[Samba] setting up a new ADS infrastructure

Rowland penny rpenny at samba.org
Thu Jun 13 19:10:01 UTC 2019

On 13/06/2019 19:57, Stefan Froehlich via samba wrote:
> On Thu, Jun 13, 2019 at 07:02:27PM +0100, Rowland penny via samba wrote:
>> On 13/06/2019 18:21, Stefan Froehlich via samba wrote:
>>> File server and Linux clients shall use the AD-backend, so I read
>>> and followed <https://wiki.samba.org/index.php/Idmap_config_ad>.
>>> There it says:
>>> "Whichever setting you use, the group (or groups) set as the users
>>> primary group must have the gidNumber attribute set"
>> I thought that was plain enough, but obviously not ;-)
> Yes and no.
I will try and make it more obvious.
>> All domain users are members of the 'Domain Users' group as their
>> primary group and to make the group known to the Unix OS it must
>> have a gidNumber attribute. Also winbind relies on the group being
>> known to the Unix OS, if it isn't, then (whatever you do), no
>> users will be known to the Unix OS.  There are very few domain
>> users and groups that need to be known to Unix.
> I did understand this (some parts were really obvious, some parts
> only after browsing through the docs). What I did not get was that
> besides the various config files and control programs like
> samba-tool and net you need to dig into the LDAP database to set the
> gid for "domain users" (at least I have basic knowledge about LDAP,
> but I did not need this for the last 20 yrs). There are:
> $ samba-tool user add --gid-number --uid-number
> $ samba-tool group add --gid-number
> ...so I was looking for a corresponding option of "samba-tool domain
> provision" or for something named like "samba-tool group modify".
No, there isn't, I am afraid.
>> It used to be easy from Windows using the Unix Attributes tab in
>> ADUC, but this has been removed from Windows 10.
>> The easiest way is to script around ldb-tools or ldap-utils.
> Windows is no option anyway, I only have ssh access and do all the
> stuff from remote. But ldbedit did the trick, thanks a lot.
> And - heureka! - now it does:
> | root at fileserver:~# wbinfo -i test
> | test:*:10001:10000::/home/test:/bin/bash
> So for the moment I can continue - let's see if anything else comes
> up.

It already might have ;-)

wbinfo reads directly from AD, but that doesn't mean that the OS knows your 
users & groups; does 'getent passwd test' produce the same output?
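Added example (not part of the thread, nor Samba project code) showing the two things discussed above as a small script: the LDIF that sets gidNumber on 'Domain Users' for ldbmodify, and a check that a user resolves identically through wbinfo and getent and that the primary gid resolves to a group. The base DN DC=example,DC=com, the gid 10000, the sam.ldb path and the function names are assumptions.

```shell
#!/bin/sh
# Added example; assumes a Samba AD DC with ldb-tools installed.
# Base DN, gid value and SAM_LDB path below are placeholders/assumptions.
set -eu

# Build the LDIF that gives 'Domain Users' a gidNumber (what ldbedit did by hand).
domain_users_ldif() {
    base_dn="$1"
    gid="$2"
    printf 'dn: CN=Domain Users,CN=Users,%s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n' \
        "$base_dn" "$gid"
}

# Apply the LDIF with ldbmodify against the DC's sam.ldb (path assumed; override via SAM_LDB).
apply_domain_users_gid() {
    domain_users_ldif "$1" "$2" | ldbmodify -H "${SAM_LDB:-/var/lib/samba/private/sam.ldb}"
}

# Compare two passwd-style lines (name:pw:uid:gid:gecos:home:shell) on the fields
# that matter: name, uid, gid, home, shell. The password field is ignored because
# wbinfo and NSS may print it differently ('*' vs 'x').
passwd_lines_agree() {
    a=$(printf '%s' "$1" | cut -d: -f1,3,4,6,7)
    b=$(printf '%s' "$2" | cut -d: -f1,3,4,6,7)
    [ "$a" = "$b" ]
}

# Full check for one user: wbinfo (reads AD) and getent (asks the OS via NSS) must
# agree, and the primary gid must be a group the OS can resolve.
check_user() {
    user="$1"
    w=$(wbinfo -i "$user") || { echo "wbinfo cannot resolve $user"; return 1; }
    g=$(getent passwd "$user") || { echo "OS does not know $user (check nsswitch.conf and idmap config)"; return 1; }
    passwd_lines_agree "$w" "$g" || { echo "wbinfo and getent disagree for $user"; return 1; }
    gid=$(printf '%s' "$g" | cut -d: -f4)
    getent group "$gid" >/dev/null || { echo "primary gid $gid not resolvable: set gidNumber on the group"; return 1; }
    echo "$user OK (uid/gid resolve via NSS)"
}

# Usage: sh check_ad_user.sh test
if [ "$#" -gt 0 ]; then
    check_user "$1"
fi
```

The comparison deliberately skips the password field, since wbinfo prints '*' while an NSS lookup may print something else; the remaining fields must match exactly or winbind and the OS are not seeing the same mapping.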

