[Samba] Samba 4.9 + winbind and 'domain users' gidNumber=513 problem
Rowland penny
rpenny at samba.org
Mon Nov 11 21:08:09 UTC 2019
On 11/11/2019 20:34, Alexander Kushnirenko wrote:
> Hi, Rowland!
> Thank you for your comments, everything worked out just fine.
>
> > Our plan now is to use 'domain group' = 10513, but we have very
> > little idea what problems it can lead to and it will upset a lot of
> > users if we do it wrong. So here are some questions:
> >
> > 1. Along with gidNumber=513 there is Windows internal
> > primaryGroupID=513 and ordinary users have both attributes set to
> > 513. Should we worry about that? Our users live in a mixed
> > environment and use both Linux and Windows resources.
> > 2. We hope that if we change Unix Attribute of 'domain users' to
> > 10513, then change all files ownerships from group 513 to group
> > 10513 in Linux world, then it will solve all our problems, but will
> > it?
>
> Should do, however you do not have to use 10513, the number just
> has to be inside the DOMAIN range you set in smb.conf, for instance I
> use '10000'
>
> getent group Domain\ Users
> domain users:x:10000:
>
> getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>
> The steps included:
> 1. Change UNIX attribute of domain user group to 10531 (in our case
> 10000 is occupied)
> 2. For every user change UNIX Primary group (gidNumber) to 10513 (Did
> not find an elegant way for doing that)
> 3. For every file in Unix world if it has GID=513 change it to GID=10513
>
> And that is it.
>
> The PrimaryGroupID of a user points to the RID of Domain Users,
> which is 513. Samba uses the PrimaryGroupID to identify the user's
> primary group and this means the group must have a gidNumber attribute.
>
> That I do not quite understand (PrimaryGroupID -> RID -> domainGroup
> SID -> domainGroup gidNumber) seems like a long path, as all users
> have (should have?) gidNumber.
>
The PrimaryGroupID is designed to be used by Windows, it sets the
object's primary group, a user's primary group is '513', a computer's is
'515'. These numbers come from the group's objectSID, which is composed
of the DOMAIN SID (S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz) and the
unique group RID (513 for Domain Users).
Samba uses the user's PrimaryGroupID for all Unix users unless:
A) you are using the winbind 'ad' backend on a Unix domain member
And
B) you are using Samba >= 4.6.0
And
C) You have 'idmap config DOMAIN : unix_primary_group = yes' set in smb.conf
And
D) the users have a gidNumber attribute containing the gidNumber of the
required group.
If all of the above is correct, then the user's GID will not be the
gidNumber set on Domain Users unless the user's gidNumber is for Domain
Users and if it is, then there is no point in doing the above, because
Samba would use the gidNumber for Domain Users without any of the above.
To put it another way, if you want all your Unix users to have Domain
Users as their Unix primary group (same as on Windows), then you do not
have to do any of the above.
Rowland
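As an added example (not code from the thread or from Samba), a small Python audit that applies the rule above: it reads the DOMAIN idmap settings from an smb.conf fragment and reports, for constructed sample users, which GID winbind would end up using and which gidNumbers fall outside the DOMAIN range (a gidNumber outside the range, such as 513 with a range starting at 10000, cannot be used). The smb.conf values, the domain name SAMDOM, the Samba version and the user records are all assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed smb.conf fragment for a Unix domain member (sample input).
SMB_CONF = """
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
   idmap config SAMDOM : unix_primary_group = yes
"""

# Constructed users: (name, gidNumber attribute in AD, or None if unset).
USERS = [("alice", 513), ("bob", 10513), ("carol", None), ("dave", 20000)]


def idmap_settings(conf: str, domain: str) -> Dict[str, str]:
    """Collect every 'idmap config DOMAIN : key = value' line for one domain."""
    pat = re.compile(r"^\s*idmap config\s+%s\s*:\s*(\w+)\s*=\s*(.+?)\s*$"
                     % re.escape(domain), re.I | re.M)
    return {k.lower(): v for k, v in pat.findall(conf)}


def in_range(gid: int, rng: str) -> bool:
    """True if gid lies inside a 'low-high' idmap range string."""
    lo, hi = (int(x) for x in rng.split("-"))
    return lo <= gid <= hi


def effective_gid(settings: Dict[str, str], version: Tuple[int, int, int],
                  user_gid: Optional[int], domain_users_gid: Optional[int]) -> Optional[int]:
    """Which GID winbind would use as the user's primary group.
    The user's own gidNumber wins only when the 'ad' backend, Samba >= 4.6.0,
    unix_primary_group = yes and a gidNumber on the user all hold; otherwise the
    group named by primaryGroupID (Domain Users) is used and it needs a gidNumber.
    Returns None when the resulting GID is missing or outside the DOMAIN range."""
    use_user_gid = (settings.get("backend", "").lower() == "ad"
                    and version >= (4, 6, 0)
                    and settings.get("unix_primary_group", "no").lower() == "yes"
                    and user_gid is not None)
    gid = user_gid if use_user_gid else domain_users_gid
    if gid is None or not in_range(gid, settings["range"]):
        return None
    return gid


def audit(users, settings, version, domain_users_gid) -> Dict[str, Optional[int]]:
    """Map each user name to its effective GID (None = unmappable)."""
    return {n: effective_gid(settings, version, g, domain_users_gid) for n, g in users}
```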