[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

Rowland penny rpenny at samba.org
Wed Aug 21 15:04:12 UTC 2019 

On 21/08/2019 15:14, Prunk Dump via samba wrote:
> Le mer. 21 août 2019 à 14:34, Rowland penny via samba <samba at lists.samba.org>
> a écrit :
>
>> On 21/08/2019 09:04, Prunk Dump via samba wrote:
>>> Le mar. 20 août 2019 à 14:30, L.P.H. van Belle via samba
>>> <samba at lists.samba.org> a écrit :
>>>> Hai,
>>>>
>>>>> In short. My network design previously work with Debian Stretch
>>>>> Servers and clients and some Windows clients (not many).
>>>>>
>>>>> Debian Stretch use Samba 4.5.16 so there is no unix_primary_group
>>>>> option for the clients. So I have to use the "dirty" tweak of
>>>>> modifying all my users "primaryGroupID" to the corresponding
>>>>> "gidNumber". Every things works well with my NFSv4 shares and Samba
>>>>> shares. I did not notice somethings wrong neither in Linux or Windows
>>>>> client.
>>>> ? Uhm, samba-tool does have the option to add uid/gids.
>>>>
>>>> I can recall our conversation years ago for jessi with nfsv4.
>>>> These days setting up nfsv4 is easy.
>>>> I these days have NFSv4 with sys,krb5,krb5i,krb5p working
>>>> *example, ssh SSO logins and automounted krb5p and protected homedirs,
>> which even root can not enter.
>>>> I'll work this out in the howto's im updating/writing atm for Debian
>> Buster.
>>>> This might take some time, because it will be the full setup of how im
>> running things.
>>>> .. I might speed up a bit because i noticed the samba wiki is really
>> improved a lot,
>>>> so i migh "borrow" some parts ;-).
>>>>
>>>> It might help, if you can explain exactly how you nfsv4 is setup now.
>>>>
>>>>> Now my network design will be upgraded to Debian Buster. I was happy
>>>>> to see the apparition of the "unix_primary_group" option. I think at
>>>>> start that this will help me ovoiding the dirty trick.
>>>>>
>>>> I still dont understand what your exactly doing and what was not
>> working..
>>>> (sorry)
>>>>
>>>>> But on the Buster Samba DC this option does not exist and more, now
>>>>> Samba DC refuse to check the "primaryGroupID" value. My dirty trick
>>>>> does not works anymore. So il need to convert all my scripts to obtain
>>>>> the gidNumber.
>>>>>
>>>>> Here what id give on DC :
>>>>> # id testteacher6
>>>>> uid=4000007(FICHLAN\testteacher6) gid=5200001(FICHLAN\domain users)
>> groups=5200001(FICHLAN\domain
>> users),5000002(FICHLAN\teachers),5000000(FICHLAN\s4users),3000009(BUILTIN\users)
>>>>> Surprisingly it seems that winbind_nss put the group corresponding to
>>>>> the gidNumber just after the "Domain Users" group on the "id" comment.
>>>>> But I'm not sure this behavior is reliable. So may the Louis tricks
>>>>> can work ...
>>>>>
>>>> Hmm, so, i've tested a bit more, because if Rowland says something i
>> pay extra attention ;-).
>>>> I create a new user with ADUC. Note, i use Win7, so i have the Unix
>> tab. ;-)
>>>> - clean windows AD users.
>>>> id testuser
>>>> uid=3000338(BAZRTD\testuser) gid=10000(BAZRTD\domain users)
>> groups=10000(BAZRTD\domain
>> users),3000338(BAZRTD\testuser),3000009(BUILTIN\users)
>>>> net cache flush
>>>>
>>>> - Assigned a UID + Primary Group, shell.   ( testing Primary group :
>> testgroup )
>>>> id testuser
>>>> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users)
>> groups=10000(NTDOM\domain users),3000009(BUILTIN\users)
>>>> ? no primary group/GID as i did set.
>>>>
>>>> net cache flush
>>>>
>>>> - Going to Tab :  Member of group.
>>>> Added group testgroup
>>>> Selected it, and clicked on "Set Primary Group"
>>>> id testuser
>>>> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users)
>> groups=10000(NTDOM\domain
>> users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
>>>> ? no primary group/GID as i did set.
>>>>
>>>> - going back to unix tab
>>>> Now here, i also selected the "primary Group", but now same as above. (
>> testgroup )
>>>> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users)
>> groups=10000(NTDOM\domain
>> users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
>>>> and again, no primary group.
>>>>
>>>> So my conclusion.
>>>> View point, from Linux CLI.
>>>> The view point from windows GUI might differ, i did not test that.
>>>>
>>>>
>>>> Its always :
>>>> UID GID PRIMIARY_GROUP_GID with the output of 'id' as far i notice with
>> these checks.
>>>> !! DC !!
>>>> On the DC, a primay group is not respected as it should.
>>>> And primariy group is always "domain users"
>>>>
>>>>
>>>> !! MEMBER !!
>>>> On the members, keeping the settings as it was, and working back to no
>> uid/gid
>>>> id testuser
>>>> uid=10128(testuser) gid=10011(testgroup)
>> groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
>>>> Correct
>>>>
>>>> - going back to unix tab, selected "domain users"
>>>> id testuser
>>>> uid=10128(testuser) gid=10000(domain users) groups=10000(domain
>> users),10011(testgroup),2001(BUILTIN\users)
>>>> # unix primary is set to "domain users" and the Windows primary group
>> is set to testgroup.
>>>>
>>>> Switching UNIX primary group and windows primary group.
