[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

L.P.H. van Belle belle at bazuin.nl
Mon Aug 19 09:00:52 UTC 2019


First of all, I must say it is not very wise to have your NFS server on the AD-DC.

I do about the same but my NFS server is on a member. 

Have you configured /etc/nsswitch.conf ? 
If not, do that.

If you run : id username 
I see : uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users)
So my GID and Primary group id are the same. 

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Prunk Dump via samba
> Sent: Monday 19 August 2019 10:46
> To: samba at lists.samba.org
> Subject: [Samba] winbind on DC : how use gidNumber instead
> of primaryGroupID as user's primary group
> Hi Samba Team !
> My Samba AD DC server runs an NFSv4 server so I need correct RFC2307 id
> mapping between the server and the clients.
> On the client side it's very easy with the new smb.conf options :
> idmap config SAMDOM:unix_nss_info = yes
> idmap config SAMDOM:unix_primary_group = yes
> But on the server side winbind uses the gidNumber of the group
> corresponding to the user's primaryGroupID. Not the gidNumber
> directly.
> So all my users have their primary group set to "Domain Users" as I
> have set the "Domain Users" gidNumber as said in the documentation.
> How can I change this behavior ? On my NFSv4 shares all the files are
> owned by the "Domain Users" group instead of the correct user primary
> group.

I don't see anything incorrect here, it's just how you use it.
On my NFS the files are also owned by "domain users", exactly as I want.

If it's about rights on files/folders, use the other groups to allow access or deny access.
Use "domain users" to allow users to change files.

Does this help you a bit? 

> Thanks for help !
> Baptiste.


