[Samba] idmap backend ad well-known-sids 512 & 513

Rowland Penny rpenny at samba.org
Wed Feb 13 16:57:58 UTC 2019


On Wed, 13 Feb 2019 17:26:05 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> In addition to Rowland's. 
> 
> And be aware that there is a bug in 
> 
> unix_primary_group = 
> You only see 10000 or Domain Users. 
> If you change the primary group to something else, it stays
> 10000/Domain Users. 
> 
> See: 
> default group always set to "Domain Users" not evaluating
> PrimaryGroupID ldap attribute
> https://bugzilla.samba.org/show_bug.cgi?id=13371 
> 
> 
> And 
> You know that you have to set the UIDs/GIDs yourself? 
> https://wiki.samba.org/index.php/User_and_group_management
> 
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC 
> 
> 
> Greetz, 
> 
> Louis
> 
> 

This isn't, in my opinion, a bug ;-)

Let's start with a Unix domain member that has 'unix_primary_group = yes'
set:

rowland at devstation:~/mate$ getent passwd usertest
usertest:*:10007:10001:User Test:/dev/null:/bin/bash

Here we can see that user 'usertest' has the group ID '10001'; this is
the ID for a Unix group stored in AD.

Now we will go to a DC:

root at dc4:~# getent passwd usertest
SAMDOM\usertest:*:10007:10000::/home/usertest:/bin/bash

The group ID is now '10000', and this is the gidNumber for 'Domain Users'.

Finally, a Unix domain member using the 'rid' backend

adminuser at Computer4:~$ getent passwd usertest
usertest:*:11112:10513::/home/usertest:/bin/bash

The group ID is now '10513'; this is the RID for 'Domain Users' plus
the low range set in smb.conf, which is '10000'.

So, one user, three group IDs.

So, why do I not think it is a bug ?

If somebody logs into 'devstation' and has a gidNumber, they will get
the Unix primary group.

If somebody connects to a share, they are either connecting from a
Windows machine or a Samba machine that is 'simulating' a Windows
machine. In this case, Windows expects the user's primary group to be
Domain Users.

In my opinion, you either never use the same username from a Windows
machine and Unix machines, or you always use 'Domain Users' as the
user's primary group.

Rowland
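The arithmetic behind the third case above (the 'rid' idmap backend, where 'Domain Users' RID 513 becomes gid 10513 and the user's RID 1112 becomes uid 11112) as an added example. This is not code from the post or from Samba; the domain SID and the idmap range are constructed for illustration, and the example also shows the two failure modes a practitioner should expect from the rid backend: a SID from another domain (for example a BUILTIN SID) is not mapped at all, and a RID that would push the ID past the configured high range is rejected rather than silently wrapped.

```python
import re

# Constructed values mirroring a typical smb.conf 'rid' backend block
# (not taken from the original post):
#   idmap config SAMDOM : backend = rid
#   idmap config SAMDOM : range = 10000-999999
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed, not a real domain
RID_RANGE = (10000, 999999)

# Well-known domain RIDs mentioned in the thread subject.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}

_SID_RE = re.compile(r"^S-1-(?:\d+)(?:-\d+)+$")


def rid_from_sid(sid, domain_sid=DOMAIN_SID):
    """Return the RID of a SID that belongs to domain_sid, else None.

    A SID from any other domain (e.g. S-1-5-32-544, BUILTIN\\Administrators)
    cannot be mapped by a per-domain rid backend and is reported as unmapped.
    """
    if not _SID_RE.match(sid):
        return None
    prefix, _, rid = sid.rpartition("-")
    if prefix != domain_sid:
        return None
    return int(rid)


def rid_to_unix_id(rid, id_range=RID_RANGE):
    """idmap_rid mapping: unix id = low range + RID.

    winbind refuses IDs that fall outside the configured range, so a RID that
    is too large for the range stays unmapped instead of wrapping or colliding.
    """
    low, high = id_range
    unix_id = low + rid
    if unix_id > high:
        return None
    return unix_id


def sid_to_unix_id(sid, domain_sid=DOMAIN_SID, id_range=RID_RANGE):
    """Full SID -> uid/gid lookup as the rid backend would resolve it."""
    rid = rid_from_sid(sid, domain_sid)
    if rid is None:
        return None
    return rid_to_unix_id(rid, id_range)


def unix_id_to_rid(unix_id, id_range=RID_RANGE):
    """Reverse lookup (uid/gid -> RID); None when the id is not in our range."""
    low, high = id_range
    if not (low <= unix_id <= high):
        return None
    return unix_id - low


if __name__ == "__main__":
    for rid in (512, 513, 1112):
        sid = f"{DOMAIN_SID}-{rid}"
        name = WELL_KNOWN_RIDS.get(rid, "usertest")
        print(f"{name:14} {sid} -> {sid_to_unix_id(sid)}")
    print("BUILTIN\\Administrators S-1-5-32-544 ->", sid_to_unix_id("S-1-5-32-544"))
```

The same user therefore shows gid 10513 on a 'rid' member, while an 'ad' backend member with 'unix_primary_group = yes' returns the gidNumber stored in AD, and a DC returns the gidNumber of 'Domain Users'; nothing in the rid arithmetic consults the AD attributes at all.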