[Samba] Group, idmap, unix_primary_group ...

Marco Gaiarin gaio at sv.lnf.it
Fri Jan 24 12:39:06 UTC 2020

Mandi! Rowland penny via samba
  In chel di` si favelave...

> Hmm, The minimum requirements for the winbind 'ad' backend are:
>    all users that you require visible to Unix must have a uidNumber attribute
>    The Domain Users group must have a gidNumber attribute
>    All uidNumber and gidNumber attributes must contain numbers inside the 'DOMAIN' range set in smb.conf

OK, done.

>    If you are using Domain Users as the primary group, then there is no need to give your users a gidNumber attribute containing the GID for Domain Users.

Primary group in 'Windows' or 'POSIX' way? Eg, 'primaryGroupID' or
'gidNumber'? I suppose 'primaryGroupID'...

>    If you are using Samba < 4.6.0 or are using Samba >= 4.60 and 'unix_primary_group = yes' isn't set, then any users gidNumber attributes will be treated as secondary groups

Again, here i suppose 'secondary group' both in Windows and POSIX way,

> > So, i want to switch to 'unix_primary_group = yes', but i've no clear
> > at all if 'primaryGroupID' and 'gidNumber' have still to match (eg, i
> > need to change both), or it is better to leave 'primaryGroupID' to
> > Domain Users and change only gidNumber.
> No, they do not have to match and you shouldn't change the 'primaryGroupID'.
> Just add 'idmap config SAMDOM:unix_primary_group = yes' and set the required
> groups GID in the users gidNumber attribute.

Ok. But curiosity kills me. ;-)

a) what happen if i change primaryGroupID?

b) supposing to have (and samba > 4.6 and unix_primary_group = yes):

	primaryGroupID: Domain Users
	gidNumber: groupA
	other group (via 'memberOf'): groupB, groupC

 user are member of 'Domain Users', groupA, groupB and groupC both for
 Windows and POSIX?


