[Samba] 10 minutes between primary group change and effect on Fedora 27

Jeff Sadowski jeff.sadowski at gmail.com
Tue Mar 27 15:36:49 UTC 2018

On Tue, Mar 27, 2018 at 9:15 AM, Rowland Penny <rpenny at samba.org> wrote:
> On Tue, 27 Mar 2018 08:46:00 -0600
> Jeff Sadowski via samba <samba at lists.samba.org> wrote:
>> My smb.conf looks like so.
>> [global]
>>    security = ads
>>    realm = MIND.UNM.EDU
>>    workgroup = MIND
>>    idmap config * : backend = tdb
>>    idmap config * : range = 2000-7999
>>    idmap config MIND:backend = ad
>>    idmap config MIND:schema_mode = rfc2307
>>    idmap config MIND:range = 8000-9999999
>>    idmap config MIND:unix_nss_info = yes
>>    winbind use default domain = yes
>>    restrict anonymous = 2
>> I have a user jefftest.
>> I found that to set the primary group that user needs to be in that
>> group.
>> If I set the group of jefftest to a new group (both in the UNIX
>> attributes tab and in the Member Of tab) using Active Directory Users
>> and Computers.
>> Then I test the user using ldapsearch against each domain controller
>> and they all have the new values according to ldapsearch in gidNumber.
>> Then I login with jefftest on my joined fedora 27 machine using
>> winbind 4.7.6 as jefftest and run id.
>> It still shows the old group.
>> So I log out as jefftest and in as root and run
> I think you are mixing up group membership and the users primary group,
> when you run 'getent group username' what is returned is the username
> and the users primarygroup
> e.g. getent passwd rowland
> Returns:
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> The first number is the users uidNumber, the second is the gidNumber of
> the users primarygroup, in this case Domain Users.
> All users, by default, get the gidNumber of Domain Users, if you want
> the user to have a different primarygroup, you need to give the user a
> gidNumber attribute containing the gidNumber of the required group AND
> add this line to smb.conf:
> idmap config MIND:unix_primary_group = yes
OK I added this line
Is that not the default behavior? It seemed to work after ten minutes
like I wanted. I just wanted to speed up by flushing the cache or
> This will only work from Samba 4.6.0
Did you mean 4.6.0 and greater?
> Just in case you are trying to have user private groups with the same
> name as the user, well, you cannot, it isn't allowed.
I'm switching between jeff_write_group and jeffs_general_group so this
isn't the issue. AD wouldn't let me do that anyways.
> Rowland

I added the debug line as L.P.H. van Belle had suggested too.

> getent passwd jefftest
jefftest:*:11507:31026:Jeff Test:/na/homes/jefftest:/bin/bash

when I just switched the gidNumber to

and verified using ldapsearch against all my dc's and I tried a "net
cache flush"

the log files may have info in them but I'm not sure what to look for
or how to post them. I think attachments are removed by the list.

And after 10 minutes getent now shows the same.
Seems that adding the

idmap config MIND:unix_primary_group = yes

nothing has noticeably changed.

More information about the samba mailing list