[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group

Prunk Dump prunkdump at gmail.com
Thu Aug 22 07:25:02 UTC 2019


On Wed, 21 Aug 2019 at 17:04, Rowland penny via samba
<samba at lists.samba.org> wrote:
>
> On 21/08/2019 15:14, Prunk Dump via samba wrote:
> > On Wed, 21 Aug 2019 at 14:34, Rowland penny via samba <samba at lists.samba.org>
> > wrote:
> >
> >> On 21/08/2019 09:04, Prunk Dump via samba wrote:
> >>> On Tue, 20 Aug 2019 at 14:30, L.P.H. van Belle via samba
> >>> <samba at lists.samba.org> wrote:
> >>>> Hai,
> >>>>
> >>>>> In short. My network design previously worked with Debian Stretch
> >>>>> servers and clients and some Windows clients (not many).
> >>>>>
> >>>>> Debian Stretch uses Samba 4.5.16 so there is no unix_primary_group
> >>>>> option for the clients. So I have to use the "dirty" tweak of
> >>>>> modifying all my users' "primaryGroupID" to the corresponding
> >>>>> "gidNumber". Everything works well with my NFSv4 shares and Samba
> >>>>> shares. I did not notice anything wrong in either Linux or Windows
> >>>>> clients.
> >>>> ? Uhm, samba-tool does have the option to add uid/gids.
> >>>>
> >>>> I can recall our conversation years ago for jessie with nfsv4.
> >>>> These days setting up nfsv4 is easy.
> >>>> These days I have NFSv4 with sys,krb5,krb5i,krb5p working
> >>>> *example, ssh SSO logins and automounted krb5p and protected homedirs,
> >>>> which even root can not enter.
> >>>> I'll work this out in the howtos I'm updating/writing atm for Debian
> >>>> Buster.
> >>>> This might take some time, because it will be the full setup of how I'm
> >>>> running things.
> >>>> .. I might speed up a bit because I noticed the samba wiki has really
> >>>> improved a lot,
> >>>> so I might "borrow" some parts ;-).
> >>>>
> >>>> It might help, if you can explain exactly how your nfsv4 is set up now.
> >>>>
> >>>>> Now my network design will be upgraded to Debian Buster. I was happy
> >>>>> to see the appearance of the "unix_primary_group" option. I thought at
> >>>>> first that this would help me avoid the dirty trick.
> >>>>>
> >>>> I still don't understand what you're exactly doing and what was not
> >>>> working..
> >>>> (sorry)
> >>>>
> >>>>> But on the Buster Samba DC this option does not exist and, what's more,
> >>>>> the Samba DC now refuses to check the "primaryGroupID" value. My dirty
> >>>>> trick does not work anymore. So I need to convert all my scripts to
> >>>>> obtain the gidNumber.
> >>>>>
> >>>>> Here is what id gives on the DC:
> >>>>> # id testteacher6
> >>>>> uid=4000007(FICHLAN\testteacher6) gid=5200001(FICHLAN\domain users)
> >>>>> groups=5200001(FICHLAN\domain
> >>>>> users),5000002(FICHLAN\teachers),5000000(FICHLAN\s4users),3000009(BUILTIN\users)
> >>>>> Surprisingly it seems that winbind_nss puts the group corresponding to
> >>>>> the gidNumber just after the "Domain Users" group in the "id" output.
> >>>>> But I'm not sure this behavior is reliable. So maybe Louis's tricks
> >>>>> can work ...
> >>>>>
> >>>> Hmm, so, I've tested a bit more, because if Rowland says something I
> >>>> pay extra attention ;-).
> >>>> I created a new user with ADUC. Note, I use Win7, so I have the Unix
> >>>> tab. ;-)
> >>>> - clean windows AD users.
> >>>> id testuser
> >>>> uid=3000338(BAZRTD\testuser) gid=10000(BAZRTD\domain users)
> >> groups=10000(BAZRTD\domain
> >> users),3000338(BAZRTD\testuser),3000009(BUILTIN\users)
> >>>> net cache flush
> >>>>
> >>>> - Assigned a UID + Primary Group, shell.   ( testing Primary group :
> >> testgroup )
> >>>> id testuser
> >>>> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users)
> >> groups=10000(NTDOM\domain users),3000009(BUILTIN\users)
> >>>> ? no primary group/GID as I did set.
> >>>>
> >>>> net cache flush
> >>>>
> >>>> - Going to Tab :  Member of group.
> >>>> Added group testgroup
> >>>> Selected it, and clicked on "Set Primary Group"
> >>>> id testuser
> >>>> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users)
> >> groups=10000(NTDOM\domain
> >> users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
> >>>> ? no primary group/GID as I did set.
> >>>>
> >>>> - going back to unix tab
> >>>> Now here, i also selected the "primary Group", but now same as above. (
> >> testgroup )
> >>>> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users)
> >> groups=10000(NTDOM\domain
> >> users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
> >>>> and again, no primary group.
> >>>>
> >>>> So my conclusion.
> >>>> Viewpoint, from Linux CLI.
> >>>> The viewpoint from the Windows GUI might differ, I did not test that.
> >>>>
> >>>>
> >>>> It's always:
> >>>> UID GID PRIMARY_GROUP_GID with the output of 'id' as far as I notice with
> >>>> these checks.
> >>>> !! DC !!
> >>>> On the DC, a primary group is not respected as it should be.
> >>>> And the primary group is always "domain users"
> >>>>
> >>>>
> >>>> !! MEMBER !!
> >>>> On the members, keeping the settings as it was, and working back to no
> >> uid/gid
> >>>> id testuser
> >>>> uid=10128(testuser) gid=10011(testgroup)
> >> groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
> >>>> Correct
> >>>>
> >>>> - going back to unix tab, selected "domain users"
> >>>> id testuser
> >>>> uid=10128(testuser) gid=10000(domain users) groups=10000(domain
> >> users),10011(testgroup),2001(BUILTIN\users)
> >>>> # unix primary is set to "domain users" and the Windows primary group
> >> is set to testgroup.
> >>>>
> >>>> Switching UNIX primary group and windows primary group.
> >>>> # unix primary is set to testgroup and the Windows primary group is set
> >> to "domain users"
> >>>> id testuser
> >>>> uid=10128(testuser) gid=10011(testgroup)
> >> groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
> >>>> Correct
> >>>>
> >>>> All set to "domain users"
> >>>> id testuser
> >>>> uid=10128(testuser) gid=10000(domain users) groups=10000(domain
> >> users),10011(testgroup),2001(BUILTIN\users)
> >>>> Correct
> >>>>
> >>>> Remove the Unix attributes
> >>>> id testuser
> >>>> id: ‘testuser’: no such user
> >>>>
> >>>> I hope it can help you.
> >>>>
> >>>>
> >>>>
> >>>> Greetz,
> >>>>
> >>>> Louis
> >>>>
> >>>>
> >>>> --
> >>>> To unsubscribe from this list go to the following URL and read the
> >>>> instructions:  https://lists.samba.org/mailman/options/samba
> >>> Thank you very much Louis for your help !!!
> >>>
> >>> You have got exactly the same conclusion as me. On the DC it's not
> >>> possible to make winbind return the gid I want. And on members
> >>> everything is coherent. (Note that the group corresponding to the gid on
> >>> the DC seems to always be the first group displayed after Domain Users).
> >>>
> >>> And these uid/gid are used by the nfsv4 server to manage files. So if
> >>> my nfsv4 server is on a DC:
> >>> -> When on the member my testuser (uid=testuser, gid=teachers) creates
> >>> a file on the nfsv4 share
> >>> -> The DC translates the user uid/gid and creates a file owned by
> >>> "testuser:domain users"
> >>> -> If I check the file uid/gid from the member I see "uid=testuser,
> >>> gid=domain users"
> >>> So the "problem" is that, with the nfsv4 server on the DC, when my users
> >>> create files with uid=A/gid=B, the file is created with
> >>> uid=A,gid=Domain Users.
> >>>
> >>> For years I have found this limitation about serving files on a DC problematic.
> >>> How do you design your network, Louis, to get a member file server?
> >>> -> You use virtualization?
> >>> -> You use LXC?
> >>> -> You use two physical servers?
> >>>
> >>> How OP do in general here ? Is there some tutorial about LXC setup for
> >>> samba around here ? I have only one physical server....
> >>>
> >>> @Louis :
> >>> It seems that you and I are both working on network design for
> >>> school/enterprise, no? If you are interested I try to publish my work
> >>> now:
> >>> https://github.com/prunkdump/sclustered
> >>>
> >>> Maybe we can work together or exchange some parts of our design. If
> >>> you have a virtual machine emulator you can get my setup running in
> >>> less than 30 minutes (I use puppet for configuration). If you want
> >>> some info contact me by email.
> >>>
> >>> Regards,
> >>>
> >>> Baptiste.
> >>>
> >> Hi Baptiste, whilst eating my dinner, I was browsing scluster again
> >> (really think that's a bad name, but it is your project ;-) ) and I
> >> found this in samba_conf.sh.erb:
> >>
> >> # add gid attribute to Domain Users #
> >> echo "\
> >> dn: CN=Domain Users,CN=Users,<%= @base_dn %>
> >> changetype: modify
> >> add:objectclass
> >> objectclass: posixGroup
> >> -
> >> add: gidnumber
> >> gidnumber: 100
> >> " > /tmp/Domain_Users.ldif
> >>
> >> My first thoughts were: NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
> >>
> >> Why are you doing this ? You have just stopped the winbind 'ad' backend
> >> working on a Unix domain member unless you set a stupidly low 'idmap
> >> config DOMAIN' range start and if you do set it low so that domain users
> >> are shown, you will either overwrite a lot of the Unix system users and
> >> groups, or your domain users will not be shown.
> >>
> >> You also should not add the posixGroup objectclass, it isn't required.
> >>
> >> Sorry to sound so negative :-(
> >>
> >> Rowland
> >>
> >>
> >>
> >
> > No problem Louis !
> >
> > That's the interest of open source projects. Everyone can review the code
> > and search for mistakes.
> >
> > The gid=100 value for domain users is just an experiment. As there is no
> > idmap range on the DC this works on the DC. And as gid=100 resolves on members
> > this works on members too.
> >
> > But this is a bad idea, you're right. My now chosen value is 5100000 (still
> > not published as s4makeshareddir does not work anymore due to the gid
> > problem on the DC)
> >
> > For the name of the project I will search if I can find better ;)
> >
> > Don't hesitate to check the puppet « pp » files. You will see that they
> > are self-explanatory. Puppet is a very good project. All my network
> > configuration ( server, clients, printers etc ...) are stored in just one
> > file. All the shares configuration and users are stored in AD. So I have
> > just one file and one database to backup to save all my network
> > configuration.
> >
> > I have recently deployed this design in a high school with 4 DCs and 550
> > clients in just two days, but with a file describing all the setup prepared
> > before. Everything works with PXE and puppet (except the Windows clients
> > for installing the base system, I avoid Windows as much as possible).
> >
> > It's almost finished. I just have to solve this GID problem by adapting my
> > share rights.
>
> OK, I will say this slowly and very loud:
>
> USE    NSLCD    ON      THE      DC!
>
> root at dc4:~# getent passwd rowland
> SAMDOM\rowland:*:10000:10000::/home/SAMDOM/users/rowland:/bin/bash
>
> root at dc8:~# getent passwd rowland
> rowland:*:10000:10010:Rowland Penny:/home/rowland:/bin/bash
>
> The first is using the primaryGroupID, the second the user's gidNumber.
>
> Rowland
>
>
>

Thank you very much Rowland !

I will give Nslcd a try. But this will make me use a totally new
service. I need to make all the tests needed before deploying it. For
example it will not resolve my computer accounts where I don't assign
uid/gid numbers. I let samba do it for me with local IDs. May be
problematic (or not).

Thanks !

Baptiste.
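Rowland's objection to the `gidnumber: 100` LDIF is a range problem: on a Unix domain member with the winbind `ad` backend, an object whose uidNumber/gidNumber lies outside `idmap config DOMAIN : range` is simply not mapped, and a value low enough to fall inside a range that starts at 100 collides with local system accounts. The check below is an added example written for this thread; it is not code from the mailing list or from the sclustered project. It parses an smb.conf fragment for idmap ranges, parses the id attributes out of a modify LDIF, and reports values that are outside the member range or that shadow an entry in /etc/passwd or /etc/group. The smb.conf fragment (domain FICHLAN with an assumed range of 5000000-5999999), the /etc/passwd and /etc/group excerpts, and the `DC=EXAMPLE,DC=LOCAL` base DN standing in for the Puppet `<%= @base_dn %>` template are all constructed; the LDIF omits the posixGroup objectclass, as Rowland notes it is not required.

```python
"""Check uidNumber/gidNumber values in a modify LDIF against the winbind
'ad' backend idmap range of a domain member and against local ids."""
import re
from typing import Dict, List, Tuple

# Constructed smb.conf fragment for a Unix domain member. The domain name
# comes from the thread; the 5000000-5999999 range is an assumption.
SMB_CONF = """
[global]
   security = ADS
   workgroup = FICHLAN
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config FICHLAN : backend = ad
   idmap config FICHLAN : schema_mode = rfc2307
   idmap config FICHLAN : range = 5000000-5999999
"""

# Constructed /etc/passwd and /etc/group excerpts with typical Debian ids.
ETC_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
              "nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n")
ETC_GROUP = "root:x:0:\nusers:x:100:\nsambashare:x:120:\n"

# The modify LDIF from the thread with a placeholder base DN (constructed)
# and without the posixGroup objectclass that Rowland says is unnecessary.
LDIF_GID_100 = """dn: CN=Domain Users,CN=Users,DC=EXAMPLE,DC=LOCAL
changetype: modify
add: gidNumber
gidNumber: 100
"""
# Same change with the value Baptiste says he now uses instead.
LDIF_GID_5100000 = LDIF_GID_100.replace("gidNumber: 100", "gidNumber: 5100000")


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Map each 'idmap config DOMAIN : range = LOW-HIGH' line to (LOW, HIGH)."""
    pattern = re.compile(
        r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)",
        re.IGNORECASE | re.MULTILINE,
    )
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in pattern.finditer(conf)}


def parse_local_ids(text: str) -> Dict[int, str]:
    """Map the numeric id (third field of passwd/group lines) to its name."""
    ids: Dict[int, str] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids


def ldif_id_attributes(ldif: str) -> List[Tuple[str, str, int]]:
    """Return (dn, attribute, value) for every uidNumber/gidNumber value line."""
    found: List[Tuple[str, str, int]] = []
    dn = None
    for line in ldif.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            continue
        m = re.match(r"^(uidNumber|gidNumber):\s*(\d+)\s*$", line, re.IGNORECASE)
        if m and dn is not None:
            found.append((dn, m.group(1).lower(), int(m.group(2))))
    return found


def check_ldif(ldif: str, domain: str, conf: str = SMB_CONF,
               passwd: str = ETC_PASSWD, group: str = ETC_GROUP) -> List[str]:
    """One message per id value the 'ad' backend would not map on a member
    (outside the domain range) or that shadows a local passwd/group id."""
    ranges = parse_idmap_ranges(conf)
    if domain.upper() not in ranges:
        return [f"no 'idmap config {domain} : range' found in smb.conf"]
    low, high = ranges[domain.upper()]
    local = {"uidnumber": parse_local_ids(passwd), "gidnumber": parse_local_ids(group)}
    source = {"uidnumber": "/etc/passwd", "gidnumber": "/etc/group"}
    problems: List[str] = []
    for dn, attr, value in ldif_id_attributes(ldif):
        if not low <= value <= high:
            problems.append(f"{dn}: {attr}={value} outside idmap range {low}-{high}; "
                            "winbind 'ad' backend on members will not map this object")
        if value in local[attr]:
            problems.append(f"{dn}: {attr}={value} collides with local "
                            f"'{local[attr][value]}' ({source[attr]})")
    return problems


if __name__ == "__main__":
    for label, ldif in (("gidNumber 100", LDIF_GID_100),
                        ("gidNumber 5100000", LDIF_GID_5100000)):
        result = check_ldif(ldif, "FICHLAN")
        print(f"{label}: {'OK' if not result else 'PROBLEMS'}")
        for item in result:
            print("   ", item)
```

Run against a real member, replace the constructed strings with the output of `testparm -s` and the contents of the local /etc/passwd and /etc/group; the DC itself is not range-bound, which is exactly why the gid=100 experiment appeared to work there and only failed on members.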


