[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

Prunk Dump prunkdump at gmail.com
Wed Aug 21 14:14:26 UTC 2019


On Wed, 21 Aug 2019 at 14:34, Rowland penny via samba <samba at lists.samba.org>
wrote:

> On 21/08/2019 09:04, Prunk Dump via samba wrote:
> > On Tue, 20 Aug 2019 at 14:30, L.P.H. van Belle via samba
> > <samba at lists.samba.org> wrote:
> >> Hai,
> >>
> >>> In short. My network design previously work with Debian Stretch
> >>> Servers and clients and some Windows clients (not many).
> >>>
> >>> Debian Stretch use Samba 4.5.16 so there is no unix_primary_group
> >>> option for the clients. So I have to use the "dirty" tweak of
> >>> modifying all my users "primaryGroupID" to the corresponding
> >>> "gidNumber". Everything works well with my NFSv4 shares and Samba
> >>> shares. I did not notice anything wrong in either Linux or Windows
> >>> clients.
> >> ? Uhm, samba-tool does have the option to add uid/gids.
> >>
> >> I can recall our conversation years ago for jessie with nfsv4.
> >> These days setting up nfsv4 is easy.
> >> These days I have NFSv4 with sys,krb5,krb5i,krb5p working
> >> *example, ssh SSO logins and automounted krb5p and protected homedirs,
> >> which even root can not enter.
> >> I'll work this out in the howto's I'm updating/writing atm for Debian
> >> Buster.
> >> This might take some time, because it will be the full setup of how I'm
> >> running things.
> >> .. I might speed up a bit because I noticed the samba wiki has really
> >> improved a lot,
> >> so I might "borrow" some parts ;-).
> >>
> >> It might help if you can explain exactly how your NFSv4 is set up now.
> >>
> >>> Now my network design will be upgraded to Debian Buster. I was happy
> >>> to see the appearance of the "unix_primary_group" option. I thought at
> >>> first that this would help me avoid the dirty trick.
> >>>
> >> I still don't understand what you're exactly doing and what was not
> >> working..
> >> (sorry)
> >>
> >>> But on the Buster Samba DC this option does not exist and, moreover,
> >>> the Samba DC now refuses to check the "primaryGroupID" value. My dirty
> >>> trick does not work anymore. So I need to convert all my scripts to
> >>> obtain the gidNumber.
> >>>
> >>> Here is what id gives on the DC:
> >>> # id testteacher6
> >>> uid=4000007(FICHLAN\testteacher6) gid=5200001(FICHLAN\domain users)
> >>> groups=5200001(FICHLAN\domain users),5000002(FICHLAN\teachers),5000000(FICHLAN\s4users),3000009(BUILTIN\users)
> >>>
> >>> Surprisingly it seems that winbind_nss puts the group corresponding to
> >>> the gidNumber just after the "Domain Users" group in the "id" output.
> >>> But I'm not sure this behavior is reliable. So maybe Louis's tricks
> >>> can work ...
> >>>
> >> Hmm, so, I've tested a bit more, because if Rowland says something I
> >> pay extra attention ;-).
> >>
> >> I created a new user with ADUC. Note, I use Win7, so I have the Unix
> >> tab. ;-)
> >>
> >> - clean windows AD users.
> >> id testuser
> >> uid=3000338(BAZRTD\testuser) gid=10000(BAZRTD\domain users)
> >> groups=10000(BAZRTD\domain users),3000338(BAZRTD\testuser),3000009(BUILTIN\users)
> >>
> >> net cache flush
> >>
> >> - Assigned a UID + Primary Group, shell.   ( testing Primary group :
> >> testgroup )
> >> id testuser
> >> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users)
> >> groups=10000(NTDOM\domain users),3000009(BUILTIN\users)
> >> ? no primary group/GID as I did set.
> >>
> >> net cache flush
> >>
> >> - Going to Tab :  Member of group.
> >> Added group testgroup
> >> Selected it, and clicked on "Set Primary Group"
> >> id testuser
> >> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users)
> >> groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
> >> ? no primary group/GID as I did set.
> >>
> >> - going back to unix tab
> >> Now here, I also selected the "primary Group", but now same as above. (
> >> testgroup )
> >> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users)
> >> groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
> >> and again, no primary group.
> >>
> >> So my conclusion.
> >> View point, from Linux CLI.
> >> The view point from windows GUI might differ, i did not test that.
> >>
> >>
> >> It's always :
> >> UID GID PRIMARY_GROUP_GID with the output of 'id' as far as I notice with
> >> these checks.
> >>
> >> !! DC !!
> >> On the DC, a primary group is not respected as it should be.
> >> And the primary group is always "domain users"
> >>
> >>
> >> !! MEMBER !!
> >> On the members, keeping the settings as they were, and working back to no
> >> uid/gid
> >>
> >> id testuser
> >> uid=10128(testuser) gid=10011(testgroup)
> >> groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
> >> Correct
> >>
> >> - going back to unix tab, selected "domain users"
> >> id testuser
> >> uid=10128(testuser) gid=10000(domain users)
> >> groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
> >> # unix primary is set to "domain users" and the Windows primary group
> >> is set to testgroup.
> >>
> >>
> >> Switching UNIX primary group and windows primary group.
> >> # unix primary is set to testgroup and the Windows primary group is set
> >> to "domain users"
> >> id testuser
> >> uid=10128(testuser) gid=10011(testgroup)
> >> groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
> >> Correct
> >>
> >> All set to "domain users"
> >> id testuser
> >> uid=10128(testuser) gid=10000(domain users)
> >> groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
> >> Correct
> >>
> >> Remove the Unix attributes
> >> id testuser
> >> id: ‘testuser’: no such user
> >>
> >> I hope it can help you.
> >>
> >>
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions:  https://lists.samba.org/mailman/options/samba
> > Thank you very much Louis for your help !!!
> >
> > You have reached exactly the same conclusion as me. On the DC it's not
> > possible to make winbind return the gid I want. And on members
> > everything is coherent. (Note that the group corresponding to the gid on
> > the DC always seems to be the first group displayed after Domain Users).
> >
> > And these uid/gid are used by the nfsv4 server to manage files. So if
> > my nfsv4 server is on a DC :
> > -> When on the member my testuser (uid=testuser, gid=teachers) creates
> > a file on the nfsv4 share
> > -> The DC translates the user uid/gid and creates a file owned by
> > "testuser:domain users"
> > -> If I check the file uid/gid from the member I see "uid=testuser,
> > gid=domain user"
> >
> > So the "problem" is that, with the nfsv4 server on the DC, when my users
> > create files with uid=A/gid=B, the file is created with
> > uid=A,gid=Domain Users.
> >
> > For years I have found this limitation about serving files on the DC
> > problematic. How do you design your network, Louis, to get a member file
> > server ?
> > -> You use virtualization ?
> > -> You use LXC ?
> > -> You use two physical servers ?
> >
> > How does OP do it in general here ? Is there some tutorial about LXC setup
> > for samba around here ? I have only one physical server....
> >
> > @Louis :
> > It seems that you and I are both working on network design for
> > school/enterprise, no ? If you are interested I am trying to publish my
> > work now :
> > https://github.com/prunkdump/sclustered
> >
> > Maybe we can work together or exchange some parts of our design. If
> > you have a virtual machine emulator you can get my setup running in
> > less than 30 minutes (I use puppet for configuration). If you want
> > some info contact me by email.
> >
> > Regards,
> >
> > Baptiste.
> >
> Hi Baptiste, whilst eating my dinner, I was browsing scluster again
> (really think that's a bad name, but it is your project ;-) ) and I
> found this in samba_conf.sh.erb:
>
> # add gid attribute to Domain Users #
> echo "\
> dn: CN=Domain Users,CN=Users,<%= @base_dn %>
> changetype: modify
> add:objectclass
> objectclass: posixGroup
> -
> add: gidnumber
> gidnumber: 100
> " > /tmp/Domain_Users.ldif
>
> My first thoughts were: NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
>
> Why are you doing this ? You have just stopped the winbind 'ad' backend
> working on a Unix domain member unless you set a stupidly low 'idmap
> config DOMAIN' range start and if you do set it low so that domain users
> are shown, you will either overwrite a lot of the Unix system users and
> groups, or your domain users will not be shown.
>
> You also should not add the posixGroup objectclass, it isn't required.
>
> Sorry to sound so negative :-(
>
> Rowland
>
>
>


No problem Louis !

That’s the interest of open source projects. Everyone can review the code
and search for mistakes.

The gid=100 value for domain users is just an experiment. As there is no
idmap range on the DC this works on the DC. And as gid=100 resolves on
members this works on members too.

But this is a bad idea, you're right. My now chosen value is 5100000 (still
not published as s4makeshareddir does not work anymore due to the gid
problem on the DC).

For the name of the project I will see if I can find a better one ;)

Don't hesitate to check the puppet « pp » files. You will see that they
are self-explanatory. Puppet is a very good project. All my network
configuration (servers, clients, printers, etc.) is stored in just one
file. All the share configuration and users are stored in AD. So I have
just one file and one database to back up to save all my network
configuration.

I have recently deployed this design in a high school with 4 DCs and 550
clients in just two days, but with a file describing all the setup prepared
beforehand. Everything works with PXE and puppet (except for the Windows
clients for installing the base system; I avoid Windows as much as possible).

It's almost finished. I just have to solve this GID problem by adapting my
share rights.

I will work later on moving the file server to a virtual machine or an LXC.
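An added check, not code from the thread or from the sclustered project, that illustrates Rowland's objection: on a Unix domain member the winbind 'ad' backend only maps users and groups whose uidNumber/gidNumber fall inside 'idmap config DOMAIN : range', so a gidNumber of 100 on Domain Users cannot resolve there and also shadows a local system group. The smb.conf fragment, the group list and the 0-999 local-system cut-off are constructed assumptions.

```python
import re

# Constructed smb.conf fragment for a Unix domain member (not from the thread).
SAMPLE_SMB_CONF = """[global]
    workgroup = FICHLAN
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000000 - 3999999
    idmap config FICHLAN : backend = ad
    idmap config FICHLAN : range = 4000000 - 5999999
"""

# Constructed (group name, gidNumber) pairs as they might be read back from AD.
SAMPLE_GROUPS = [
    ("Domain Users", 100),      # the value in the LDIF quoted above
    ("Domain Users", 5100000),  # the value chosen afterwards in the reply
    ("teachers", 5000002),      # from the id output earlier in the thread
    ("students", 6000001),      # constructed: above the range
]

RANGE_RE = re.compile(
    r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$",
    re.IGNORECASE | re.MULTILINE)

def parse_idmap_ranges(conf):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}

def check_gid(gid, low, high, system_max=999):
    """Classify one gidNumber against the member's idmap range for its domain.
    system_max is an assumption: Debian keeps 0-999 for local system accounts,
    so an AD gidNumber there shadows a local group (100 is 'users')."""
    if gid <= system_max:
        return "system-collision"
    if gid < low:
        return "below-range"
    if gid > high:
        return "above-range"
    return "ok"

def audit(conf, domain, groups):
    """Return [(name, gid, verdict)]; only 'ok' entries resolve via winbind 'ad'."""
    low, high = parse_idmap_ranges(conf)[domain]
    return [(name, gid, check_gid(gid, low, high)) for name, gid in groups]

if __name__ == "__main__":
    for name, gid, verdict in audit(SAMPLE_SMB_CONF, "FICHLAN", SAMPLE_GROUPS):
        print(f"{name:14s} gidNumber={gid:<8d} {verdict}")
```

Run it against the real smb.conf of a member and the gidNumber values exported from AD to spot groups that winbind will silently drop.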

