[Samba] Group, idmap, unix_primary_group ...

Rowland penny rpenny at samba.org
Fri Jan 24 11:33:12 UTC 2020

On 24/01/2020 11:00, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
> [Sorry for subject hijacking... ;-)]
You should have opened a new thread, but no problem ;-)
>> Users do not actually need a gidNumber. Using the 'ad' backend, all users
>> will get the gidNumber from Domain Users even if it isn't set in the users
>> object in AD.
>> If you do set a gidNumber attribute in the users object, whilst it must be
>> the GID of a group, they do not all have to have the same GID. All users
>> will have the same primaryGroupID (513) and this will be used for the users
>> primary group unless you are using Samba >= 4.6.0 and have 'idmap config
>> SAMDOM:unix_primary_group = yes' in smb.conf and have given your users a
>> gidNumber attribute containing the GID of an existing group.
> Sorry Rowland, I've read and re-read these sentences but there is still
> something I do not understand.
Let's see if I can make it clearer.
> Coming from 'pre Samba 4.6', I've created my users with
> 'primaryGroupID' and 'gidNumber' that match:
> 	root at vdcsv2:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "DC=ad,DC=fvg,DC=lnf,DC=it" "(&(objectClass=user)(uid=gaio))" | egrep "(primaryGroupID|gidNumber)"
> 	primaryGroupID: 513
> 	gidNumber: 10513

Hmm, the minimum requirements for the winbind 'ad' backend are:

    All users that you require visible to Unix must have a uidNumber.

    The Domain Users group must have a gidNumber attribute.

    All uidNumber and gidNumber attributes must contain numbers inside
    the 'DOMAIN' range set in smb.conf.

    If you are using Domain Users as the primary group, then there is no
    need to give your users a gidNumber attribute containing the GID for
    Domain Users.

    If you are using Samba < 4.6.0, or are using Samba >= 4.6.0 and
    'unix_primary_group = yes' isn't set, then any users' gidNumber
    attributes will be treated as secondary groups.

> but this is a bit suboptimal, for example users now create folders
> with group owner 'Domain Users' and so it is a bit hard to enforce ACLs
> in some situations...
> So, I want to switch to 'unix_primary_group = yes', but I'm not clear
> at all whether 'primaryGroupID' and 'gidNumber' still have to match (i.e. I
> need to change both), or whether it is better to leave 'primaryGroupID' at
> Domain Users and change only gidNumber.
No, they do not have to match and you shouldn't change the
'primaryGroupID'. Just add 'idmap config SAMDOM:unix_primary_group =
yes' and set the required group's GID in the user's gidNumber attribute.
> I hope for a clarification. Thanks.
I hope that I have clarified things, if not, please ask ;-)
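An added example, not Rowland's or the Samba project's code, that applies the minimum requirements and the unix_primary_group rule above to constructed data: the smb.conf fragment and the user/group records are made up stand-ins for the real file and for ldbsearch output, with only the attribute names, the primaryGroupID 513 and the Domain Users GID 10513 taken from the thread.

```python
import re

# Constructed smb.conf fragment standing in for the real file (example data, not from the thread).
SMB_CONF = """
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : range = 10000-999999
"""
# Same fragment with the setting the thread recommends for Samba >= 4.6.0.
SMB_CONF_UPG = SMB_CONF + "   idmap config SAMDOM : unix_primary_group = yes\n"
# Constructed records standing in for ldbsearch output; attribute names are the real AD ones.
GROUPS = [{"name": "Domain Users", "gidNumber": 10513}, {"name": "staff", "gidNumber": 10600}]
USER = {"uid": "gaio", "uidNumber": 10001, "primaryGroupID": 513, "gidNumber": 10600}

def parse_idmap(smb_conf, domain):
    """Return (low, high, unix_primary_group) from the 'idmap config DOMAIN : ...' lines."""
    low, high, upg = None, None, False
    for line in smb_conf.splitlines():
        m = re.match(r"\s*idmap config\s+([^\s:]+)\s*:\s*(\w+)\s*=\s*(\S+)", line, re.I)
        if not m or m.group(1).upper() != domain.upper():
            continue
        key, value = m.group(2).lower(), m.group(3).lower()
        if key == "range":
            low, high = (int(x) for x in value.split("-"))
        elif key == "unix_primary_group":
            upg = value in ("yes", "true", "1")
    return low, high, upg

def check_user(user, groups, smb_conf, domain="SAMDOM"):
    """Apply the thread's minimum requirements; return (effective primary GID, list of problems)."""
    low, high, upg = parse_idmap(smb_conf, domain)
    in_range = lambda n: low is not None and low <= n <= high
    problems = []
    if "uidNumber" not in user:
        problems.append("user has no uidNumber and will not be visible to Unix")
    elif not in_range(user["uidNumber"]):
        problems.append("uidNumber %d is outside the %s range" % (user["uidNumber"], domain))
    domain_users = next((g for g in groups if g["name"] == "Domain Users"), {})
    if "gidNumber" not in domain_users:
        problems.append("Domain Users has no gidNumber; the 'ad' backend needs one")
    primary = domain_users.get("gidNumber")  # primaryGroupID 513 always maps to Domain Users
    known_gids = {g["gidNumber"] for g in groups if "gidNumber" in g}
    gid = user.get("gidNumber")
    if gid is not None:
        if not in_range(gid):
            problems.append("gidNumber %d is outside the %s range" % (gid, domain))
        elif gid not in known_gids:
            problems.append("gidNumber %d is not the GID of any existing group" % gid)
        elif upg:  # without unix_primary_group = yes the gidNumber is only a secondary group
            primary = gid
    return primary, problems
```

With SMB_CONF the user's primary group stays Domain Users (10513); with SMB_CONF_UPG it becomes the staff group (10600) because the gidNumber is the GID of an existing group inside the range.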