[Samba] Group, idmap, unix_primary_group ...

Marco Gaiarin gaio at sv.lnf.it
Fri Jan 24 11:00:11 UTC 2020 

Mandi! Rowland penny via samba
  In chel di` si favelave...

[Sorry for subject hijacking... ;-)]

> Users do not actually need a gidNumber. Using the 'ad' backend, all users
> will get the gidNumber from Domain Users even if it isn't set in the users
> object in AD.
> 
> If you do set a gidNumber attribute in the users object, whilst it must be
> the GID of a group, they do not all have to have the same GID. All users
> will have the same primaryGroupID (513) and this will be used for the users
> primary group unless you are using Samba >= 4.6.0 and have 'idmap config
> SAMDOM:unix_primary_group = yes' in smb.conf and have given your users a
> gidNumber attribute containing the GID of an existing group.

Sorry rowland, i've read and read this sentences but still something
does not understand.


Caming from 'pre samba 4.6', i've created my users with
'primaryGroupID' and 'gidNumber' that match:

	root at vdcsv2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(&(objectClass=user)(uid=gaio))" | egrep "(primaryGroupID|gidNumber)"
	primaryGroupID: 513
	gidNumber: 10513

but this is a but suboptimal, for examples users now create folders
with group owner 'Domain Users' and so it is a bit hard to enforce ACLs
in some situation...

So, i want to switch to 'unix_primary_group = yes', but i've no clear
at all if 'primaryGroupID' and 'gidNumber' have still to match (eg, i
need to change both), or it is better to leave 'primaryGroupID' to
Domain Users and change only gidNumber.


I hope in a clarification. Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

More information about the samba mailing list