[Samba] Fwd: Force set group id on samba domain member

Michal Michal67M at seznam.cz
Wed Jul 25 21:25:05 UTC 2018


2018-07-25 22:57 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 25 Jul 2018 22:40:25 +0200
> Michal via samba <samba at lists.samba.org> wrote:
>
> > ---------- Forwarded message ----------
> > From: Majkl Majkl <themajklthe at gmail.com>
> > Date: 2018-07-25 22:28 GMT+02:00
> > Subject: Re: [Samba] Force set group id on samba domain member
> > To: Rowland Penny <rpenny at samba.org>
> > Cc: "samba at lists.samba.org" <samba at lists.samba.org>
> >
> >
> > 2018-07-25 9:19 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Wed, 25 Jul 2018 00:12:17 +0200
> > > Michal <Michal67M at seznam.cz> wrote:
> > >
> > > > 2018-07-24 23:26 GMT+02:00 Rowland Penny via samba
> > > > <samba at lists.samba.org>:
> > > >
> > > > > On Tue, 24 Jul 2018 22:50:16 +0200
> > > > > Michal <Michal67M at seznam.cz> wrote:
> > > > >
> > > > > > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > > > > > <samba at lists.samba.org>:
> > > > > > >
> > > > > > > Do the users have a gidNumber attribute containing the
> > > > > > > gidNumber of the required group and if so, is the gidNumber
> > > > > > > inside the range set in smb.conf and is the version of
> > > > > > > Samba >= 4.6.0
> > > > > >
> > > > > > su - amistest
> > > > > > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > > > > > $ id
> > > > > > uid=6603(NIS\amistest) gid=20(games)
> > > > > > groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> > > > >
> > > > > Your ranges are really wrong, '100-9999' for the 'NIS' (and
> > > > > this is a stupid name) range, but I think it shows something
> > > > > strange, if I run 'id rowland' on a Unix domain member, I get:
> > > > >
> > > >
> > > >   Yes, I know, but the name came from "Nemocnicni Informacni
> > > > System", which means "hospital information system" in Czech, many
> > > > years ago.
> > >
> > > I understand the problem, but have you ever heard of nis also known
> > > as yellow pages or yp ;-)
> > >
> >
> >  Yes. That's why I agree it is a stupid name for a domain :-) But we
> > have been using the abbreviation for about 25 years, many years
> > before I found out that something like NIS/YP exists :-) Bad luck.
> > Yes, it is confusing for IT people, but users do not care and they
> > are used to it.
> >
> >
> > > > The user and group ID numbers were taken from our HP-UX, which
> > > > was the primary source of users and groups when we started with LDAP.
> > > > The gid of 20 is "users" in HP-UX.
> > >
> > > and 'users' is generally '100' on Linux
> > >
> > > >   And it was inserted into AD from LDAP during "samba
> > > > classicupgrade".
> > > >
> > >
> > > I am beginning to hate 'classicupgrade', yes it upgrades you to an
> > > AD domain, but it keeps all the mistakes of the past.
> > >
> > >
> > Maybe more checks or options in the classicupgrade process would prevent
> > keeping such mistakes?
> >
> >
> > >
> > > >
> > > > >
> > > > > uid=10000(rowland) gid=10000(domain users)
> > > > > groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
> > > > >
> > > > > My 'idmap config' lines are similar to yours, but, as you can
> > > > > see, the users 'gid' is 'gid=10000(domain users)', yours is
> > > > > 'gid=20(games)', how is this possible ? '20' is outside the
> > > > > '100-9999' range.
> > > > >
> > > >
> > > >   I forgot we have gid 20 :-(
> > >
> > > Yes, but why is it being shown? And why is it being shown as 'games'
> > > and not 'users'?
> > >
> > > What is in /etc/nsswitch.conf?
> > >
> >
> > Because of
> > passwd:   files winbind
> > group:    files winbind
> >
> > in nsswitch.conf (I believe I followed the Samba wiki)
> >
> > and there is games:20 in /etc/group
> >
> > I am talking about Linux DM (fileserver) configuration now, it is NOT
> > nsswitch.conf on AD DC.
> >
> > But as I have said, there is no real need for users in AD to have a
> > primary group of 20, I can change it to "Domain Users", if it helps.
> > (Ok, in this case, the next question will be how to do it for one
> > user from the command line, because I have 1000+ users, so no GUI mouse
> > clicking action wanted.)
> >
> >
> > >
> > > >
> > > >
> > > > >
> > > > > Do you have users & groups in AD and in /etc/passwd
> > > > > & /etc/group ?
> > >
> > > You haven't answered this.
> > >
> >
> > (Sorry, answered this in separate post too, ignore the answer there,
> > please.)
>
> >
> > > OK, let's try this, on a Linux machine, 0-999 is reserved for system
> > > users & groups, 1000 upwards is for normal users and groups. You then
> > > have users & groups in AD, these have RIDs that start at 1000 (but
> > > you can ignore the RIDs as far as Unix goes), to make the AD users
> > > and groups known to AD, you have to add uidNumber & gidNumber
> > > attributes.
> >
> >  All our AD users have both uidNumbers and gidNumbers according to our
> > HP-UX Unix. Users had originally been created on HP-UX. History and long
> > story.
> >
> > >
> > > So, what I was trying to get at was:
> > > Do you have any users or groups that are in /etc/passwd or /etc/group
> > > that are also in AD ?
> > > e.g. is user 'fred' also in AD ?
> >
> > I am not 100% sure, because I have not checked local passwd vs AD
> > user unix attributes, but AFAIK domain users' ID numbers and usernames
> > are only in AD. They should be only in AD, I do not intend to
> > have AD users in local system files.
> >
> >
> >
> > > > >
> > > > > What is the OS
> > > > > What is the Active directory DC ?
> > > > >
> > > > >
> > > >   It is Linux, Samba 4.8.3:
> > >
> > > Yes, but what 'Linux' ?
> > >
> > >
> > [root at ad1 ~]# uname -a
> > Linux ad1 3.10.0-862.6.3.el7.x86_64 #1 SMP Tue Jun 26 16:32:21 UTC
> > 2018 x86_64 x86_64 x86_64 GNU/Linux
> > [root at ad1 ~]# cat /etc/centos-release
> > CentOS Linux release 7.5.1804 (Core)
> >
> > [root at samba4 ~]# uname -a
> > Linux samba4 3.10.0-862.6.3.el7.x86_64 #1 SMP Tue Jun 26 16:32:21 UTC
> > 2018 x86_64 x86_64 x86_64 GNU/Linux
> > [root at samba4 ~]# cat /etc/centos-release
> > CentOS Linux release 7.5.1804 (Core)
> >
> > Both AD DC (ad1) and DM (samba4) run the identical OS. In fact, I
> > created both of them from a template in our VMware and I did not bother
> > about which CentOS version it is. I did not think it might matter.
> >
> >
> > > >
> > > > [global]
> > > >         netbios name = AD1
> > > >         realm = UHN.NEMUH.CZ
> > > >         server role = active directory domain controller
> > > >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > > >         workgroup = NIS
> > > >         idmap_ldb:use rfc2307 = yes
> > > >
> > > > [netlogon]
> > > >         path = /usr/local/samba.ad/var/locks/sysvol/uhn.nemuh.cz/scripts
> > > >         read only = No
> > > >
> > > > [sysvol]
> > > >         path = /usr/local/samba.ad/var/locks/sysvol
> > > >         read only = No
> > > >
> > > >
> > >
> > > Yes, that is a vanilla smb.conf for when you are using Bind9, so I
> > > suppose the next question is, how have you set up Bind9 and what
> > > version is it?
> > >
> > >
> > Yes, I believe I copied it from the Samba wiki and I did my best to
> > follow it (the Samba wiki) for the BIND configuration too. DNS resolving
> > seems to be working and newly added machines are inserted into the AD DNS
> > zone.
> >
> > bind.x86_64    32:9.9.4-61.el7    @base
> >
> > Thank you very much for your interest and patience, really :-)
> >
> > Michal
> >
> >
> >
> > > Rowland
> > >
> > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
> > >
>
> I am getting a bit confused here, two people seem to be responding, but
> I get the feeling they are the same person. If so, can you stick to one
> email address and username please ;-)
>

I am sorry, I have been responding from Google mail for a few days, because it
came to me that seznam.cz mail formatting of replies makes posts unreadable.
I have another mail account set up here at Google, but I should not forget to
change the From: address. And I forget to do this sometimes :-)


>
> Let me ask my question re /etc/passwd & /etc/group and AD in another
> way. Do you have the same ID numbers in /etc/passwd & /etc/group as in
> the AD uidNumber & gidNumber attributes ?
>

I will check it tomorrow but I hope the gid 20 is the only ID which
collides. If there are duplicate IDs, I will make them unique (somehow).
They should not be the same.


>
> I am trying to understand how the user you referenced with 'id' had the
> primary group '20' when the DOMAIN range you have in smb.conf starts at
> '100'. This very fact is hard to understand because winbind should
> ignore everything outside the range.
>


I am not sure if I get what you mean...

# su - amistest
Last login: Tue Jul 24 22:48:18 CEST 2018 on pts/4
-bash-4.2$ id
uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)

It is "gid=20(games)", not "gid=20(NIS\games)". gid 20 (games) comes from the
OS-local /etc/group. It seems to me to be exactly what I would expect.
Winbind did not do domain name translation of group 20, because it is not
within the domain range; that's OK, isn't it?

Michal



>
> Rowland
>
>
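One way to run the check Rowland asks for above (do the AD uidNumber/gidNumber values collide with entries in /etc/passwd or /etc/group on the member, and do they fall inside the 'idmap config' range), as an added example that is not part of this thread. The local and AD records below are constructed sample data; on a real member they would be taken from /etc/passwd, /etc/group and an LDAP query of the DC (e.g. ldbsearch), and the 100-9999 range is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the uidNumber/gidNumber
# values stored in AD against a domain member's local /etc/passwd and
# /etc/group, and against the 'idmap config DOMAIN : range' from smb.conf.
# An AD ID outside the range is one winbind will not map; an ID that
# collides with a local entry is one NSS 'files' answers before winbind.

# Constructed excerpts (not real data); on a real member take them from
# /etc/passwd and /etc/group, and pull the AD side with e.g. ldbsearch.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
michal:x:1000:1000:Michal:/home/michal:/bin/bash'
LOCAL_GROUP='root:x:0:
games:x:20:
users:x:100:
michal:x:1000:'
# sAMAccountName:uidNumber:gidNumber
AD_USERS='amistest:6603:20
novak:1000:513
petr:2500:513'
# name:gidNumber
AD_GROUPS='domain users:513
evis:2108
users:100'

# check_ids LOW HIGH: print one line per problem found (nothing if clean).
check_ids() {
  {
    printf '%s\n' "$LOCAL_PASSWD" | sed 's/^/lp:/'
    printf '%s\n' "$LOCAL_GROUP"  | sed 's/^/lg:/'
    printf '%s\n' "$AD_USERS"     | sed 's/^/au:/'
    printf '%s\n' "$AD_GROUPS"    | sed 's/^/ag:/'
  } | awk -F: -v low="$1" -v high="$2" '
    function inrange(n) { return n+0 >= low+0 && n+0 <= high+0 }
    $1 == "lp" { luser[$4] = $2; next }    # local uid -> user name
    $1 == "lg" { lgroup[$4] = $2; next }   # local gid -> group name
    $1 == "au" {
      if ($3 in luser)  printf "USER %s uidNumber=%s collides with local user \"%s\"\n", $2, $3, luser[$3]
      if (!inrange($3)) printf "USER %s uidNumber=%s outside idmap range %s-%s\n", $2, $3, low, high
      if ($4 in lgroup) printf "USER %s gidNumber=%s collides with local group \"%s\"\n", $2, $4, lgroup[$4]
      if (!inrange($4)) printf "USER %s gidNumber=%s outside idmap range %s-%s\n", $2, $4, low, high
      next
    }
    $1 == "ag" {
      if ($3 in lgroup) printf "GROUP %s gidNumber=%s collides with local group \"%s\"\n", $2, $3, lgroup[$3]
      if (!inrange($3)) printf "GROUP %s gidNumber=%s outside idmap range %s-%s\n", $2, $3, low, high
    }'
}

check_ids 100 9999   # the 'NIS' range quoted in the thread
```

With the sample data the amistest user is reported twice (gidNumber 20 is both outside the range and already taken by the local 'games' group), which is exactly the combination that makes 'id' print gid=20(games) instead of a domain group.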

