[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

Rowland penny rpenny at samba.org
Mon Aug 19 10:36:42 UTC 2019

On 19/08/2019 11:13, Prunk Dump via samba wrote:
> Le lun. 19 août 2019 à 11:01, L.P.H. van Belle via samba
> <samba at lists.samba.org> a écrit :
> This is a little bit off-thread but why it is not safe to run an NFSv4
> server on a DC ? I know that with a samba file server you have some
> restrictions like using only encrypted communication.
> But the NFS services are mostly independent. Is this not safe only
> because samba cannot give correct uid/gid mapping on DC ? And is this
> case, is there any plan to make samba usable in this configuration ?
It isn't that it isn't safe, it is that authentication on a DC works 
differently to a Unix domain member, as you have found.
> The fact that samba as DC cannot be used as file server is a strange
> limitation no ? In the Windows server you don't have this problem. Is
> there some plan to make this possible ?
You can use a DC as a fileserver, you just have to put up with the 
limitations, one of which is that it works more like a Windows machine 
when it comes to authentication.
> I don't understand why this is so complicated. Samba use this winbind
> "primaryGroupID" gid mapping for the rights on the SYSVOL share ?
It isn't complicated, Windows expects every user to be a member of 
Domain Users, so a Samba AD DC complies with this.
> You're right. But sometimes I use some special shares where users from
> multiple groups can create files. And I only want that users from the
> same group can see the content of the file each other.
> I use the gid like on a classic Linux station folder.
If you are going to use a DC as a fileserver, then you cannot do this, 
use Windows ACLs instead.
> Last important thing. I use some script to manage my users from Linux.
> As I can't use the "id" command to get the user gidNumber on DC :
> What is the fastest command to get the user gidNumber value on a samba DC ?
Sounds like you haven't set up the libnss-winbind links, but when you 
do, don't be surprised if you get IDs in the '3000000' range


More information about the samba mailing list