[Samba] Samba 4.9 + winbind and 'domain users' gidNumber=513 problem

Rowland penny rpenny at samba.org
Mon Nov 11 21:08:09 UTC 2019

On 11/11/2019 20:34, Alexander Kushnirenko wrote:
> Hi, Rowland!
> Thank you for your comments, everything worked out just fine.
>
>     > Our plan now is to use 'domain group' = 10513, but we have very
>     > little idea what problems it can lead to and it will upset a lot
>     > of users if we do it wrong.  So here are some questions:
>     >
>     > 1. Along with gidNumber=513 there is Windows internal
>     > primaryGroupID=513 and ordinary users have both attributes set to
>     > 513. Should we worry about that?  Our users live in a mixed
>     > environment and use both Linux and Windows resources.
>     > 2. We hope that if we change the Unix Attribute of 'domain users'
>     > to 10513, then change all file ownerships from group 513 to group
>     > 10513 in the Linux world, then it will solve all our problems, but
>     > will it?
>
>     Should do, however you do not have to use 10513, the number just
>     has to be inside the DOMAIN range you set in smb.conf, for
>     instance I use '10000'
>
>     getent group Domain\ Users
>     domain users:x:10000:
>     getent passwd rowland
>     rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> The steps included:
> 1. Change UNIX attribute of domain user group to 10531 (in our case
> 10000 is occupied)
> 2. For every user change UNIX Primary group (gidNumber) to 10513 (Did
> not find an elegant way for doing that)
> 3. For every file in the Unix world, if it has GID=513 change it to GID=10513
> And that is it.
>
>     The PrimaryGroupID of a user points to the RID of Domain Users,
>     which is 513. Samba uses the PrimaryGroupID to identify the user's
>     primary group and this means the group must have a gidNumber
>     attribute.
>
> That I do not quite understand (PrimaryGroupID -> RID -> domainGroup
> SID -> domainGroup gidNumber) seems like a long path, as all users
> have (should have?) gidNumber.
The PrimaryGroupID is designed to be used by Windows, it sets the 
object's primary group: a user's primary group is '513', a computer's is 
'515'. These numbers come from the group's objectSID, which is composed 
of the DOMAIN SID (S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz) and the 
unique group RID (513 for Domain Users).

Samba uses the user's PrimaryGroupID for all Unix users unless:

A) you are using the winbind 'ad' backend on a Unix domain member

B) you are using Samba >= 4.6.0

C) you have 'idmap config DOMAIN : unix_primary_group = yes' set in smb.conf

D) the users have a gidNumber attribute containing the gidNumber of the 
required group.

If all of the above is correct, then the user's GID will not be the 
gidNumber set in Domain Users unless the user's gidNumber is for Domain 
Users, and if it is, then there is no point in doing the above, because 
Samba would use the gidNumber for Domain Users without any of the above. 
To put it another way, if you want all your Unix users to have Domain 
Users as their Unix primary group (same as on Windows), then you do not 
have to do any of the above.
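As an added illustration (not code from the thread or from the Samba project), the script below models the primary-group rule Rowland describes for a Unix domain member running winbind with the 'ad' backend, and generates the artefacts the three migration steps need: an LDIF to set gidNumber on the group and on each user (for ldbmodify or ldapmodify), and the find/chgrp command for the files. The smb.conf fragment in the comment, the domain name SAMDOM, the DNs, the paths and the RID-to-gidNumber table are all assumptions made up for the example; the rule is simplified (it does not model uidNumber visibility or the idmap range check).

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project. Constructed data
# throughout; the group table and DNs are placeholders.

# smb.conf fragment this example assumes for the domain member (assumption):
#   [global]
#       idmap config * : backend = tdb
#       idmap config * : range = 3000-7999
#       idmap config SAMDOM : backend = ad
#       idmap config SAMDOM : schema_mode = rfc2307
#       idmap config SAMDOM : range = 10000-999999
#       idmap config SAMDOM : unix_primary_group = yes

# Constructed group table: "RID:gidNumber"; an empty gidNumber means the
# attribute is not set on that group (the 513 problem in the thread).
GROUPS_TABLE="513:10513
515:
1105:10005"

# gid_of_rid RID -> gidNumber of the group with that RID, or "" if unset.
gid_of_rid() {
    printf '%s\n' "$GROUPS_TABLE" | awk -F: -v rid="$1" '$1 == rid { print $2 }'
}

# primary_gid UNIX_PRIMARY_GROUP USER_GIDNUMBER PRIMARYGROUPID
# With unix_primary_group=yes and a gidNumber on the user, the user's own
# gidNumber wins. Otherwise winbind follows primaryGroupID to the group RID,
# and that group must carry a gidNumber or the user gets no Unix primary group.
primary_gid() {
    upg="$1"; user_gid="$2"; pgid="$3"
    if [ "$upg" = "yes" ] && [ -n "$user_gid" ]; then
        printf '%s\n' "$user_gid"
        return 0
    fi
    gid="$(gid_of_rid "$pgid")"
    if [ -z "$gid" ]; then
        echo "group RID $pgid has no gidNumber; no Unix primary group for user" >&2
        return 1
    fi
    printf '%s\n' "$gid"
}

# ldif_set_gidnumber DN GID -> LDIF that replaces gidNumber on one object
# (steps 1 and 2 of the migration; feed it to ldbmodify or ldapmodify).
ldif_set_gidnumber() {
    printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n' "$1" "$2"
}

# chgrp_plan OLDGID NEWGID ROOT -> the find command for step 3, printed rather
# than executed so it can be reviewed before running it as root.
chgrp_plan() {
    printf 'find %s -xdev -gid %s -exec chgrp -h %s {} +\n' "$3" "$1" "$2"
}

# Demonstration with the constructed data.
primary_gid yes 10513 513          # user's own gidNumber
primary_gid no "" 513              # resolved via Domain Users' gidNumber
primary_gid no "" 515 || true      # RID 515 has no gidNumber: error on stderr
ldif_set_gidnumber 'CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com' 10513
ldif_set_gidnumber 'CN=alice,CN=Users,DC=samdom,DC=example,DC=com' 10513
chgrp_plan 513 10513 /srv/shares
```

The LDIF can be applied on a DC with `ldbmodify -H /var/lib/samba/private/sam.ldb file.ldif` or remotely with `ldapmodify`; run the printed find command only after checking that no other group on the box already uses the target GID.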

