[Samba] Fwd: Force set group id on samba domain member

Michal Michal67M at seznam.cz
Thu Jul 26 11:21:50 UTC 2018


2018-07-26 12:52 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Thu, 26 Jul 2018 10:49:17 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > 2018-07-26 9:16 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Wed, 25 Jul 2018 23:25:05 +0200
> > > Michal <Michal67M at seznam.cz> wrote:
> > >
> > > > I do not know if I get what you mean.
> > > >
> > > > # su - amistest
> > > > Last login: Tue Jul 24 22:48:18 CEST 2018 on pts/4
> > > > -bash-4.2$ id
> > > > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> > > >
> > > > It is "gid=20(games)", not "gid=20(NIS\games)". gid 20 games
> > > > comes from the OS local /etc/group. It seems to me to be exactly what
> > > > I would have expected. Winbind did not do domain name translation of
> > > > group 20, because it is not within the domain range; that's OK, isn't
> > > > it?
> > > >
> > >
> > > What I am trying to get at is, the user's primary group should come
> > > from AD, yours appears to be coming from /etc/group, this is what I
> > > do not understand.
> > >
> > >
> > I think it works this way:
> > Primary group of users on HP-UX is "users", with gidnumber 20.  Users
> > in LDAP NT4 domain were/are being created with HP-UX unix attributes.
> > This number 20 is users' primary group id in our LDAP with
> > "users-nis" group name (yes, I know, it's a stupid name). This was
> > inserted into AD via classicupgrade. Common users in AD have UNIX
> > primary group attribute id=20,
>
> Are you saying that your AD users' primaryGroupID attribute has been
> changed to '20' from '513'?
>

Hmm.. I do not think so.

ad1# pdbedit -L -v amistest
Unix username:        amistest
NT username:
Account Flags:        [U          ]
User SID:             S-.....-14206
Primary Group SID:    S....-513
Full Name:            amistest
Home Directory:
HomeDir Drive:        (null)
Logon Script:
Profile Path:
Domain:
Account desc:         Amistest Amistest
Workstations:
Munged dial:
Logon time:           Wed, 25 Jul 2018 07:27:31 CEST
Logoff time:          0
Kickoff time:         Thu, 14 Sep 30828 04:48:05 CEST
Password last set:    Tue, 03 Jul 2018 14:44:32 CEST
Password can change:  Tue, 03 Jul 2018 14:44:32 CEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So the DOMAIN primary group of the user is -513, Domain Users. The Domain Users
UNIX gid is 513.
But the UNIX attribute "Primary group name/id" of the user amistest is
"users-nis", which is 20.

Michal


>
> > what is displayed as "users-nis" in e.g. the
> > RSAT GUI in domain users. The gid number 20 is gotten from AD on
> > Linux DM, but because 20 is out of range for domain, nslookup (or
> > whatever it is) displays group name from local /etc/group, which is
> > "games".
>
> It sounds like it has been.
>
> Rowland
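The situation discussed in this thread, a domain user whose UNIX primary gid (20) lies outside the member's idmap range and therefore shows up under the local /etc/group name, can be checked for across all users. The following is an added example, not part of the original messages; the idmap range 500-9999, the second user and the home/shell fields are constructed assumptions, since the thread does not show smb.conf.

```python
"""Flag domain users whose UNIX primary gid is outside the idmap range."""
from typing import Dict, List, NamedTuple, Optional, Tuple

# Assumption: the domain's idmap range on the member (not shown in the thread).
IDMAP_RANGE = (500, 9999)

# Constructed sample input in /etc/group and `getent passwd` formats.
# uid 6603 / gid 20 / "games" are the values quoted in the thread.
ETC_GROUP = """\
root:x:0:
games:x:20:
audio:x:63:
"""
GETENT_PASSWD = """\
NIS\\amistest:*:6603:20::/home/NIS/amistest:/bin/bash
NIS\\other:*:6604:513::/home/NIS/other:/bin/bash
"""

class Finding(NamedTuple):
    user: str
    gid: int
    local_group: Optional[str]  # local group that owns this gid, if any

def parse_group(text: str) -> Dict[int, str]:
    """Map gid -> first group name found, skipping malformed lines."""
    groups: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            groups.setdefault(int(fields[2]), fields[0])
    return groups

def audit(passwd_text: str, group_text: str,
          idmap_range: Tuple[int, int] = IDMAP_RANGE) -> List[Finding]:
    """Return users whose primary gid falls outside idmap_range."""
    low, high = idmap_range
    local = parse_group(group_text)
    findings = []
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[3].isdigit():
            continue
        gid = int(fields[3])
        if not low <= gid <= high:
            findings.append(Finding(fields[0], gid, local.get(gid)))
    return findings

if __name__ == "__main__":
    for f in audit(GETENT_PASSWD, ETC_GROUP):
        owner = f.local_group or "no local group"
        print(f"{f.user}: primary gid {f.gid} outside idmap range -> {owner}")
```

A finding with a local group name means files the domain user creates are group-owned by that local group, so its local members share group access to them.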