[Samba] Force set group id on samba domain member

Rowland Penny rpenny at samba.org
Wed Jul 25 07:19:34 UTC 2018


On Wed, 25 Jul 2018 00:12:17 +0200
Michal <Michal67M at seznam.cz> wrote:

> 2018-07-24 23:26 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> 
> > On Tue, 24 Jul 2018 22:50:16 +0200
> > Michal <Michal67M at seznam.cz> wrote:
> >
> > > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > > <samba at lists.samba.org>:
> > > >
> > > > Do the users have a gidNumber attribute containing the
> > > > gidNumber of the required group and if so, is the gidNumber
> > > > inside the range set in smb.conf and is the version of Samba >=
> > > > 4.6.0
> > >
> > > su - amistest
> > > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > > $ id
> > > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> >
> > Your ranges are really wrong, '100-9999' for the 'NIS' (and this is
> > a stupid name) range, but I think it shows something strange, if I
> > run 'id rowland' on a Unix domain member, I get:
> >
> 
>   Yes, I know, but the name came from "Nemocnicni Informacni System",
> which means "hospital information system" in Czech, many years ago..

I understand the problem, but have you ever heard of nis also known as
yellow pages or yp ;-)

> The user and group uid numbers were taken from our hp-ux, which was
> primary source of users and groups when we started with LDAP. The gid
> of 20 is "users" in hp-ux.

and 'users' is generally '100' on Linux

>   And  it was inserted into AD from LDAP during  "samba
> classicupgrade".
> 

I am beginning to hate 'classicupgrade', yes it upgrades you to an AD
domain, but it keeps all the mistakes of the past.

> 
> >
> > uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
> >
> > My 'idmap config' lines are similar to yours, but, as you can see,
> > the users 'gid' is 'gid=10000(domain users)', yours is
> > 'gid=20(games)', how is this possible ? '20' is outside the
> > '100-9999' range.
> >
> 
>   I forgot we have gid 20 :-(

Yes, but why is it being shown ? and why is it being shown as 'games' and
not 'users'.

what is in /etc/nsswitch.conf ?

> 
> 
> >
> > Do you have users & groups in AD and in /etc/passwd & /etc/group ?

You haven't answered this.

> >
> > What is the OS
> > What is the Active directory DC ?
> >
> >
>   It is linux, samba 4.8.3:

Yes, but what 'Linux' ?

> 
> [global]
>         netbios name = AD1
>         realm = UHN.NEMUH.CZ
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = NIS
>         idmap_ldb:use rfc2307 = yes
> 
> [netlogon]
>         path = /usr/local/samba.ad/var/locks/sysvol/uhn.nemuh.cz/scripts
>         read only = No
> 
> [sysvol]
>         path = /usr/local/samba.ad/var/locks/sysvol
>         read only = No
> 
> 

Yes, that is a vanilla smb.conf for when you are using Bind9, so I
suppose the next question is, how have you set up Bind9 and what
version is it.

Rowland
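
The check made by eye in the message above (a primary gid of 20 against the '100-9999' range, displayed under a local group name), written out as an added example that is not part of the original message or of Samba. The /etc/group sample is constructed, the 'id' line is shortened from the thread, and the function names are hypothetical.

```python
import re

NIS_RANGE = (100, 9999)  # range quoted in the thread for the 'NIS' domain

# Constructed sample of a local /etc/group; the real file is not shown in the thread.
LOCAL_GROUP = "root:x:0:\ngames:x:20:\nusers:x:100:\n"

# 'id' output from the thread, unwrapped onto one line and shortened.
THREAD_ID = (r"uid=6603(NIS\amistest) gid=20(games) groups=20(games),"
             r"513(NIS\domain users),2108(NIS\evis),10001(BUILTIN\users)")

FIELD = re.compile(r"\b(uid|gid|groups)=((?:\d+\([^)]*\),?)+)")
ENTRY = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id(line):
    """Split one line of 'id' output into {field: [(number, name), ...]}."""
    return {field: [(int(n), name) for n, name in ENTRY.findall(body)]
            for field, body in FIELD.findall(line)}


def local_gids(group_text):
    """Map gid -> group name from /etc/group formatted text."""
    gids = {}
    for row in group_text.splitlines():
        parts = row.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            gids[int(parts[2])] = parts[0]
    return gids


def audit(line, domain, id_range, group_text):
    """Flag a primary uid/gid outside the idmap range, and a primary gid
    whose displayed name is a local group instead of a DOMAIN\\group."""
    low, high = id_range
    local = local_gids(group_text)
    parsed = parse_id(line)
    findings = []
    for field in ("uid", "gid"):
        for number, name in parsed.get(field, []):
            if not low <= number <= high:
                findings.append(("out_of_range", field, number, name))
            if (field == "gid" and not name.startswith(domain + "\\")
                    and local.get(number) == name):
                findings.append(("local_group_name", field, number, name))
    return findings


if __name__ == "__main__":
    for finding in audit(THREAD_ID, "NIS", NIS_RANGE, LOCAL_GROUP):
        print(finding)
```
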




