[Samba] Group issues on AD DC, membership does not work on some users
Rowland Penny
rpenny at samba.org
Wed Apr 22 11:22:22 UTC 2020
On 22/04/2020 11:59, Oleg Blyahher via samba wrote:
> Sorry for the spam, just have another question here.
>
>> If the 'domain-joined file share server' is a Unix computer, then
>> possibly 'samba-tool group add new-group' isn't sufficient, the group
>> will not have a gidNumber attribute and if the 'idmap config' DOMAIN
>> backend is 'ad', then the group will be ignored.
>
> What is the full/correct way to add a group then?

If you are creating a group that must be visible on Unix, then you must
add the Unix attributes e.g.

    samba-tool group add Group3 --nis-domain=samdom --gid-number=12345

Where: 'Group3' is the groupname, 'samdom' is your lowercase workgroup
name and '12345' is the next available gidNumber.

> The domain-joined fileserver is a Unix machine (Debian 9) with Samba
> 4.5.16.

I would upgrade as soon as possible to Buster and then use Louis' repo
(the one I pointed to earlier).

> idmap config * : backend = tdb
> idmap config * : range = 3000-7999

The '*' domain is for the 'Well Known SIDs' and anything outside the domain.

> idmap config DOMAIN: backend = rfc2307
> idmap config DOMAIN: range = 10000-999999999
> idmap config DOMAIN: ldap_server = ad
> idmap config DOMAIN: unix_nss_info = yes

Based on the above and what you posted earlier, this will be better:

    idmap config DOMAIN: backend = ad
    idmap config DOMAIN: range = 1000-999999999
    idmap config DOMAIN: schema_mode = rfc2307
    idmap config DOMAIN: unix_nss_info = yes

>
> This guide in the wiki
> (https://wiki.samba.org/index.php/User_and_Group_management) doesn't
> say much more than *samba tool group add groupname*.
I have updated the wikipage.
Rowland
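
The check below is an added example, not part of the original message or of Samba: it reports which groups a Unix member using the 'ad' idmap backend would ignore, either because they have no gidNumber or because the gidNumber falls outside the configured range. The smb.conf text, the LDIF-style group export and the function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread): smb.conf lines and an LDIF-style group export.
SMB_CONF = """\
[global]
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SAMDOM : backend = ad
    idmap config SAMDOM : range = 10000-999999
    idmap config SAMDOM : schema_mode = rfc2307
"""
GROUPS_LDIF = """\
dn: CN=Group1,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Group1

dn: CN=Group2,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Group2
gidNumber: 500

dn: CN=Group3,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Group3
gidNumber: 12345
"""

def idmap_settings(conf, domain):
    """Collect the 'idmap config <domain> : key = value' options for one domain."""
    pat = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([^=]+?)\s*=\s*(.+?)\s*$", re.I)
    found = {}
    for line in conf.splitlines():
        m = pat.match(line)
        if m and m.group(1).upper() == domain.upper():
            found[m.group(2).lower()] = m.group(3)
    return found

def invisible_groups(conf, ldif, domain):
    """Return {group: reason} for groups the 'ad' backend would not map on a Unix member."""
    cfg = idmap_settings(conf, domain)
    if cfg.get("backend") != "ad":
        return {}  # this check only applies to the 'ad' backend
    low, high = (int(x) for x in cfg["range"].split("-"))
    problems = {}
    for entry in ldif.strip().split("\n\n"):
        attrs = dict(l.split(": ", 1) for l in entry.splitlines() if ": " in l)
        name, gid = attrs.get("sAMAccountName", attrs.get("dn")), attrs.get("gidNumber")
        if gid is None:
            problems[name] = "no gidNumber"
        elif not low <= int(gid) <= high:
            problems[name] = f"gidNumber {gid} outside {low}-{high}"
    return problems
```

Groups reported here can still be used in share or file permissions set from Windows, but will not appear as Unix groups on the member, so access checks that depend on them will not behave as expected.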