[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

Rowland penny rpenny at samba.org
Mon Aug 19 09:07:19 UTC 2019

On 19/08/2019 09:45, Prunk Dump via samba wrote:
> Hi Samba Team!
> My Samba AD DC server runs an NFSv4 server so I need correct RFC2307 id
> mapping between the server and the clients.
> On the client side it's very easy with the new smb.conf options:
> idmap config SAMDOM:unix_nss_info = yes
> idmap config SAMDOM:unix_primary_group = yes
> But on the server side winbind uses the gidNumber of the group
> corresponding to the user's primaryGroupID. Not the gidNumber
> directly.
> So all my users have their primary group set to "Domain Users" as I
> have set the "Domain Users" gidNumber as said in the documentation.
> How can I change this behavior? On my NFSv4 shares all the files are
> owned by the "Domain Users" group instead of the correct user primary
> group.
> Thanks for help!
> Baptiste.

This is one of the reasons why you shouldn't use a DC as a fileserver, 
you cannot do what you require safely.

The only way to do what you require is to replace your users' 
primaryGroupID contents with the required group's gidNumber, but this 
will break Windows because Windows expects all users to be a member of 
Domain Users.

I think the best idea is to work around this problem or use a Unix 
domain member as a fileserver ;-)
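
Added example, not part of the original thread and not Samba code: a small Python audit that compares the two primary-group resolutions discussed above, the DC behaviour as described in the question (gidNumber of the group matching primaryGroupID) and the domain-member behaviour with `unix_primary_group = yes` (the user's own gidNumber). The domain SID, accounts, groups and GID values are constructed, and the function names are hypothetical; in practice the records would come from an LDAP export.

```python
# Constructed sample directory data (not taken from the thread).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUPS = [
    {"cn": "Domain Users", "objectSid": DOMAIN_SID + "-513", "gidNumber": 10000},
    {"cn": "teachers", "objectSid": DOMAIN_SID + "-1105", "gidNumber": 10010},
    {"cn": "students", "objectSid": DOMAIN_SID + "-1106", "gidNumber": 10020},
]
USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": 513, "gidNumber": 10010},
    {"sAMAccountName": "bob", "primaryGroupID": 513, "gidNumber": 10020},
    {"sAMAccountName": "carol", "primaryGroupID": 513, "gidNumber": 10000},
    {"sAMAccountName": "dave", "primaryGroupID": 513},  # no gidNumber set
    {"sAMAccountName": "erin", "primaryGroupID": 513, "gidNumber": 10099},
]

def rid(sid):
    """Return the relative identifier (last sub-authority) of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def gid_via_primary_group(user, groups):
    """DC behaviour described in the thread: gidNumber of the group whose
    RID equals the user's primaryGroupID."""
    for group in groups:
        if rid(group["objectSid"]) == user["primaryGroupID"]:
            return group.get("gidNumber")
    return None

def gid_via_user_attribute(user):
    """Member behaviour with unix_primary_group = yes: the user's gidNumber."""
    return user.get("gidNumber")

def audit(users, groups):
    """Return (account, gid on DC, gid on member, status) for every user."""
    known_gids = {g["gidNumber"] for g in groups if "gidNumber" in g}
    findings = []
    for user in users:
        dc_gid = gid_via_primary_group(user, groups)
        member_gid = gid_via_user_attribute(user)
        if member_gid is None:
            status = "missing-gidNumber"    # nothing to read on the member side
        elif member_gid not in known_gids:
            status = "dangling-gidNumber"   # no group carries this gidNumber
        elif member_gid != dc_gid:
            status = "differs"              # group ownership differs per host
        else:
            status = "same"
        findings.append((user["sAMAccountName"], dc_gid, member_gid, status))
    return findings

if __name__ == "__main__":
    for row in audit(USERS, GROUPS):
        print("%-6s dc=%s member=%s %s" % row)
```

Accounts reported as `differs` are the ones whose files would get a different group owner depending on whether they are written through the DC or through a domain member.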

