[Samba] Winbind group mapping

Rowland penny rpenny at samba.org
Wed Sep 4 12:31:52 UTC 2019


On 04/09/2019 12:49, Sören Busse via samba wrote:
> Hey there,
>
> currently I'm trying to map my users and groups using winbind on a 
> samba fileserver member server which is connected to a samba DC. Both 
> are running version 4.10.0 from the 19.04 ubuntu repository.
>
> Here's my Samba member server's smb.conf:
>
> [global]
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.DOMAIN:TLD
> log file = /var/log/samba/%m.log
> log level = 1
> server min protocol = SMB2
> bind interfaces only = yes
> interfaces = lo 10.42.6.2
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config SCHULE : backend = ad
> idmap config SCHULE : range = 100000-999999
> idmap config SCHULE : schema_mode = rfc2307
> idmap config SCHULE : unix_nss_info = no
> idmap config SCHULE : unix_primary_group = yes
> template shell = /bin/bash
> template homedir = /home/%U
> username map = /etc/samba/user.map
>
> [Share]
> comment = Share
> path = /share/Share
> read only = no
> store dos attributes = no
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
>
> I would like to match the normal Linux user and group behavior as much 
> as possible. 

Why ?

You are joining what is to all intents and purposes a Windows AD, so you 
really need to do things in a Windows way.

> Normally when creating a user you would create a group with the same 
> name and same id as the user,
Only on a Unix machine.
> which will result in an "id"-command output like this:
> uid=1000(soeren) gid=1000(soeren) Gruppen=1000(soeren)
>
> When I now add a user to my domain and set the uid and gid to the same 
> value e.g. 100 000 without creating a separate group with the gid 100 
> 000, the "id"-command output would look like this:
> uid=100000(soeren) gid=100000 Gruppen=100000
> So the ids are mapped correctly, but the gid is missing the name. This 
> is reasonable because winbind is looking for a group with the id 100 
> 000 but can't find any so the name can't be set.

You are using the winbind 'ad' backend, so have you added a unique 
uidNumber attribute to your users and a gidNumber attribute to Domain 
Users ?

If you have, you should get results like these:

getent passwd SAMDOM\\rowland
rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

getent group SAMDOM\\Domain\ Users
domain users:x:10000:

There appear to be problems with the 'unix_primary_group = yes' 
parameter, it doesn't work everywhere.

>
> The solution would be to simply create a group with the id 100 000. 
> However, you can't have the group use the same sAMAccountName as the 
> user, because it's only allowed to exist once. So I have to choose a 
> different group name with a well-known prefix like "group_soeren" for 
> any user groups (As far as I know the sAMAccountName of a group is 
> allowed to be longer than 20 characters, isn't it? This would allow 
> setting a prefix although the username might already be 20 characters long)

Do you really need a personal group for every user ?

Also, for backwards compatibility, sAMAccountName is limited to 20 characters.

We, here in England, have a saying 'When in Rome, do as the Romans do', 
this could be rewritten as 'When in Windows AD, do as Windows does' ;-)

Rowland
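The things Rowland asks about (a unique uidNumber on every user, a gidNumber on Domain Users, and an idmap setup that actually applies to the domain) can be checked before touching the member server. The script below is an added example, not code from the thread or from Samba. Both functions read stdin; the smb.conf and LDIF samples embedded at the bottom are constructed, and on a real host you would pipe in `testparm -s` and `ldbsearch` output instead. Two details it is built around: the posted config says `workgroup = SAMDOM` but `idmap config SCHULE`, and whether that is an anonymisation slip or a real mismatch, an `idmap config DOM` block whose domain name differs from the workgroup is ignored and those users fall into the `*` tdb range; and a user whose gidNumber matches no group's gidNumber is exactly what produces `gid=100000` with no name in the `id` output quoted above.

```shell
#!/bin/sh
# Offline checks for a Samba member server using the winbind 'ad' backend.
# Added example, not from the thread. Both functions read stdin, so on a real
# host feed them `testparm -s` output and an LDIF dump from ldbsearch; the
# samples at the bottom are constructed.

# smb.conf: every 'idmap config DOM' must name the workgroup (otherwise the
# block is ignored and users land in the '*' tdb range), and the '*' range must
# not overlap a domain range. Prints findings; returns 1 if any.
check_idmap_config() {
    awk '
    /^[ \t]*workgroup[ \t]*=/ {
        wg = $0; sub(/.*=/, "", wg); gsub(/[ \t]/, "", wg); wg = toupper(wg)
    }
    /^[ \t]*idmap config/ {
        line = $0; sub(/^[ \t]*idmap config[ \t]*/, "", line)
        split(line, kv, "=")        # kv[1] = "DOM : key", kv[2] = value
        split(kv[1], p, ":")
        dom = toupper(p[1]); key = p[2]; val = kv[2]
        gsub(/[ \t]/, "", dom); gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        doms[dom] = 1
        if (key == "range") range[dom] = val
    }
    END {
        rc = 0
        for (d in doms)
            if (d != "*" && d != wg) { printf("idmap config %s does not match workgroup %s\n", d, wg); rc = 1 }
        split(range["*"], def, "-")
        for (d in range) {
            if (d == "*") continue
            split(range[d], r, "-")
            if (def[1] + 0 <= r[2] + 0 && r[1] + 0 <= def[2] + 0) {
                printf("range %s for %s overlaps the * range %s\n", range[d], d, range["*"]); rc = 1
            }
        }
        exit rc
    }'
}

# LDIF of users and groups: reports users without uidNumber, duplicate
# uidNumbers, groups without gidNumber, and user primary gidNumbers that no
# group carries (the unnamed gid in the id output). Returns 1 if any finding.
check_rfc2307_attrs() {
    awk '
    function val(s) { sub(/^[^:]*:[ \t]*/, "", s); return s }
    function flush() {
        if (dn == "") return
        if (kind == "user") {
            if (uid == "") { printf("user %s has no uidNumber\n", sam); bad = 1 }
            else if (uid in seen) { printf("uidNumber %s used by %s and %s\n", uid, seen[uid], sam); bad = 1 }
            else seen[uid] = sam
            if (gid != "") ugid[sam] = gid
        } else if (kind == "group") {
            if (gid == "") { printf("group %s has no gidNumber\n", sam); bad = 1 }
            else ggid[gid] = sam
        }
        dn = ""; sam = ""; uid = ""; gid = ""; kind = ""
    }
    BEGIN { bad = 0 }
    /^dn:/                    { flush(); dn = val($0) }
    /^sAMAccountName:/        { sam = val($0) }
    /^uidNumber:/             { uid = val($0) }
    /^gidNumber:/             { gid = val($0) }
    /^objectClass: group$/    { kind = "group" }
    /^objectClass: user$/     { if (kind == "") kind = "user" }
    /^objectClass: computer$/ { kind = "computer" }   # machine accounts are objectClass user too
    END {
        flush()
        for (u in ugid)
            if (!(ugid[u] in ggid)) { printf("user %s: primary gidNumber %s matches no group\n", u, ugid[u]); bad = 1 }
        exit bad
    }'
}

# Constructed samples. SAMPLE_CONF_BAD mirrors the config in the thread.
SAMPLE_CONF_BAD='workgroup = SAMDOM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SCHULE : backend = ad
idmap config SCHULE : range = 100000-999999'
SAMPLE_CONF_GOOD='workgroup = SAMDOM
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config SAMDOM : backend = ad
idmap config SAMDOM : range = 100000-999999
idmap config SAMDOM : schema_mode = rfc2307'
# soeren: uid/gid 100000 but no group has gidNumber 100000; anna: no uidNumber;
# Domain Users: no gidNumber.
SAMPLE_LDIF_BAD='dn: CN=soeren,CN=Users,DC=samdom,DC=domain,DC=tld
objectClass: user
sAMAccountName: soeren
uidNumber: 100000
gidNumber: 100000

dn: CN=anna,CN=Users,DC=samdom,DC=domain,DC=tld
objectClass: user
sAMAccountName: anna

dn: CN=Domain Users,CN=Users,DC=samdom,DC=domain,DC=tld
objectClass: group
sAMAccountName: Domain Users'
SAMPLE_LDIF_GOOD='dn: CN=soeren,CN=Users,DC=samdom,DC=domain,DC=tld
objectClass: user
sAMAccountName: soeren
uidNumber: 100000
gidNumber: 10000

dn: CN=Domain Users,CN=Users,DC=samdom,DC=domain,DC=tld
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000'

run_demo() {
    echo '== smb.conf as posted ==';   printf '%s\n' "$SAMPLE_CONF_BAD"  | check_idmap_config  || true
    echo '== smb.conf corrected ==';   printf '%s\n' "$SAMPLE_CONF_GOOD" | check_idmap_config  && echo ok
    echo '== AD objects as posted =='; printf '%s\n' "$SAMPLE_LDIF_BAD"  | check_rfc2307_attrs || true
    echo '== AD objects fixed ==';     printf '%s\n' "$SAMPLE_LDIF_GOOD" | check_rfc2307_attrs && echo ok
}
run_demo
```

On a real member server the two checks are `testparm -s 2>/dev/null | check_idmap_config` and, against the DC, `ldbsearch -H ldap://dc.samdom.domain.tld -U administrator '(|(objectClass=user)(objectClass=group))' sAMAccountName objectClass uidNumber gidNumber | check_rfc2307_attrs` (hostname assumed). The second check deliberately skips computer objects, which are also objectClass user but should not carry uidNumber.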