[Samba] Force set group id on samba domain member

Michal Michal67M at seznam.cz
Tue Jul 24 22:12:17 UTC 2018


2018-07-24 23:26 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 24 Jul 2018 22:50:16 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> > >
> > > Do the users have a gidNumber attribute containing the gidNumber of
> > > the required group and if so, is the gidNumber inside the range set
> > > in smb.conf and is the version of Samba >= 4.6.0
> >
> > su - amistest
> > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > $ id
> > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
>
> Your ranges are really wrong, '100-9999' for the 'NIS' (and this is a
> stupid name) range, but I think it shows something strange, if I run
> 'id rowland' on a Unix domain member, I get:
>

  Yes, I know, but the name came from "Nemocnicni Informacni System", which
means "hospital information system" in Czech, many years ago. The user and
group uid numbers were taken from our hp-ux, which was the primary source of
users and groups when we started with LDAP. The gid of 20 is "users" in
hp-ux.
  And it was inserted into AD from LDAP during "samba classicupgrade".


>
> uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
>
> My 'idmap config' lines are similar to yours, but, as you can see, the
> users 'gid' is 'gid=10000(domain users)', yours is 'gid=20(games)', how
> is this possible ? '20' is outside the '100-9999' range.
>

  I forgot we have gid 20 :-(


>
> Do you have users & groups in AD and in /etc/passwd & /etc/group ?
>
> What is the OS
> What is the Active directory DC ?
>
>
  It is Linux, Samba 4.8.3:

[global]
        netbios name = AD1
        realm = UHN.NEMUH.CZ
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = NIS
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba.ad/var/locks/sysvol/uhn.nemuh.cz/scripts
        read only = No

[sysvol]
        path = /usr/local/samba.ad/var/locks/sysvol
        read only = No


  Michal






> Rowland
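
The range check Rowland asks about (is each gid inside the range set in smb.conf), as an added example that is not part of the original thread: it parses `idmap config ... : range` lines and `id` output and lists the group IDs that no range covers. The smb.conf fragment is constructed; only the NIS range '100-9999' and the `id` output come from the thread, and the '*' range and backends are assumptions.

```python
import re

# Constructed member-server smb.conf fragment. The NIS range is the one quoted
# in the thread; the '*' range and both backends are assumptions.
SMB_CONF = """\
[global]
    workgroup = NIS
    idmap config * : backend = tdb
    idmap config * : range = 10000-19999
    idmap config NIS : backend = ad
    idmap config NIS : range = 100-9999
"""

# `id` output for amistest as posted in the thread (group list shortened).
ID_OUTPUT = (r"uid=6603(NIS\amistest) gid=20(games) groups=20(games),"
             r"513(NIS\domain users),2108(NIS\evis),10001(BUILTIN\users)")

RANGE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
                   re.I | re.M)
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def idmap_ranges(conf):
    """Map each idmap domain (upper-cased, '*' = default) to (low, high)."""
    return {d.upper(): (int(lo), int(hi)) for d, lo, hi in RANGE.findall(conf)}


def group_entries(id_line):
    """Return unique (gid, name) pairs from the gid= and groups= fields."""
    _, _, rest = id_line.partition(" gid=")
    return list(dict.fromkeys((int(n), name) for n, name in ENTRY.findall(rest)))


def out_of_range(entries, ranges):
    """Return (gid, name, reason) for IDs outside the configured idmap ranges."""
    findings = []
    for gid, name in entries:
        dom, sep, _ = name.partition("\\")
        if sep:  # DOMAIN\name: use that domain's range, else the default '*'
            key = dom.upper() if dom.upper() in ranges else "*"
            lo, hi = ranges[key]
            if not lo <= gid <= hi:
                findings.append((gid, name, f"outside '{key}' range {lo}-{hi}"))
        elif not any(lo <= gid <= hi for lo, hi in ranges.values()):
            # Unprefixed name and no range covers the number: a local group
            findings.append((gid, name, "in no idmap range; check /etc/group"))
    return findings


if __name__ == "__main__":
    for finding in out_of_range(group_entries(ID_OUTPUT), idmap_ranges(SMB_CONF)):
        print(finding)
```

On the thread's data the only finding is gid 20, which the member resolves to the local group `games`.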