[Samba] winbind behavior question

d tbsky tbskyd at gmail.com
Mon Jul 23 09:19:07 UTC 2018

2018-07-23 17:02 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 23 Jul 2018 16:46:50 +0800
> d tbsky <tbskyd at gmail.com> wrote:
>> 2018-07-23 16:04 GMT+08:00 Rowland Penny via samba
>> <samba at lists.samba.org>:
>> >>    idmap config SAMDOM:range = 1000-999999
>> >>    idmap config SAMDOM:unix_primary_group = yes
>> >
>> > That isn't a bug, it is a feature ;-)
>> > Before 4.6.0 everyone got 'Domain Users' as their primary Unix
>> > group, but from 4.6.0, you can give users a gidNumber attribute
>> > and, with the line above, this will be used for the user's primary
>> > Unix group. Whatever gidNumber is used, this must point to a group
>> > i.e. the group must have the same gidNumber.
>> > If the line doesn't exist, it falls back to using Domain Users, so
>> > Domain Users must have a gidNumber.
>> >
>> > Rowland
>> Hi:
>>     Yes, I like this feature and from now on I will use this feature.
>> But unfortunately the fallback (default setting) is not working.
>> I think it is a bug because "idmap config SAMDOM:unix_primary_group =
>> no" is not working as expected, although I will never use that again.
> That is the default setting and as such, the line doesn't need to be
> there unless you want/need to set it to 'yes'.
> If it isn't set then Domain Users must have a gidNumber attribute
> containing a number inside the range set in smb.conf, in your case
> '1000-999999'.
> If a gidNumber isn't set in the user's object (again inside the range)
> and Domain Users doesn't have a gidNumber, then all your users will be
> ignored.
> Rowland

   Yes, I know. If the users are ignored, they cannot log in. In my
case, all users can log in, so I didn't notice the difference until I
found that "getent passwd" and "id xxxx" are not working.

With "unix_primary_group = no", all users need to have a valid primary
group id. But maybe there is now a new method to set up the primary group
id that I don't know. In the old days we needed to use Windows ADUC or
ldbmodify to set up the primary group id, or, as you said, let "domain
users" have an rfc2037 gid. They were working fine until the recent 4.6/4.7.
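
An added example, not part of the original thread and not Samba code: a small Python audit that applies the rule as described in the quoted replies to a constructed set of directory entries and reports which users would have no resolvable primary Unix group under each setting. The sample names, the name-to-gidNumber layout and the function names are assumptions for illustration.

```python
# Model of the rule as described in the thread; not winbind's implementation.
ID_RANGE = (1000, 999999)  # idmap config SAMDOM:range = 1000-999999

# Constructed sample entries (hypothetical names and values): name -> gidNumber
GROUPS = {"Domain Users": None, "staff": 10001, "legacy": 500}
USERS = {"alice": 10001, "bob": None, "carol": 500, "dave": 20002}


def check_gid(gid, groups, id_range):
    """Return None if gid is usable, otherwise the reason it is not."""
    if gid is None:
        return "no gidNumber set"
    if not id_range[0] <= gid <= id_range[1]:
        return f"gidNumber {gid} outside range {id_range[0]}-{id_range[1]}"
    if gid not in groups.values():
        return f"no group has gidNumber {gid}"
    return None


def audit(users, groups, unix_primary_group, id_range=ID_RANGE):
    """Map each user without a resolvable primary Unix group to the reason."""
    problems = {}
    if unix_primary_group:
        # 'yes': each user's own gidNumber is used and must match a group.
        # Assumption: a user without gidNumber is reported, not defaulted.
        for name, gid in sorted(users.items()):
            reason = check_gid(gid, groups, id_range)
            if reason:
                problems[name] = reason
    else:
        # Default ('no'): every user depends on Domain Users having a gidNumber.
        reason = check_gid(groups.get("Domain Users"), groups, id_range)
        if reason:
            problems = {name: f"Domain Users: {reason}" for name in sorted(users)}
    return problems


if __name__ == "__main__":
    for setting in (True, False):
        print("unix_primary_group =", "yes" if setting else "no")
        for name, reason in audit(USERS, GROUPS, setting).items():
            print(f"  {name}: {reason}")
```

Users reported here are the ones to check with "getent passwd" and "id" on a domain member.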