>>>> # unix primary is set to testgroup and the Windows primary group is set
>> to "domain users"
>>>> id testuser
>>>> uid=10128(testuser) gid=10011(testgroup)
>> groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
>>>> Correct
>>>>
>>>> All set to "domain users"
>>>> id testuser
>>>> uid=10128(testuser) gid=10000(domain users) groups=10000(domain
>> users),10011(testgroup),2001(BUILTIN\users)
>>>> Correct
>>>>
>>>> Remove the Unix attributed
>>>> id testuser
>>>> id: ‘testuser’: no such user
>>>>
>>>> I hope it can help you.
>>>>
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> Thank you very much Louis for your help !!!
>>>
>>> You have got exactly the same conclusion than me. On DC it's not
>>> possible to make winbind return the gid I want. And on members
>>> everything is coherent. (Note that the group corresponding to gid on
>>> DC seems to be always the first group displayed after Domain Users).
>>>
>>> And these uid/gid are used by the nfsv4 server to manage files. So if
>>> my nfsv4 server is on a DC :
>>> -> When on the member my testuser (uid=testuser, gid=teachers) create
>>> a file on the nfsv4 share
>>> -> The DC translate the user uid/gid and create a file owner by
>>> "testuser:domain users"
>>> -> If I check the file uid/gid from member I see "uid=testuser,
>> gid=domain user"
>>> So the "problem" is that, with the nfsv4 server on DC, when my users
>>> create files with uid=A/gid=B, the file is created with
>>> uid=A,gid=Domain Users.
>>>
>>> For years I found problematic this limitation about serve files on DC.
>>> How do to design your network Louis to get a member file server ?
>>> -> You use virtualization ?
>>> -> You use LXC ?
>>> -> You use two physical servers ?
>>>
>>> How OP do in general here ? Is there some tutorial about LXC setup for
>>> samba around here ? I have only one physical server....
>>>
>>> @Louis :
>>> It's seems that we are working you and me on network design for
>>> school/enterprise no ? If you are interested I try to publish my work
>>> now :
>>> https://github.com/prunkdump/sclustered
>>>
>>> Maybe we can works together or exchange some part of our design. If
>>> you have a virtual machine emulator you can get my setup running in
>>> less than 30 minutes (I use puppet for configuration). If you want
>>> some info contact me by email.
>>>
>>> Regards,
>>>
>>> Baptiste.
>>>
>> Hi Baptiste, whilst eating my dinner, I was browsing scluster again
>> (really think that's a bad name, but it is your project ;-) ) and I
>> found this in samba_conf.sh.erb:
>>
>> # add gid attribute to Domain Users #
>> echo "\
>> dn: CN=Domain Users,CN=Users,<%= @base_dn %>
>> changetype: modify
>> add:objectclass
>> objectclass: posixGroup
>> -
>> add: gidnumber
>> gidnumber: 100
>> " > /tmp/Domain_Users.ldif
>>
>> My first thoughts were: NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
>>
>> Why are you doing this ? You have just stopped the winbind 'ad' backend
>> working on a Unix domain member unless you set a stupidly low 'idmap
>> config DOMAIN' range start and if you do set it low so that domain users
>> are shown, you will either overwrite a lot of the Unix system users and
>> groups, or your domain users will not be shown.
>>
>> You also should not add the posixGroup objectclass, it isn't required.
>>
>> Sorry to sound so negative :-(
>>
>> Rowland
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
> No problem Louis !
>
> That’s the interest of open source projects. Everyone can review the code
> and search for mistakes.
>
> The gid=100 value for domain users is just an experiment. As there is no
> idmap range on DC this works on DC. And as gid=100 resolve on members this
> work on members to.
>
> But this is a bad idea you’re right. My now chosen value is 5100000 ( still
> not published as s4makeshareddir does not works anymore due to the gid
> problem on DC )
>
> For the name of the project I will search if I can find better ;)
>
> Don’t hesitate to check the puppet « pp » files. You will see that there
> are self explanatory. Puppet is a very good project. All my network
> configuration ( server, clients, printers etc ...) are stored in just one
> file. All the shares configuration and users are stored in AD. So I have
> just one file and one database to backup to save all my network
> configuration.
>
> Il have recently deployed this design in a high school with 4 DC and 550
> clients in just two days but with a file describing all the setup prepared
> before. Everything’s works with PXE and puppet ( unless the windows clients
> for installing the base system, I avoid windows as much as possible  ).
>
> It’s almost finished. I have just the solve this GID problem by adapting my
> shares rights.

OK, I will say this slowly and very loud:

USE    NSLCD    ON      THE      DC!

root at dc4:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000::/home/SAMDOM/users/rowland:/bin/bash

root at dc8:~# getent passwd rowland
rowland:*:10000:10010:Rowland Penny:/home/rowland:/bin/bash

The first is using the primaryGroupID, the second the users gidNumber.

Rowland

More information about the samba mailing list