrator it is
better not to have UID and only 'domain users' and 'domain computers'
need a UID.

After the migration with 'classicupgrade' i've:

 root at lupus:~# getent passwd | grep -i administrator
 root at lupus:~# getent group | egrep ":5[0-9][0-9]:"
 domain computers:*:515:
 domain admins:*:512:gaio,amaronese,lucaf
 domain guests:*:514:
 domain users:*:513:amaronese,gaio

i need to remove GID for domain admins and domain guests?


dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list