[Samba] Domain member server: user access

Rowland Penny rpenny at samba.org
Tue Oct 10 14:25:08 UTC 2017

On Tue, 10 Oct 2017 15:54:45 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 2017-10-10 um 09:57 schrieb Rowland Penny via samba:
> > On Tue, 10 Oct 2017 09:19:11 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >>
> >> The admin there created a group via RSAT.
> >> And that group was not visible/usable on the DM server.
> > 
> > It wouldn't be if the group was created as just a windows group.
> How to create the group as unix group via RSAT?
> By adding the gidNumber, right?


> As asked before: do I have to keep track of the next free gidNumber
> myself? I assume there is some cool grep to read the highest used xid
> from LDAP or so ... ?

If you are using RSAT with the Unix Attributes tab it should create a
couple of extra attributes here:


Where 'samdom' will be your workgroup and 'DC=samdom,DC=example,DC=com'
is your suffix.

The attributes are:


and they contain the next Uid & Gid to use.

These attributes are only used by the Unix Attributes tab on RSAT, but
there is nothing stopping you writing a script to use them (hint, hint)

> >> Until here there was no decision for a uidNumber or gidNumber.
> >> He did not set one via RSAT. Does he have to do that?
> > 
> > On a DC, group will be given an xidNumber and if the libnss_winbind
> > links are set up, this will be used, but only on that DC
> > 
> > On a Unix domain member, it is different, the xidNumber will not be
> > used, because it isn't available.
> > You have two main options, use the winbind 'rid' backend, with this,
> > provided you use the same smb.conf on all Unix domain members, you
> > will get the required UIDs & GIDs without adding anything to AD.
> > There is a 'gotcha' though, you will have to use the template lines
> > in smb.conf for user shell & home dirs. Your users and groups would
> > also have different IDs on the DC.
> > If you want to have the same IDs everywhere, you will have to use
> > the winbind 'ad' backend and give your users & groups uidNumber and
> > gidNumber attributes, you will also be able to use the other RFC2307
> > attributes.
> > 
> > Whichever winbind backend you use on the Unix domain members, you
> > will also have to set up the libnss_winbind links. 
> OK, I think I understand.
> We use backend "ad" on the DM and the DM has
> /usr/lib64/libnss_winbind.so* and
> # grep winbind /etc/nsswitch.conf
> passwd:      compat winbind
> group:       compat winbind
> This is what you point me at, right?

Yes, but you also need PAM


More information about the samba mailing list