[Samba] Force set group id on samba domain member

Rowland Penny rpenny at samba.org
Wed Jul 25 19:44:34 UTC 2018


On Wed, 25 Jul 2018 21:30:36 +0200
Michal <Michal67M at seznam.cz> wrote:

> 2018-07-25 18:47 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> 
> > On Wed, 25 Jul 2018 07:09:39 +0200
> > Michal <Michal67M at seznam.cz> wrote:
> >
> > > 2018-07-24 23:26 GMT+02:00 Rowland Penny via samba
> > > <samba at lists.samba.org>:
> > >
> > > > On Tue, 24 Jul 2018 22:50:16 +0200
> > > > Michal <Michal67M at seznam.cz> wrote:
> > > >
> > > > > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > > > > <samba at lists.samba.org>:
> > > > > >
> > > > > > Do the users have a gidNumber attribute containing the
> > > > > > gidNumber of the required group and if so, is the gidNumber
> > > > > > inside the range set in smb.conf and is the version of
> > > > > > > Samba >= 4.6.0?
> > > > >
> > > > > su - amistest
> > > > > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > > > > $ id
> > > > > > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> > > >
> > > > Your ranges are really wrong, '100-9999' for the 'NIS' (and
> > > > this is a stupid name) range, but I think it shows something
> > > > strange, if I run 'id rowland' on a Unix domain member, I get:
> > > >
> > > > uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
> > > >
> > > > My 'idmap config' lines are similar to yours, but, as you can
> > > > see, the user's 'gid' is 'gid=10000(domain users)', yours is
> > > > 'gid=20(games)', how is this possible? '20' is outside the
> > > > '100-9999' range.
> > > >
> > >
> > > I believe I can change primary group of all (normal, not admin)
> > > users to "domain users" in AD and I can delete group 20, but I
> > > would not expect this helps with the problem.
> > >
> > > Michal
> > >
> > >
> > >
> > > >
> > > > Do you have users & groups in AD and in /etc/passwd
> > > > & /etc/group ?
> >
> > You have never answered the above question and until you do, I
> > cannot offer further help.
> >
> >
> Well, I do not understand the question. Of course I have users and
> groups both in AD and in system files. There are OS specific users
> and groups in the system files and there are AD users and groups in
> AD. AD users and groups are not in the system files.
> 

OK, let's try this: on a Linux machine, 0-999 is reserved for system
users & groups, 1000 upwards is for normal users and groups. You then
have users & groups in AD, these have RIDs that start at 1000 (but you
can ignore the RIDs as far as Unix goes), to make the AD users and
groups known to AD, you have to add uidNumber & gidNumber attributes.

So, what I was trying to get at was:
Do you have any users or groups that are in /etc/passwd or /etc/group
that are also in AD?
e.g. is user 'fred' also in AD?

Rowland
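
The checks discussed in this message can be scripted. The following is an added example, not part of the original post and not Samba code: it flags names that exist both locally and in AD, AD ID numbers that fall outside the idmap range or are shared with a local entry, and an idmap range that reaches into the 0-999 system block. The sample data, the `AD_GROUPS` dict and the function names are constructed for illustration; only the '100-9999' range and the 0-999 boundary come from the thread.

```python
SYSTEM_MAX = 999  # 0-999 is reserved for system users & groups (per the message above)

# Constructed sample data, not taken from the poster's machines.
LOCAL_GROUP = """\
root:x:0:
games:x:20:
fred:x:1000:
"""
AD_GROUPS = {"domain users": 513, "evis": 2108, "fred": 10005, "legacy": 20}
IDMAP_RANGE = (100, 9999)  # the '100-9999' range quoted in the thread


def parse_ids(text):
    """Parse /etc/passwd or /etc/group style text into {name: numeric id}."""
    ids = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[fields[0].lower()] = int(fields[2])
    return ids


def audit(local, ad, idmap_range):
    """Return sorted (kind, detail) findings for local/AD identity conflicts."""
    low, high = idmap_range
    local_by_id = {num: name for name, num in local.items()}
    findings = []
    if low <= SYSTEM_MAX:
        # The idmap range can hand out IDs that local system accounts already use.
        findings.append(("range-overlaps-system-ids", f"{low}-{high}"))
    for name, num in ad.items():
        if name.lower() in local:
            findings.append(("name-in-both", name))
        if not low <= num <= high:
            findings.append(("id-outside-idmap-range", name))
        if num in local_by_id:
            # Same number, two owners: lookups by ID resolve to the local name.
            findings.append(("id-shared-with-local", f"{name}={local_by_id[num]}"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit(parse_ids(LOCAL_GROUP), AD_GROUPS, IDMAP_RANGE):
        print(f"{kind}: {detail}")
```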



