[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

Rowland penny rpenny at samba.org
Wed Aug 21 08:32:46 UTC 2019


On 21/08/2019 09:04, Prunk Dump via samba wrote:
> On Tue 20 Aug 2019 at 14:30, L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
>> Hai,
>>
>>> In short: my network design previously worked with Debian Stretch
>>> servers and clients and some Windows clients (not many).
>>>
>>> Debian Stretch uses Samba 4.5.16 so there is no unix_primary_group
>>> option for the clients. So I had to use the "dirty" tweak of
>>> modifying all my users' "primaryGroupID" to the corresponding
>>> "gidNumber". Everything works well with my NFSv4 shares and Samba
>>> shares. I did not notice anything wrong on either the Linux or the Windows
>>> clients.
>> ? Uhm, samba-tool does have the option to add uid/gids.
>>
>> I can recall our conversation years ago for Jessie with nfsv4.
>> These days setting up nfsv4 is easy.
>> These days I have NFSv4 with sys,krb5,krb5i,krb5p working
>> *example: ssh SSO logins and automounted krb5p and protected homedirs, which even root can not enter.
>> I'll work this out in the howtos I'm updating/writing atm for Debian Buster.
>> This might take some time, because it will be the full setup of how I'm running things.
>> .. I might speed up a bit because I noticed the samba wiki has really improved a lot,
>> so I might "borrow" some parts ;-).
>>
>> It might help if you can explain exactly how your nfsv4 is set up now.
>>
>>> Now my network design will be upgraded to Debian Buster. I was happy
>>> to see the appearance of the "unix_primary_group" option. I thought at
>>> first that this would help me avoid the dirty trick.
>>>
>> I still don't understand what exactly you're doing and what was not working..
>> (sorry)
>>
>>> But on the Buster Samba DC this option does not exist and, moreover,
>>> Samba DC now refuses to check the "primaryGroupID" value. My dirty trick
>>> does not work anymore. So I need to convert all my scripts to obtain
>>> the gidNumber.
>>>
>>> Here is what id gives on the DC:
>>> # id testteacher6
>>> uid=4000007(FICHLAN\testteacher6) gid=5200001(FICHLAN\domain users) groups=5200001(FICHLAN\domain users),5000002(FICHLAN\teachers),5000000(FICHLAN\s4users),3000009(BUILTIN\users)
>>>
>>> Surprisingly it seems that winbind_nss puts the group corresponding to
>>> the gidNumber just after the "Domain Users" group in the "id" output.
>>> But I'm not sure this behavior is reliable. So maybe Louis's tricks
>>> can work ...
>>>
>> Hmm, so, I've tested a bit more, because if Rowland says something I pay extra attention ;-).
>>
>> I created a new user with ADUC. Note, I use Win7, so I have the Unix tab. ;-)
>>
>> - clean Windows AD user.
>> id testuser
>> uid=3000338(BAZRTD\testuser) gid=10000(BAZRTD\domain users) groups=10000(BAZRTD\domain users),3000338(BAZRTD\testuser),3000009(BUILTIN\users)
>>
>> net cache flush
>>
>> - Assigned a UID + primary group, shell.   (testing primary group: testgroup)
>> id testuser
>> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000009(BUILTIN\users)
>> ? no primary group/GID as I set it.
>>
>> net cache flush
>>
>> - Going to tab: Member of group.
>> Added group testgroup.
>> Selected it and clicked on "Set Primary Group".
>> id testuser
>> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
>> ? no primary group/GID as I set it.
>>
>> - going back to the Unix tab.
>> Now here, I also selected the "primary group", but now the same as above. (testgroup)
>> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
>> and again, no primary group.
>>
>> So my conclusion.
>> Viewpoint: from the Linux CLI.
>> The viewpoint from the Windows GUI might differ, I did not test that.
>>
>>
>> It's always:
>> UID GID PRIMARY_GROUP_GID in the output of 'id', as far as I noticed with these checks.
>>
>> !! DC !!
>> On the DC, a primary group is not respected as it should be.
>> And the primary group is always "domain users".
>>
>>
>> !! MEMBER !!
>> On the members, keeping the settings as they were, and working back to no uid/gid.
>>
>> id testuser
>> uid=10128(testuser) gid=10011(testgroup) groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
>> Correct
>>
>> - going back to the Unix tab, selected "domain users"
>> id testuser
>> uid=10128(testuser) gid=10000(domain users) groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
>> # Unix primary is set to "domain users" and the Windows primary group is set to testgroup.
>>
>>
>> Switching Unix primary group and Windows primary group.
>> # Unix primary is set to testgroup and the Windows primary group is set to "domain users"
>> id testuser
>> uid=10128(testuser) gid=10011(testgroup) groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
>> Correct
>>
>> All set to "domain users"
>> id testuser
>> uid=10128(testuser) gid=10000(domain users) groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
>> Correct
>>
>> Remove the Unix attributes
>> id testuser
>> id: ‘testuser’: no such user
>>
>> I hope it can help you.
>>
>>
>>
>> Greetz,
>>
>> Louis
>>
> Thank you very much Louis for your help !!!
>
> You have reached exactly the same conclusion as me. On the DC it's not
> possible to make winbind return the gid I want. And on members
> everything is coherent. (Note that the group corresponding to the gid on
> the DC seems to always be the first group displayed after Domain Users.)
>
> And these uid/gid are used by the nfsv4 server to manage files. So if
> my nfsv4 server is on a DC:
> -> When on the member my testuser (uid=testuser, gid=teachers) creates
> a file on the nfsv4 share
> -> The DC translates the user uid/gid and creates a file owned by
> "testuser:domain users"
> -> If I check the file uid/gid from the member I see "uid=testuser, gid=domain users"
>
> So the "problem" is that, with the nfsv4 server on the DC, when my users
> create files with uid=A/gid=B, the file is created with
> uid=A,gid=Domain Users.
>
> For years I have found this limitation about serving files on a DC problematic.
> How do you design your network, Louis, to get a member file server?
> -> You use virtualization?
> -> You use LXC?
> -> You use two physical servers?
>
> How do OP do it in general here? Is there some tutorial about LXC setup for
> samba around here? I have only one physical server....
>
> @Louis :
> It seems that we are both working on network design for
> school/enterprise, no? If you are interested, I am trying to publish my work
> now:
> https://github.com/prunkdump/sclustered
>
> Maybe we can work together or exchange some parts of our design. If
> you have a virtual machine emulator you can get my setup running in
> less than 30 minutes (I use puppet for configuration). If you want
> some info contact me by email.
>
> Regards,
>
> Baptiste.
>
Hi Baptiste, I have had a look at your github page and it looks 
promising ;-)

I had a more in depth look at 's4useradd' and where you have:

# create the user #
samba-tool user create $userName --userou=$userClassDN --random-password \
.....................................
...............................
.................

# set passwd #
samba-tool user setpassword $userName --newpassword=$userPasswd

This would work just as well:

# create the user #
samba-tool user create $userName $userPasswd --userou=$userClassDN \
.....................................
...............................
.................

Just one call to samba-tool ;-)

Also, do you really want all your users' passwords to never expire?

Rowland
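An added example, not code from this thread, from Baptiste's repository or from Samba: a small Python audit that parses the `id` output quoted above and reports whether the group matching a user's gidNumber is the primary gid (what the member server shows), only a supplementary group (what the DC shows, and why NFSv4 files served from the DC end up in "domain users"), or absent. The two `id` lines and the AD attribute values (uidNumber, gidNumber, userAccountControl) are constructed here in the shape of the thread's output; in practice you would take the `id` line from the host you are checking and the attributes from `samba-tool user show` or ldbsearch. The password-expiry helper checks the DONT_EXPIRE_PASSWD bit (0x10000) of userAccountControl, which is what Rowland's last question is about.

```python
"""Audit winbind's primary gid for a user against the gidNumber stored in AD.

Added example for this thread; not code from the thread, the linked repository or Samba.
"""
import re
import subprocess

# Constructed sample `id` output shaped like the lines in the thread:
# on a DC winbind reports "domain users" as the primary gid, on a member the gidNumber group.
DC_ID_OUTPUT = ("uid=10128(NTDOM\\testuser) gid=10000(NTDOM\\domain users) "
                "groups=10000(NTDOM\\domain users),10011(NTDOM\\testgroup),3000009(BUILTIN\\users)")
MEMBER_ID_OUTPUT = ("uid=10128(testuser) gid=10011(testgroup) "
                    "groups=10011(testgroup),10000(domain users),2001(BUILTIN\\users)")

# Constructed stand-in for the RFC2307 attributes you would read from AD
# (samba-tool user show / ldbsearch); assumed values, not taken from the thread.
AD_USERS = {
    "testuser": {"uidNumber": 10128, "gidNumber": 10011, "userAccountControl": 0x10200},
}

UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: "password never expires"

_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")   # uid=..., gid=..., groups=...
_ENTRY = re.compile(r"(\d+)\(([^)]*)\)")           # 10011(NTDOM\testgroup)


def parse_id(line):
    """Split one `id` line into (number, name) pairs for uid, gid and groups.

    Names keep any DOMAIN\\ prefix so the caller can see which view produced them.
    """
    fields = {key: _ENTRY.findall(value) for key, value in _FIELD.findall(line.strip())}

    def as_pairs(entries):
        return [(int(num), name) for num, name in entries]

    return {
        "uid": as_pairs(fields["uid"])[0],
        "gid": as_pairs(fields["gid"])[0],
        "groups": as_pairs(fields.get("groups", [])),
    }


def short_name(name):
    """Drop a DOMAIN\\ or BUILTIN\\ prefix so DC and member output compare equal."""
    return name.split("\\")[-1].lower()


def check_primary_gid(id_line, expected_gid):
    """Classify how winbind exposed the expected gidNumber for this user.

    'ok'                 - it is the primary gid (member-server behaviour in the thread)
    'supplementary_only' - listed under groups= but not as gid= (the DC behaviour, which
                           makes files created over NFSv4 land in "domain users")
    'missing'            - winbind does not map the user into that group at all
    """
    parsed = parse_id(id_line)
    if parsed["gid"][0] == expected_gid:
        return "ok"
    if any(gid == expected_gid for gid, _ in parsed["groups"]):
        return "supplementary_only"
    return "missing"


def password_never_expires(user_account_control):
    """True when the DONT_EXPIRE_PASSWD bit is set in userAccountControl."""
    return bool(user_account_control & UF_DONT_EXPIRE_PASSWD)


def live_id_line(username):
    """Run the real `id` for a user; only meaningful on a domain-joined host."""
    result = subprocess.run(["id", username], capture_output=True, text=True, check=True)
    return result.stdout


def audit(username, id_line, ad_users=AD_USERS):
    """Return the findings for one user: uid match, primary-gid status, groups, expiry flag."""
    entry = ad_users[username]
    parsed = parse_id(id_line)
    return {
        "uid_matches": parsed["uid"][0] == entry["uidNumber"],
        "primary_gid": check_primary_gid(id_line, entry["gidNumber"]),
        "groups": sorted(short_name(name) for _, name in parsed["groups"]),
        "password_never_expires": password_never_expires(entry["userAccountControl"]),
    }


if __name__ == "__main__":
    for label, line in (("DC", DC_ID_OUTPUT), ("member", MEMBER_ID_OUTPUT)):
        print(label, audit("testuser", line))
```

Run it on a DC and on a member with `live_id_line(user)` in place of the constructed lines: a `supplementary_only` result on the host that exports the NFSv4 share is the condition the thread describes, and the group list, normalised with `short_name`, lets you confirm the two hosts otherwise agree on membership.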
