[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

L.P.H. van Belle belle at bazuin.nl
Tue Aug 20 12:29:00 UTC 2019


Hai, 

> 
> In short. My network design previously work with Debian Stretch
> Servers and clients and some Windows clients (not many).
> 
> Debian Stretch use Samba 4.5.16 so there is no unix_primary_group
> option for the clients. So I have to use the "dirty" tweak of
> modifying all my users "primaryGroupID" to the corresponding
> "gidNumber". Every things works well with my NFSv4 shares and Samba
> shares. I did not notice somethings wrong neither in Linux or Windows
> client.
? Uhm, samba-tool does have the option to add uid/gids. 

I can recall our conversation years ago for jessie with nfsv4. 
These days setting up nfsv4 is easy. 
I these days have NFSv4 with sys,krb5,krb5i,krb5p working 
*example, ssh SSO logins and automounted krb5p and protected homedirs, which even root can not enter.
I'll work this out in the howtos I'm updating/writing atm for Debian Buster. 
This might take some time, because it will be the full setup of how I'm running things. 
.. I might speed up a bit because I noticed the samba wiki has really improved a lot,
so I might "borrow" some parts ;-).

It might help, if you can explain exactly how your nfsv4 is set up now. 

> 
> Now my network design will be upgraded to Debian Buster. I was happy
> to see the apparition of the "unix_primary_group" option. I think at
> start that this will help me avoiding the dirty trick.
> 
I still don't understand what you're exactly doing and what was not working.. 
(sorry)

> 
> But on the Buster Samba DC this option does not exist and more, now
> Samba DC refuse to check the "primaryGroupID" value. My dirty trick
> does not work anymore. So I'll need to convert all my scripts to obtain
> the gidNumber.
> 
> Here is what id gives on the DC :
> # id testteacher6
> uid=4000007(FICHLAN\testteacher6) gid=5200001(FICHLAN\domain users) groups=5200001(FICHLAN\domain users),5000002(FICHLAN\teachers),5000000(FICHLAN\s4users),3000009(BUILTIN\users)
> 
> Surprisingly it seems that winbind_nss put the group corresponding to
> the gidNumber just after the "Domain Users" group on the "id" comment.
> But I'm not sure this behavior is reliable. So maybe the Louis tricks
> can work ...
> 
Hmm, so, I've tested a bit more, because if Rowland says something I pay extra attention ;-). 

I created a new user with ADUC. Note, I use Win7, so I have the Unix tab. ;-) 

- Clean Windows AD user. 
id testuser
uid=3000338(BAZRTD\testuser) gid=10000(BAZRTD\domain users) groups=10000(BAZRTD\domain users),3000338(BAZRTD\testuser),3000009(BUILTIN\users)

net cache flush 

- Assigned a UID + Primary Group, shell.   ( testing Primary group : testgroup ) 
id testuser
uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000009(BUILTIN\users)
? No primary group/GID as I did set. 

net cache flush 

- Going to Tab :  Member of group.
Added group testgroup
Selected it, and clicked on "Set Primary Group" 
id testuser
uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
? No primary group/GID as I did set. 

- Going back to the Unix tab.
Now here, I also selected the "Primary Group", but now the same as above. ( testgroup ) 
uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
and again, no primary group. 

So my conclusion.
Viewpoint from the Linux CLI. 
The viewpoint from the Windows GUI might differ, I did not test that. 


It's always : 
UID GID PRIMARY_GROUP_GID in the output of 'id', as far as I notice with these checks. 

!! DC !! 
On the DC, a primary group is not respected as it should be. 
And the primary group is always "domain users"


!! MEMBER !!
On the members, keeping the settings as they were, and working back to no uid/gid

id testuser
uid=10128(testuser) gid=10011(testgroup) groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
Correct

- Going back to the Unix tab, selected "domain users"
id testuser
uid=10128(testuser) gid=10000(domain users) groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
# unix primary is set to "domain users" and the Windows primary group is set to testgroup. 


Switching UNIX primary group and windows primary group.
# unix primary is set to testgroup and the Windows primary group is set to "domain users"
id testuser
uid=10128(testuser) gid=10011(testgroup) groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
Correct

All set to "domain users"
id testuser
uid=10128(testuser) gid=10000(domain users) groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
Correct

Remove the Unix attributes
id testuser
id: ‘testuser’: no such user

I hope it can help you.



Greetz, 

Louis
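As an added example (not part of Louis's post, and not Samba's own code), a small Python checker that parses id(1) output of the shape shown above and reports whether the primary gid winbind returns matches the gidNumber the admin set. It distinguishes the member-server result (gidNumber is the primary gid) from the DC result (the gidNumber group is only in the supplementary list). The sample lines and the expected gid values are constructed from the post.

```python
import re

# Constructed sample lines, modelled on the `id testuser` output in the post.
DC_LINE = ("uid=10128(NTDOM\\testuser) gid=10000(NTDOM\\domain users) "
           "groups=10000(NTDOM\\domain users),10011(NTDOM\\testgroup),"
           "3000009(BUILTIN\\users)")
MEMBER_LINE = ("uid=10128(testuser) gid=10011(testgroup) "
               "groups=10011(testgroup),10000(domain users),2001(BUILTIN\\users)")
# Assumed: the admin set gidNumber=10011 (testgroup) on the user object.
EXPECTED_GIDNUMBER = 10011

_UID = re.compile(r"\buid=(\d+)")
_GID = re.compile(r"\bgid=(\d+)")
_GROUPS = re.compile(r"\bgroups=(.*)$")
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")   # one "gid(name)" entry


def parse_id(line):
    """Split one id(1) line into (uid, primary_gid, [supplementary gids]).

    Names may contain spaces ("domain users"), so fields are located with
    regexes rather than by splitting on whitespace. A line such as
    "id: 'user': no such user" raises ValueError."""
    uid_m = _UID.search(line)
    if uid_m is None:
        raise ValueError("not an id(1) record: %r" % line)
    uid = int(uid_m.group(1))
    gid = int(_GID.search(line).group(1))
    groups_str = _GROUPS.search(line).group(1)
    groups = [int(m.group(1)) for m in _ENTRY.finditer(groups_str)]
    return uid, gid, groups


def check_primary_group(line, gid_number):
    """Compare the primary gid winbind reports with the expected gidNumber.

    Returns "ok" when they match (the member-server behaviour in the post),
    "supplementary-only" when the gidNumber group is listed but not primary
    (the DC behaviour in the post), or "missing" when it is absent entirely."""
    _, gid, groups = parse_id(line)
    if gid == gid_number:
        return "ok"
    if gid_number in groups:
        return "supplementary-only"
    return "missing"


if __name__ == "__main__":
    for label, line in (("DC", DC_LINE), ("member", MEMBER_LINE)):
        print(label, check_primary_group(line, EXPECTED_GIDNUMBER))
```

Run it against `id <user>` output from each host type to confirm which primary gid your NFS/Samba file ownership will actually be based on.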



