[Samba] Winbind group mapping
rpenny at samba.org
Wed Sep 4 12:31:52 UTC 2019
On 04/09/2019 12:49, Sören Busse via samba wrote:
> Hey there,
> currently I'm trying to map my users and groups using winbind on a
> samba fileserver member server which is connected to a samba DC. Both
> are running version 4.10.0 from the 19.04 ubuntu repository.
> Here's my samba member servers smb.conf:
> security = ADS
> workgroup = SAMDOM
> realm = SAMDOM.DOMAIN:TLD
> log file = /var/log/samba/%m.log
> log level = 1
> server min protocol = SMB2
> bind interfaces only = yes
> interfaces = lo 10.42.6.2
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config SCHULE : backend = ad
> idmap config SCHULE : range = 100000-999999
> idmap config SCHULE : schema_mode = rfc2307
> idmap config SCHULE : unix_nss_info = no
> idmap config SCHULE : unix_primary_group = yes
> template shell = /bin/bash
> template homedir = /home/%U
> username map = /etc/samba/user.map
> comment = Share
> path = /share/Share
> read only = no
> store dos attributes = no
> create mask = 0660
> force create mode = 0660
> directory mask = 0770
> force directory mode = 0770
> I would like to match the normal Linux user and group behavior as much
> as possible.
You are joining what is to all intents and purposes a Windows AD, so you
really need to do things in a Windows way.
> Normally when creating a user you would create a group with the same
> name and same id as the user,
Only on a Unix machine.
> which will result in an "id"-command output like this:
> uid=1000(soeren) gid=1000(soeren) Gruppen=1000(soeren)
> When I now add a user to my domain and set the uid and gid to the same
> value, e.g. 100 000, without creating a separate group with the gid 100
> 000, the "id"-command output would look like this:
> uid=100000(soeren) gid=100000 Gruppen=100000
> So the IDs are mapped correctly, but the gid is missing the name. This
> is reasonable because winbind is looking for a group with the id 100
> 000 but can't find any, so the name can't be set.
You are using the winbind 'ad' backend, so have you added a unique
uidNumber attribute to your users and a gidNumber attribute to Domain
If you have, you should get results like these:
getent passwd SAMDOM\\rowland
getent group SAMDOM\\Domain\ Users
There appears to be problems with the 'unix_primary_group = yes'
parameter, it doesn't work everywhere.
> The solution would be to simply create a group with the id 100 000.
> However, you can't have the group use the same sAMAccountName as the
> user, because it's only allowed to exist once. So I have to choose a
> different group name with a well-known prefix like "group_soeren" for
> any user groups (as far as I know the sAMAccountName of the group is
> allowed to be longer than 20 characters, isn't it? This would allow
> setting a prefix although the username might already be 20 characters long).
Do you really need a personal group for every user ?
Also, for backwards compatibility, sAMAccountName is limited to 20 characters.
We, here in England, have a saying 'When in Rome, do as the Romans do',
this could be rewritten as 'When in Windows AD, do as Windows does' ;-)
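A consistency check for the mapping this exchange is about, added here as an example; it is not code from the Samba project or from either poster. It parses the `idmap config DOMAIN : range` lines of an smb.conf and the `getent passwd` / `getent group` output winbind produces on the member server, and reports exactly the problems raised above: a user whose primary gidNumber matches no group (so `id` prints a bare number), uidNumber or gidNumber values outside the domain's idmap range, non-unique uidNumbers, and account names over the 20-character sAMAccountName limit. The smb.conf fragment, the realm `SAMDOM.EXAMPLE.COM` and the getent lines embedded in it are constructed sample data modelled on the thread (with the domain written consistently as SAMDOM); the `--live` switch, the `audit()` function and its output wording are this example's own.

```python
"""
Audit winbind 'ad'-backend id mappings for the symptoms discussed in the thread.

Added example, not Samba project code. SMB_CONF, PASSWD and GROUP below are
constructed sample data; run with `--live SAMDOM` on a real member server to
read /etc/samba/smb.conf and query getent instead.
"""
import re
import subprocess
import sys
from collections import Counter

# Constructed smb.conf fragment (realm made up for this example).
SMB_CONF = """\
[global]
   security = ADS
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 100000-999999
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : unix_primary_group = yes
"""

# Constructed getent output (winbind use default domain = no, separator '\').
# soeren reproduces the thread's symptom: gidNumber 100000 has no group.
PASSWD = """\
SAMDOM\\soeren:*:100000:100000::/home/soeren:/bin/bash
SAMDOM\\rowland:*:100001:100513::/home/rowland:/bin/bash
SAMDOM\\alice:*:100001:100513::/home/alice:/bin/bash
SAMDOM\\bob:*:5000:100513::/home/bob:/bin/bash
"""
GROUP = """\
SAMDOM\\domain users:x:100513:
SAMDOM\\group_alice:x:100100:SAMDOM\\alice
"""

RANGE_RE = re.compile(
    r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.IGNORECASE)


def parse_ranges(conf):
    """Map each idmap domain (including '*') to its (low, high) range."""
    return {m.group(1): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}


def parse_passwd(text):
    """passwd-format lines -> list of {name, uid, gid}."""
    out = []
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            out.append({"name": f[0], "uid": int(f[2]), "gid": int(f[3])})
    return out


def parse_group(text):
    """group-format lines -> {gid: name}."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            groups[int(f[2])] = f[0]
    return groups


def audit(domain, conf, passwd_text, group_text, sep="\\"):
    """Return a list of findings for DOMAIN\\ entries (empty list = clean)."""
    low, high = parse_ranges(conf)[domain]
    prefix = (domain + sep).lower()               # only look at domain objects
    users = [u for u in parse_passwd(passwd_text) if u["name"].lower().startswith(prefix)]
    groups = {g: n for g, n in parse_group(group_text).items()
              if n.lower().startswith(prefix)}
    uid_count = Counter(u["uid"] for u in users)
    findings = []
    for u in users:
        name, uid, gid = u["name"], u["uid"], u["gid"]
        short = name.split(sep, 1)[-1]            # strip the DOMAIN\ prefix
        if not low <= uid <= high:
            findings.append(f"{name}: uidNumber {uid} outside {domain} range {low}-{high}")
        if uid_count[uid] > 1:
            findings.append(f"{name}: uidNumber {uid} is not unique")
        if gid not in groups:
            findings.append(f"{name}: primary gidNumber {gid} matches no group "
                            "(id will print a bare number)")
        elif not low <= gid <= high:
            findings.append(f"{name}: primary group {groups[gid]} gidNumber {gid} "
                            f"outside {domain} range {low}-{high}")
        if len(short) > 20:
            findings.append(f"{name}: account name longer than 20 characters")
    for gname in groups.values():
        if len(gname.split(sep, 1)[-1]) > 20:
            findings.append(f"{gname}: group name longer than 20 characters")
    return findings


def main(argv):
    if "--live" in argv:   # query winbind through NSS on a real member server
        domain = argv[argv.index("--live") + 1]
        conf = open("/etc/samba/smb.conf").read()
        pw = subprocess.check_output(["getent", "passwd"], text=True)
        gr = subprocess.check_output(["getent", "group"], text=True)
    else:
        domain, conf, pw, gr = "SAMDOM", SMB_CONF, PASSWD, GROUP
    for finding in audit(domain, conf, pw, gr):
        print(finding)


if __name__ == "__main__":
    main(sys.argv[1:])
```

The check keys on the `DOMAIN\` prefix winbind prints, so with `winbind use default domain = yes` (where the prefix is absent) pass `sep=""`, or otherwise filter local /etc/passwd entries out yourself. It only sees what NSS returns; an object that lacks uidNumber/gidNumber entirely never appears in getent output with the `ad` backend, so compare the user count against the DC as well.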