[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

Mon Aug 19 10:13:00 UTC 2019

Le lun. 19 août 2019 à 11:01, L.P.H. van Belle via samba
<samba at lists.samba.org> a écrit :
>
> Hai,
>
> Fist of all, i must say it not very wise to have you NFS server on the AD-DC.
>
> I do about the same but my NFS server is on a member.
>
> Have you configured /etc/nsswitch.conf ?
> If not do that.
>
> If you run : id username
> I see : uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users)
> So my GID and Primary group id are the same.
>

This is a little bit off-thread but why it is not safe to run an NFSv4
server on a DC ? I know that with a samba file server you have some
restrictions like using only encrypted communication.

But the NFS services are mostly independent. Is this not safe only
because samba cannot give correct uid/gid mapping on DC ? And is this
case, is there any plan to make samba usable in this configuration ?

The fact that samba as DC cannot be used as file server is a strange
limitation no ? In the Windows server you don't have this problem. Is
there some plan to make this possible ?

I don't understand why this is so complicated. Samba use this winbind
"primaryGroupID" gid mapping for the rights on the SYSVOL share ?

>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Prunk Dump via samba
> > Verzonden: maandag 19 augustus 2019 10:46
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] winbind on DC : how use gidNumber instead
> > of primaryGroupID as user's primary group
> >
> > Hi Samba Team !
> >
> > My Samba AD DC server run an NFSv4 server so I need correct RFC2307 id
> > mapping between the server and the clients.
> >
> > On the client side it's very easy with the new smb.conf options :
> >
> > idmap config SAMDOM:unix_nss_info = yes
> > idmap config SAMDOM:unix_primary_group = yes
> >
> > But on the server side winbind use the gidNumber of the group
> > corresponding to the user's primaryGroupID. Not the gidNumber
> > directly.
> >
> > So all my users have their primary group set to "Domain Users" as I
> > have set the "Domain Users" gidNumber as say in the documentation.
> >
> > How can I change this behavior ? On my NFSv4 shares all the files are
> > owned by the "Domain Users" group instead of the correct user primary
> > group.
>
> I dont see any thing in correct here, its just how you use it.
> On my NFS the files are also owned by "domain users", exactly as i want.
>
> If its about rights on files/folders, use the other groups to allow access or deny access
> Use "domain users" to allow users to change files.
>
> Does this help you a bit?

You're right. But sometimes I use some special shares where users from
multiple groups can create files. And I only want that users from the
same group can see the content of the file each other.

I use the gid like on a classic Linux station folder.

>
> >
> > Thanks for help !
> >
> > Baptiste.
> >
>
>
> Greetz,
>
> Louis
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

Last important thing. I use some script to manage my users from Linux.
As I can't use the "id" command to get the user gidNumber on DC :

What is the fastest command to get the user gidNumber value on a samba DC ?

Thanks again !!!

Regards,

Baptiste.