[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
L.P.H. van Belle
belle at bazuin.nl
Tue Aug 20 09:29:03 UTC 2019
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Prunk Dump via samba
> Sent: Tuesday 20 August 2019 10:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind on DC : how use gidNumber
> instead of primaryGroupID as user's primary group
>
> On Mon, 19 Aug 2019 at 12:37, Rowland penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On 19/08/2019 11:13, Prunk Dump via samba wrote:
> > > Last important thing. I use some script to manage my users from Linux.
> > > As I can't use the "id" command to get the user gidNumber on DC :

Why not? I see this on my DCs (Debian Buster, samba 4.10.6 with AD backends).

id username ( samba domain user)
uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000030(NTDOM\Allow-rdp),3000315(NTDOM\Allow-monitoring),3000009(BUILTIN\users)

# change $2 to $3 and get the output of groups.
time id username |awk -F"=" '{ print $2 }'|cut -d"(" -f1
10002
real 0m0.051s
user 0m0.002s
sys 0m0.005s

time /usr/bin/id username |/usr/bin/awk -F"=" '{ print $2 }'|/usr/bin/cut -d"(" -f1
10002
real 0m0.050s
user 0m0.007s
sys 0m0.000s

So with or without path does not make much of a difference.

SAMBA_BIN=$(which samba)
LDBDB="$(${SAMBA_BIN} -b | grep PRIVATE_DIR | sed 's/\ //g' | awk -F":" '{ print $2 }')/sam.ldb"
DN="$(ldbsearch -H "${LDBDB}" -b "" -s base defaultNamingContext | grep 'defaultNamingContext' | sed 's|defaultNamingContext: ||')"
time ldbsearch -H "${LDBDB}" -b "OU=YourUSERS,${DN}" -s sub '(CN=SEARCHSTRING)' gidNumber | grep gidNumber | sed 's/gidNumber: //'
10000
real 0m0.621s
user 0m0.599s
sys 0m0.023s

So I would go for the first as it is at least x10 faster here.

Greetz,
Louis

> > >
> > > What is the fastest command to get the user gidNumber
> > > value on a samba DC ?
> > >
> > Sounds like you haven't set up the libnss-winbind links,
> > but when you do, don't be surprised if you get IDs in the
> > '3000000' range
> >
> > Rowland
>
> Sorry I don't formulate my question very well. Libnss-winbind is well
> configured on my DC. But :
>
> On some of my scripts I need to get the users "gidNumber" attribute
> value. As on DC winbind always gives "Domain Users" as gid I can't use
> the "id" or "wbinfo" command to get the "gidNumber" attribute value.
> So my question is : Is there a faster equivalent of this command :
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b
> a_base_dn_that_contain_all_my_users '(cn=myusername)' gidNumber | grep
> gidNumber | sed 's/gidNumber: //'
>
> Is there a samba command to get as fast as possible a user's LDAP
> attribute values ?
>
> Regards,
>
> Baptiste.
>
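
Added example, not part of the original thread: a POSIX shell sketch that parses the two outputs discussed above (an `id` line and ldbsearch LDIF) and reports whether the gid returned through winbind agrees with the gidNumber stored in AD. The function names and the sample LDIF record are hypothetical and constructed for illustration; the `id` line follows the shape shown in the reply.

```shell
#!/bin/sh
# Added example. Helper names are hypothetical; sample data is constructed.

# Extract the numeric uid or gid from one captured line of `id` output.
# Matching on the field name avoids depending on field position.
# (When calling id directly, `id -u` / `id -g` print the number alone.)
id_field() {    # usage: id_field uid|gid < id-output
    sed -n "s/^\(.* \)*$1=\([0-9][0-9]*\).*/\2/p"
}

# Print the value of one attribute from ldbsearch LDIF output.
# Only lines that start with "<attr>: " match, so a dn or comment
# line that merely contains the attribute name is ignored.
ldif_attr() {   # usage: ldif_attr gidNumber < ldif
    awk -v a="$1" 'BEGIN { a = tolower(a) ": " }
        tolower(substr($0, 1, length(a))) == a { print substr($0, length(a) + 1) }'
}

# Compare the gid NSS reports with the gidNumber attribute in AD.
check_primary_gid() {   # args: id-output-line ldif-text
    nss_gid=$(printf '%s\n' "$1" | id_field gid)
    ad_gid=$(printf '%s\n' "$2" | ldif_attr gidNumber)
    if [ -z "$ad_gid" ]; then
        echo "no-gidNumber"
    elif [ "$nss_gid" = "$ad_gid" ]; then
        echo "match:$ad_gid"
    else
        echo "mismatch:nss=$nss_gid,ad=$ad_gid"
    fi
}

# Constructed sample: `id` line in the format shown in the thread.
SAMPLE_ID='uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000009(BUILTIN\users)'

# Constructed sample: ldbsearch result whose gidNumber differs from the NSS gid.
SAMPLE_LDIF='# record 1
dn: CN=username,OU=YourUSERS,DC=example,DC=com
gidNumber: 10010

# returned 1 records'

check_primary_gid "$SAMPLE_ID" "$SAMPLE_LDIF"
```

On a live DC the two arguments would come from `id username` and the ldbsearch query quoted above.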