[Samba] winbind behavior question

Rowland Penny rpenny at samba.org
Mon Jul 23 10:01:28 UTC 2018


On Mon, 23 Jul 2018 17:19:07 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-23 17:02 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > On Mon, 23 Jul 2018 16:46:50 +0800
> > d tbsky <tbskyd at gmail.com> wrote:
> >
> >> 2018-07-23 16:04 GMT+08:00 Rowland Penny via samba
> >> <samba at lists.samba.org>:
> >
> >
> >> >> >>>    idmap config SAMDOM:range = 1000-999999
> >
> >> >>    idmap config SAMDOM:unix_primary_group = yes
> >> >
> >> > That isn't a bug, it is a feature ;-)
> >> > Before 4.6.0 everyone got 'Domain Users' as their primary Unix
> >> > group, but from 4.6.0, you can give users a gidNumber attribute
> >> > and, with the line above, this will be used for the user's primary
> >> > Unix group. Whatever gidNumber is used, this must point to a
> >> > group i.e. the group must have the same gidNumber.
> >> > If the line doesn't exist, it falls back to using Domain Users,
> >> > so Domain Users must have a gidNumber.
> >> >
> >> > Rowland
> >>
> >> Hi:
> >>     Yes, I like this feature and from now on I will use this
> >> feature. But unfortunately the fallback (default setting) is not
> >> working. I think it is a bug because " idmap config
> >> SAMDOM:unix_primary_group = no" is not working as expected,
> >> although I will never use that again.
> >
> > That is the default setting and as such, the line doesn't need to be
> > there unless you want/need to set it to 'yes'.
> > If it isn't set then Domain Users must have a gidNumber attribute
> > containing a number inside the range set in smb.conf, in your case
> > '1000-999999'.
> > If a gidNumber isn't set in the user's object (again inside the
> > range) and Domain Users doesn't have a gidNumber, then all your
> > users will be ignored.
> >
> > Rowland
> 
> Hi:
>    Yes, I know. If the users are ignored, they cannot log in. In my
> case, all users can log in, so I didn't notice the difference.

When I said 'ignored', I should have said 'ignored by Unix'. If your
users are logging into Windows, then they are not using the uidNumber &
gidNumber attributes; they are using the objectSid & primaryGroupID
attributes.

> until I
> found "getent passwd" and "id xxxx" are not working.

They are the ones that rely on the uidNumber and gidNumber or
primaryGroupID attributes.

> 
> With "unix_primary_group =no", all users need to have a valid primary
> group id.

No, ALL users (Unix or Windows) rely on the primaryGroupID attribute
and this MUST be set to '513', if you change this, you break AD.
Before 4.6.0, Unix users relied on Domain Users having a gidNumber,
from 4.6.0, you can override this by giving a group a gidNumber and
using this gidNumber for the users.
NOTE: you can use different groups for different users.

> But maybe now there is a new method to set up the primary group
> id that I don't know. In the old days we needed to use Windows ADUC or ldbmodify
> to set up the primary group id.

If, as it sounds, you were altering the user's primaryGroupID attribute,
then you should not have been doing this, because Windows expects every
user to be a member of Domain Users.

> Or, as you said, let "Domain Users" have
> an rfc2037 gid. They worked fine until recent 4.6/4.7.

It still works for me, it sounds like you were doing something you
shouldn't.
 
Rowland
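The rules Rowland lays out above (every user keeps primaryGroupID 513, 'Domain Users' needs a gidNumber inside the idmap range, and with `unix_primary_group = yes` a per-user gidNumber must match a group's gidNumber and also sit inside the range) are easy to get wrong by hand. The following script is an added example, not part of this thread and not Samba project code. It encodes those rules as stated in the thread and audits a constructed set of AD objects against them; the attribute names are the standard AD/rfc2307 ones that `ldbsearch` or `samba-tool` show, but every value below is made up, and the script does not claim to reproduce winbind's internal idmap_ad logic beyond what the thread states.

```python
# Added example: audit AD user/group objects against the primary-group rules
# described in the thread. Sample objects are constructed, not a real dump.

DOMAIN_USERS_RID = 513  # well-known RID of 'Domain Users'; must stay every user's primaryGroupID

# Constructed sample groups (values made up).
SAMPLE_GROUPS = [
    {"cn": "Domain Users", "gidNumber": 10000},
    {"cn": "developers", "gidNumber": 20000},
    {"cn": "nogid"},  # a group with no rfc2307 gidNumber at all
]

# Constructed sample users (values made up), each illustrating one case:
#   alice - per-user gidNumber that matches a real group
#   bob   - no gidNumber, so falls back to Domain Users
#   carol - gidNumber that matches no group (dangling)
#   dave  - primaryGroupID changed away from 513 (breaks AD membership)
#   erin  - uidNumber outside the idmap range
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "uidNumber": 10001, "gidNumber": 20000, "primaryGroupID": 513},
    {"sAMAccountName": "bob", "uidNumber": 10002, "primaryGroupID": 513},
    {"sAMAccountName": "carol", "uidNumber": 10003, "gidNumber": 30000, "primaryGroupID": 513},
    {"sAMAccountName": "dave", "uidNumber": 10004, "primaryGroupID": 20000},
    {"sAMAccountName": "erin", "uidNumber": 2000000, "primaryGroupID": 513},
]


def parse_range(text):
    """Parse an 'idmap config DOMAIN:range = LOW-HIGH' value into (low, high)."""
    low, high = (int(part) for part in text.split("-"))
    return low, high


def unix_primary_gid(user, groups, idmap_range, unix_primary_group):
    """Return the Unix gid the thread's rules would assign to `user`,
    or None when no rule yields a usable gid (the user is ignored on the Unix side)."""
    low, high = idmap_range
    group_gids = {g["gidNumber"] for g in groups if "gidNumber" in g}
    if unix_primary_group and "gidNumber" in user:
        gid = user["gidNumber"]
        # the user's gidNumber must belong to an existing group and lie inside the range
        return gid if (low <= gid <= high and gid in group_gids) else None
    # default behaviour: fall back to the gidNumber of Domain Users
    domain_users = next((g for g in groups if g["cn"] == "Domain Users"), {})
    gid = domain_users.get("gidNumber")
    return gid if (gid is not None and low <= gid <= high) else None


def audit(users, groups, range_text, unix_primary_group):
    """Return {sAMAccountName: [problem, ...]} for every user that breaks a rule."""
    idmap_range = parse_range(range_text)
    low, high = idmap_range
    findings = {}
    for user in users:
        problems = []
        if user.get("primaryGroupID") != DOMAIN_USERS_RID:
            problems.append(f"primaryGroupID={user.get('primaryGroupID')} (must stay {DOMAIN_USERS_RID})")
        uid = user.get("uidNumber")
        if uid is None or not low <= uid <= high:
            problems.append(f"uidNumber={uid} is outside idmap range {low}-{high}")
        if unix_primary_gid(user, groups, idmap_range, unix_primary_group) is None:
            problems.append("no usable primary Unix group (user would be ignored by Unix)")
        if problems:
            findings[user["sAMAccountName"]] = problems
    return findings


if __name__ == "__main__":
    for setting in (False, True):
        print(f"unix_primary_group = {'yes' if setting else 'no'}")
        for name, problems in audit(SAMPLE_USERS, SAMPLE_GROUPS, "1000-999999", setting).items():
            print(f"  {name}: {'; '.join(problems)}")
```

With the sample data, `unix_primary_group = no` flags only dave and erin (carol's dangling gidNumber is irrelevant because the fallback to Domain Users is used), while `unix_primary_group = yes` additionally flags carol. Removing the gidNumber from Domain Users makes every user fail under the default setting, which is the "all your users will be ignored" case from the thread.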
