[Samba] Group, idmap, unix_primary_group ...

Rowland penny rpenny at samba.org
Fri Jan 24 13:16:09 UTC 2020

On 24/01/2020 12:39, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>> Hmm, The minimum requirements for the winbind 'ad' backend are:
>>     all users that you require visible to Unix must have a uidNumber attribute
>>     The Domain Users group must have a gidNumber attribute
>>     All uidNumber and gidNumber attributes must contain numbers inside the 'DOMAIN' range set in smb.conf
> OK, done.
>>     If you are using Domain Users as the primary group, then there is no need to give your users a gidNumber attribute containing the GID for Domain Users.
> Primary group in 'Windows' or 'POSIX' way? Eg, 'primaryGroupID' or
> 'gidNumber'? I suppose 'primaryGroupID'...

OK, good point, try it this way:

If you are using Domain Users as the Unix primary group, then there is 
no need to give your users a gidNumber attribute containing the GID for 
Domain Users.

>>     If you are using Samba < 4.6.0, or are using Samba >= 4.6.0 and 'unix_primary_group = yes' isn't set, then any user's gidNumber attribute will be treated as a secondary group
> Again, here i suppose 'secondary group' both in Windows and POSIX way,
> right?

Well, yes and no ;-)

All AD groups are Windows groups, and all Windows users have Domain Users 
as their primary group; any other groups are just secondary to this. 
Unix basically follows this, except that users do not really have a 
primary group: users have a user private group. Samba tries to make Unix 
work similarly to Windows, so users do have a Unix primary group, which 
before 4.6.0 was Domain Users. From 4.6.0 you have a choice: you can 
continue to use Domain Users as the users' Unix primary group, or you can 
use another group if smb.conf is configured correctly. What you cannot 
do is have user private groups; you cannot have a user 'fred' and a 
group 'fred'.

>>> So, i want to switch to 'unix_primary_group = yes', but i've no clear
>>> at all if 'primaryGroupID' and 'gidNumber' have still to match (eg, i
>>> need to change both), or it is better to leave 'primaryGroupID' to
>>> Domain Users and change only gidNumber.
>> No, they do not have to match and you shouldn't change the 'primaryGroupID'.
>> Just add 'idmap config SAMDOM:unix_primary_group = yes' and set the required
>> group's GID in the user's gidNumber attribute.
> Ok. But curiosity kills me. ;-)
> a) what happen if i change primaryGroupID?
Windows expects all users to have Domain Users as their primary group, 
so if you change '513' to another group RID, you will break this, which 
could cause problems on Windows clients.
> b) supposing to have (and samba > 4.6 and unix_primary_group = yes):
> 	primaryGroupID: Domain Users
> 	gidNumber: groupA
> 	other groups (via 'memberOf'): groupB, groupC
>   is the user a member of 'Domain Users', groupA, groupB and groupC both for
>   Windows and POSIX?

Provided that the user is a member of group 'groupA' (the user has a 
memberOf attribute containing the group's DN), then yes; if it isn't a 
member, then no.
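As an added example (not part of this thread or of Samba itself), the script below checks an LDIF export of users and groups (for instance from ldbsearch) against the minimum requirements for the winbind 'ad' backend listed at the top of the message: every user needs a uidNumber, Domain Users needs a gidNumber, and every uidNumber/gidNumber must fall inside the 'idmap config DOMAIN : range' set in smb.conf. The domain name SAMDOM, the range 10000-999999 and the LDIF records are constructed for illustration; a user with no gidNumber is reported as using Domain Users as the Unix primary group, which is what the message says happens.

```shell
#!/bin/sh
# Added example: sanity-check AD users/groups before switching to the
# winbind 'ad' backend (and before setting unix_primary_group = yes).
# Usage: check_idmap LOW HIGH < export.ldif
# LOW/HIGH are the bounds of 'idmap config SAMDOM : range = LOW-HIGH' in smb.conf.
# Exit status is 1 when any requirement is violated.
check_idmap() {
    awk -v low="$1" -v high="$2" '
    BEGIN { RS = ""; FS = "\n"; problems = 0 }   # one LDIF entry per blank-line-separated record
    function in_range(n) { return (n + 0 >= low + 0 && n + 0 <= high + 0) }
    {
        name = ""; cls = ""; uid = ""; gid = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, ": ")
            if (kv[1] == "sAMAccountName") name = kv[2]
            else if (kv[1] == "objectClass" && (kv[2] == "user" || kv[2] == "group")) cls = kv[2]
            else if (kv[1] == "uidNumber") uid = kv[2]
            else if (kv[1] == "gidNumber") gid = kv[2]
        }
        if (cls == "user") {
            if (uid == "") { print "MISSING user " name " uidNumber (user will not be visible to Unix)"; problems++ }
            else if (!in_range(uid)) { print "OUT_OF_RANGE user " name " uidNumber=" uid; problems++ }
            else if (gid != "" && !in_range(gid)) { print "OUT_OF_RANGE user " name " gidNumber=" gid; problems++ }
            else print "OK user " name " uidNumber=" uid (gid == "" ? " (Unix primary group: Domain Users)" : " gidNumber=" gid)
        } else if (cls == "group") {
            if (gid == "") {
                if (name == "Domain Users") { print "MISSING group Domain Users gidNumber (required by the ad backend)"; problems++ }
                else print "INFO group " name " has no gidNumber (not visible to Unix)"
            } else if (!in_range(gid)) { print "OUT_OF_RANGE group " name " gidNumber=" gid; problems++ }
            else print "OK group " name " gidNumber=" gid
        }
    }
    END { exit (problems > 0) }'
}

# Constructed sample export (hypothetical domain samdom.example.com), trimmed
# to the attributes the check needs. fred is fine, bob's uidNumber is below
# the range, alice has no uidNumber at all.
SAMPLE_LDIF='dn: CN=fred,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: fred
primaryGroupID: 513
uidNumber: 10001
gidNumber: 10050

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: user
sAMAccountName: bob
primaryGroupID: 513
uidNumber: 5001

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: user
sAMAccountName: alice
primaryGroupID: 513

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10000

dn: CN=groupA,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: group
sAMAccountName: groupA
gidNumber: 10050
'

# Demonstration run against the constructed sample with range 10000-999999.
printf '%s\n' "$SAMPLE_LDIF" | check_idmap 10000 999999 \
    || echo "fix the attributes above before switching to the ad backend"
```

Feed it the real export (for example the output of ldbsearch restricted to the attributes above) and fix every MISSING or OUT_OF_RANGE line; the INFO lines for groups without a gidNumber are harmless unless you want that group to be visible to Unix. The script does not verify memberOf, so a gidNumber pointing at a group the user is not a member of, the situation described in the last answer, still has to be checked by hand.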
