[Samba] Force set group id on samba domain member
rpenny at samba.org
Wed Jul 25 07:19:34 UTC 2018
On Wed, 25 Jul 2018 00:12:17 +0200
Michal <Michal67M at seznam.cz> wrote:
> 2018-07-24 23:26 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > On Tue, 24 Jul 2018 22:50:16 +0200
> > Michal <Michal67M at seznam.cz> wrote:
> > > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > > <samba at lists.samba.org>:
> > > >
> > > > Do the users have a gidNumber attribute containing the
> > > > gidNumber of the required group and if so, is the gidNumber
> > > > inside the range set in smb.conf and is the version of Samba >=
> > > > 4.6.0
> > >
> > > su - amistest
> > > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > > $ id
> > > uid=6603(NIS\amistest) gid=20(games)
> > > groups=20(games),513(NIS\domain
> > > users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(
> > NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\
> > pacs_diagnostik),10001(BUILTIN\users)
> > Your ranges are really wrong, '100-9999' for the 'NIS' (and this is
> > a stupid name) range, but I think it shows something strange, if I
> > run 'id rowland' on a Unix domain member, I get:
> Yes, I know, but the name came from "Nemocnicni Informacni System",
> which means "hospital information system" in Czech, many years ago..
I understand the problem, but have you ever heard of nis also known as
yellow pages or yp ;-)
> The user and group uid numbers was taken from our hp-ux, which was
> primary source of users and groups when we started with LDAP. The gid
> of 20 is "users" in hp-ux.
and 'users' is generally '100' on Linux
> And it was inserted into AD from LDAP during "samba
I am beginning to hate 'classicupgrade', yes it upgrades you to an AD
domain, but it keeps all the mistakes of the past.
> > uid=10000(rowland) gid=10000(domain users) groups=10000(domain
> > users),102(netdev),1001(unixtest),10002(unixgroup),
> > 10010(group12),10024(unix
> > admins),10004(testgroup),10011(printeradmin),2001(
> > BUILTIN\users),2000(BUILTIN\administrators)
> > My 'idmap config' lines are similar to yours, but, as you can see,
> > the users 'gid' is 'gid=10000(domain users)', yours is
> > 'gid=20(games)', how is this possible ? '20' is outside the
> > '100-9999' range.
> I forgot we have gid 20 :-(
Yes, but why is it being shown ? and why is being shown as 'games' and
what is in /etc/nsswitch.conf ?
> > Do you have users & groups in AD and in /etc/passwd & /etc/group ?
You haven't answered this.
> > What is the OS
> > What is the Active directory DC ?
> It is linux, samba 4.8.3:
Yes, but what 'Linux' ?
> netbios name = AD1
> realm = UHN.NEMUH.CZ
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = NIS
> idmap_ldb:use rfc2307 = yes
> = /usr/local/samba.ad/var/locks/sysvol/uhn.nemuh.cz/scripts read only
> = No
> path = /usr/local/samba.ad/var/locks/sysvol
> read only = No
Yes, that is a vanilla smb.conf for when you are using Bind9, so I
suppose the next question is, how have you set up Bind9 and what
version is it.
More information about the samba