[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

Prunk Dump prunkdump at gmail.com
Tue Aug 20 11:18:37 UTC 2019

Le mar. 20 août 2019 à 12:30, Rowland penny via samba
<samba at lists.samba.org> a écrit :
> On 20/08/2019 11:16, L.P.H. van Belle via samba wrote
> >> The problem with that is, 'id' gets its info from the same place that
> >> 'getent' does, so the OP will still get the wrong group ;-)
> >>
> >> Rowland
> > Maybe i did not understand the question then.
> > In: id username |awk -F"=" '{ print $2 }'|cut -d"(" -f1
> > $2 = GID
> > $3 = primary group.
> The OP wants something like 'idmap config SAMDOM : unix_primary_group =
> yes' but on a DC.
> As the 'idmap config' lines do not work on a DC, I think he has three
> options:
> Just make do with 'domain Users'.
> Set up a Unix domain member and use that instead.
> Use nslcd.
> Before anyone says 'what about sssd ?' , when the people who produce it
> say 'do not use sssd with winbind', then you shouldn't use it on a Samba
> AD DC.
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

In short. My network design previously work with Debian Stretch
Servers and clients and some Windows clients (not many).

Debian Stretch use Samba 4.5.16 so there is no unix_primary_group
option for the clients. So I have to use the "dirty" tweak of
modifying all my users "primaryGroupID" to the corresponding
"gidNumber". Every things works well with my NFSv4 shares and Samba
shares. I did not notice somethings wrong neither in Linux or Windows

Now my network design will be upgraded to Debian Buster. I was happy
to see the apparition of the "unix_primary_group" option. I think at
start that this will help me ovoiding the dirty trick.

But on the Buster Samba DC this option does not exist and more, now
Samba DC refuse to check the "primaryGroupID" value. My dirty trick
does not works anymore. So il need to convert all my scripts to obtain
the gidNumber.

Here what id give on DC :
# id testteacher6
uid=4000007(FICHLAN\testteacher6) gid=5200001(FICHLAN\domain users)

Surprisingly it seems that winbind_nss put the group corresponding to
the gidNumber just after the "Domain Users" group on the "id" comment.
But I'm not sure this behavior is reliable. So may the Louis tricks
can work ...

More information about the samba mailing list