[Samba] 10 minutes between primary group change and effect on Fedora 27

Rowland Penny rpenny at samba.org
Tue Mar 27 15:15:04 UTC 2018

On Tue, 27 Mar 2018 08:46:00 -0600
Jeff Sadowski via samba <samba at lists.samba.org> wrote:

> My smb.conf looks like so.
> [global]
>    security = ads
>    realm = MIND.UNM.EDU
>    workgroup = MIND
>    idmap config * : backend = tdb
>    idmap config * : range = 2000-7999
>    idmap config MIND:backend = ad
>    idmap config MIND:schema_mode = rfc2307
>    idmap config MIND:range = 8000-9999999
>    idmap config MIND:unix_nss_info = yes
>    winbind use default domain = yes
>    restrict anonymous = 2
> I have a user jefftest.
> I found that to set the primary group that user needs to be in that
> group.
> If I set the group of jefftest to a new group (both in the UNIX
> attributes tab and in the Member Of tab) using Active Directory Users
> and Computers.
> Then I test the user using ldapsearch against each domain controller
> and they all have the new values according to ldapsearch in gidNumber.
> Then I log in with jefftest on my joined Fedora 27 machine using
> winbind 4.7.6 as jefftest and run id.
> It still shows the old group.
> So I log out as jefftest and in as root and run

I think you are mixing up group membership and the user's primary group.
When you run 'getent group username', what is returned is the username
and the user's primary group,
e.g. getent passwd rowland

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

The first number is the user's uidNumber, the second is the gidNumber of
the user's primary group, in this case Domain Users.

All users, by default, get the gidNumber of Domain Users. If you want
the user to have a different primary group, you need to give the user a
gidNumber attribute containing the gidNumber of the required group AND
add this line to smb.conf:

idmap config MIND:unix_primary_group = yes

This will only work from Samba 4.6.0 onwards.

Just in case you are trying to have user private groups with the same
name as the user: well, you cannot, it isn't allowed.
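An added example, not part of the list post and not Samba's own tooling: a small POSIX shell check that reads smb.conf text, tells you whether the per-domain unix_primary_group setting the reply asks for is present, and pulls the gid field out of a getent passwd line so it can be compared with the gidNumber you saw in ldapsearch. The smb.conf text is the one from the question (with and without the extra line), and the passwd line and LDAP gidNumber are constructed samples.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): check an smb.conf for
# "idmap config DOMAIN:unix_primary_group = yes" and compare the gid that
# the NSS passwd entry reports with the gidNumber stored in AD.

# Read smb.conf text on stdin; drop comments and blank lines, then print one
# "domain:key=value" line (lower-cased, spaces removed) per idmap setting.
# This tolerates both "MIND:backend" and "MIND : backend" spellings.
normalize_idmap() {
    sed -e 's/[;#].*//' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' |
    awk -F' *= *' '/^idmap config/ {
        name = $1
        sub(/^idmap config[[:space:]]*/, "", name)
        gsub(/[[:space:]]/, "", name)
        print tolower(name) "=" tolower($2)
    }'
}

# Return 0 when unix_primary_group = yes is set for $1, 1 otherwise.
has_unix_primary_group() {
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    normalize_idmap | grep -qx "${domain}:unix_primary_group=yes"
}

# Print the gid field (4th colon-separated field) of a passwd(5) line,
# i.e. the primary group that "id" will report for the user.
passwd_gid() {
    printf '%s\n' "$1" | cut -d: -f4
}

# Return 0 when the passwd line's gid equals the gidNumber from AD.
gid_matches_ldap() {
    [ "$(passwd_gid "$1")" = "$2" ]
}

# Constructed sample: the smb.conf from the question, without the line.
SMBCONF_BEFORE='[global]
   security = ads
   realm = MIND.UNM.EDU
   workgroup = MIND
   idmap config * : backend = tdb
   idmap config * : range = 2000-7999
   idmap config MIND:backend = ad
   idmap config MIND:schema_mode = rfc2307
   idmap config MIND:range = 8000-9999999
   idmap config MIND:unix_nss_info = yes
   winbind use default domain = yes
   restrict anonymous = 2'

# The same file with the setting the reply recommends.
SMBCONF_AFTER="$SMBCONF_BEFORE
   idmap config MIND:unix_primary_group = yes"

# Constructed passwd line and AD gidNumber (the 10000 values mirror the
# shape of the getent example in the reply; 10005 is a made-up new group).
PASSWD_LINE='rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash'
LDAP_GIDNUMBER=10005

for label in BEFORE AFTER; do
    eval "conf=\$SMBCONF_$label"
    if printf '%s\n' "$conf" | has_unix_primary_group MIND; then
        echo "$label: unix_primary_group is set, gidNumber from AD is honoured"
    else
        echo "$label: unix_primary_group missing, id reports the Domain Users gid"
    fi
done

if gid_matches_ldap "$PASSWD_LINE" "$LDAP_GIDNUMBER"; then
    echo "NSS gid matches AD gidNumber"
else
    echo "NSS gid $(passwd_gid "$PASSWD_LINE") differs from AD gidNumber $LDAP_GIDNUMBER"
fi
```

Run it against a real host by replacing the constructed smb.conf text with `cat /etc/samba/smb.conf` and the passwd line with `getent passwd jefftest`; the gidNumber side still has to come from your own ldapsearch, as in the question.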
