[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

L.P.H. van Belle belle at bazuin.nl
Tue Aug 20 09:29:03 UTC 2019



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Prunk Dump via samba
> Sent: Tuesday 20 August 2019 10:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind on DC : how use gidNumber 
> instead of primaryGroupID as user's primary group
> 
> On Mon, 19 Aug 2019 at 12:37, Rowland penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On 19/08/2019 11:13, Prunk Dump via samba wrote:
> > > Last important thing. I use some scripts to manage my users from Linux.
> > > As I can't use the "id" command to get the user gidNumber on DC :

Why not? I see this on my DCs. (Debian Buster, samba 4.10.6 with AD backends.)

id username ( samba domain user)
uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000030(NTDOM\Allow-rdp),3000315(NTDOM\Allow-monitoring),3000009(BUILTIN\users)

# change $2 to $3 and get the output of groups. 
time id username |awk -F"=" '{ print $2 }'|cut -d"(" -f1
10002

real    0m0.051s
user    0m0.002s
sys     0m0.005s

time /usr/bin/id username |/usr/bin/awk -F"=" '{ print $2 }'|/usr/bin/cut -d"(" -f1
10002

real    0m0.050s
user    0m0.007s
sys     0m0.000s

So with or without the path does not make much of a difference.


SAMBA_BIN=$(which samba)
LDBDB="$(${SAMBA_BIN} -b | grep PRIVATE_DIR | sed 's/\ //g' | awk -F":" '{print $2}')/sam.ldb"
DN="$(ldbsearch -H "${LDBDB}" -b "" -s base defaultNamingContext | grep 'defaultNamingContext' | sed 's|defaultNamingContext: ||')"

time ldbsearch -H "${LDBDB}" -b "OU=YourUSERS,${DN}" -s sub '(CN=SEARCHSTRING)' gidNumber | grep gidNumber | sed 's/gidNumber: //'
10000

real    0m0.621s
user    0m0.599s
sys     0m0.023s

So I would go for the first, as it is at least 10x faster here.


Greetz, 

Louis


> > >
> > > What is the fastest command to get the user gidNumber value on a samba DC ?
> > >
> > Sounds like you haven't set up the libnss-winbind links, but when you
> > do, don't be surprised if you get IDs in the '3000000' range
> >
> > Rowland
> 
> Sorry, I didn't formulate my question very well. Libnss-winbind is well
> configured on my DC. But:
> 
> In some of my scripts I need to get the user's "gidNumber" attribute
> value. As on a DC winbind always gives "Domain Users" as gid, I can't use
> the "id" or "wbinfo" command to get the "gidNumber" attribute value.
> So my question is: is there a faster equivalent of this command:
> 
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> a_base_dn_that_contain_all_my_users '(cn=myusername)' gidNumber | grep
> gidNumber | sed 's/gidNumber: //'
> 
> Is there a samba command to get a user's LDAP attribute values
> as fast as possible?
> 
> Regards,
> 
> Baptiste.
> 
> 
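The ldbsearch lookup discussed in this thread, wrapped for use from a management script; this is an added example, not code from either poster or from Samba. The function names and the sample LDIF are assumptions made for illustration: the user name is escaped per RFC 4515 before it goes into the `(cn=...)` filter, and the result is rejected unless exactly one numeric gidNumber comes back.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not Samba commands.

# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash first, then * ( ) so a name cannot widen or rewrite the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  -e 's/)/\\29/g'
}

# Read ldbsearch LDIF on stdin; print gidNumber only if exactly one
# numeric value was returned, otherwise fail (no match or ambiguous match).
gidnumber_from_ldif() {
    awk '
        /^gidNumber: / { n++; gid = substr($0, 12) }
        END {
            if (n != 1 || gid !~ /^[0-9]+$/) exit 1
            print gid
        }'
}

# usage: get_gidnumber /path/to/sam.ldb "OU=YourUSERS,DC=..." username
get_gidnumber() {
    ldbsearch -H "$1" -b "$2" -s sub "(cn=$(ldap_escape "$3"))" gidNumber |
        gidnumber_from_ldif
}

# Constructed sample of ldbsearch output for one user (not real data).
sample_ldbsearch_output() {
    cat <<'EOF'
# record 1
dn: CN=username,OU=YourUSERS,DC=example,DC=com
gidNumber: 10001

# returned 1 records
# 1 entries
# 0 referrals
EOF
}
```

Only `get_gidnumber` touches sam.ldb; the other functions can be checked against the constructed sample without a DC.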



