[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
prunkdump at gmail.com
Mon Aug 19 10:13:00 UTC 2019
Le lun. 19 août 2019 à 11:01, L.P.H. van Belle via samba
<samba at lists.samba.org> a écrit :
> Fist of all, i must say it not very wise to have you NFS server on the AD-DC.
> I do about the same but my NFS server is on a member.
> Have you configured /etc/nsswitch.conf ?
> If not do that.
> If you run : id username
> I see : uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users)
> So my GID and Primary group id are the same.
This is a little bit off-thread but why it is not safe to run an NFSv4
server on a DC ? I know that with a samba file server you have some
restrictions like using only encrypted communication.
But the NFS services are mostly independent. Is this not safe only
because samba cannot give correct uid/gid mapping on DC ? And is this
case, is there any plan to make samba usable in this configuration ?
The fact that samba as DC cannot be used as file server is a strange
limitation no ? In the Windows server you don't have this problem. Is
there some plan to make this possible ?
I don't understand why this is so complicated. Samba use this winbind
"primaryGroupID" gid mapping for the rights on the SYSVOL share ?
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Prunk Dump via samba
> > Verzonden: maandag 19 augustus 2019 10:46
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] winbind on DC : how use gidNumber instead
> > of primaryGroupID as user's primary group
> > Hi Samba Team !
> > My Samba AD DC server run an NFSv4 server so I need correct RFC2307 id
> > mapping between the server and the clients.
> > On the client side it's very easy with the new smb.conf options :
> > idmap config SAMDOM:unix_nss_info = yes
> > idmap config SAMDOM:unix_primary_group = yes
> > But on the server side winbind use the gidNumber of the group
> > corresponding to the user's primaryGroupID. Not the gidNumber
> > directly.
> > So all my users have their primary group set to "Domain Users" as I
> > have set the "Domain Users" gidNumber as say in the documentation.
> > How can I change this behavior ? On my NFSv4 shares all the files are
> > owned by the "Domain Users" group instead of the correct user primary
> > group.
> I dont see any thing in correct here, its just how you use it.
> On my NFS the files are also owned by "domain users", exactly as i want.
> If its about rights on files/folders, use the other groups to allow access or deny access
> Use "domain users" to allow users to change files.
> Does this help you a bit?
You're right. But sometimes I use some special shares where users from
multiple groups can create files. And I only want that users from the
same group can see the content of the file each other.
I use the gid like on a classic Linux station folder.
> > Thanks for help !
> > Baptiste.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Last important thing. I use some script to manage my users from Linux.
As I can't use the "id" command to get the user gidNumber on DC :
What is the fastest command to get the user gidNumber value on a samba DC ?
Thanks again !!!
More information about the samba