[Samba] User management scripts in AD mode...

Marco Gaiarin gaio at sv.lnf.it
Wed Jul 12 11:05:06 UTC 2017

Mandi! Rowland Penny via samba
  In chel di` si favelave...

Sorry, without requoting all, i jump back to some old question. You

> The easiest way to find out what groups a users is a member of is to
> search the users DN for 'memberOf', though this will only show what
> Windows groups the user is a member of.

Seems to me that an equal easy mode is to look, in groups, to 'member',
that contain the full DN of the user.

'member' in group and 'memberOf' in users are 'keeped in sync' by
Samba/AD? Eg, contain the same info?

Or looking at ' member' in group i lost the nested group memberships?

Also, sorry, but still i don't understand: 'primaryGroupID' is a
''feature'' that are ''misused'' in AD domains, or is a limitation of
Samba implementation?
I want to write LDAP query as generic as possible, so knowing that...

> >  domain computers:*:515:
> The above group doesn't really need a gidNumber, it is only used by AD.


> >  domain admins:*:512:gaio,amaronese,lucaf
> Ah here is possible problem, if you give 'Domain Admins' a gidNumber,
> it just becomes a group as far as Unix is concerned, but 'Domain
> Admins' needs to be a user as well to own dirs in sysvol, this is what
> happens on a DC if 'Domain Admins doesn't have a gidNumber.

Ok. I make a note that i've not added 'gidNumber' by miself, but
'classigupgrade' do that.

> >  domain guests:*:514:
> This shouldn't have a gidNumber either, it is again mapped on a DC (and
> a Unix domain member by winbind)

OK. So this is another source of trouble, if i use sssd? Eg, winbind
will map correctly domain guests and sssd no?

> >  domain users:*:513:amaronese,gaio
> It is perfectly okay to give 'Domain Users' a gidNumber


> The main problem with the above gidNumbers is that they are all in the
> '500' range. Somebody, sometime in the past thought this was okay, Now,
> with hindsight, it has proved to be a bad idea ;-)

Eh... the 'legacy' troubles... ;)

> Using such low numbers means that you cannot have ANY local Unix users. 

Why?! Debian reserve uid/gid 0-1000 for ''system account', but really
use little few of that.
I've simply 'submapped' windows well known SID to '5XX' uid/gid, for a
obvious reason (keeping the RID equal to UID/GID).

Sorry but i don't understand...


dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list