[Samba] Group, idmap, unix_primary_group ...

Marco Gaiarin gaio at sv.lnf.it
Fri Jan 24 16:49:03 UTC 2020

Hi! Rowland penny via samba
  in that message wrote...

> OK, good point, try it this way:

Ahem, no Rowland, sorry, but you only make me more confused. But it is
surely my fault.

Let me restart from the ground up.

1) It seems to me that both Windows/AD and POSIX have the concept of a
'primary group'; in an RFC2307 schema:
 AD Primary Group is: primaryGroupID
 POSIX Primary Group is: gidNumber

The concepts are not exactly the same, so some 'mapping' has to be
done. Also, because of some Windows/AD internals, it is strongly advised
not to use a group other than 'Domain Users' as the AD Primary Group.

For samba < 4.6, there's no way to have a POSIX primary group different
from the AD Primary Group (and so, 'Domain Users'): 'gidNumber' simply
gets ignored and the primary group is forced to 'Domain Users'.

2) Surely both Windows/AD and POSIX have the concept of 'groups'; in
the same RFC2307 schema, they are expressed with:
 in the user object: memberOf
 in the group object: member

NOTE that the group listed as 'primaryGroupID' IS NOT listed in
'memberOf' (I suppose this is a constraint of Windows/AD); this is
different from POSIX, where you can list the same group as primary group
and as an 'additional group'.

Samba here only does the 'unpacking' of nested group membership (a
concept not present in POSIX).

Just as a note, I'm very curious to understand if and how the
coherence between 'memberOf' in the user and 'member' in the group is
kept. But this is another theme... ;-)

So, having said that:

a) for samba < 4.6, or samba with 'unix_primary_group = no', group
 memberships are:
 - POSIX primary group: 'Domain Users'
 - other memberships:
   - 'Domain Users', automatically added
   - all groups listed in 'memberOf', possibly nested-unpacked.

b) for samba >= 4.6 and 'unix_primary_group = yes', group memberships are:
 - POSIX primary group: gidNumber
 - other memberships:
   - 'Domain Users', automatically added
   - all groups listed in 'memberOf', possibly nested-unpacked.

So the only 'corner case' we have to take into account is if we set a
POSIX primary group with gidNumber and forget to add it to the 'other
memberships' (e.g., as 'memberOf'): in this case we can end up in a
situation where Windows/AD and POSIX memberships diverge, because the
group in 'gidNumber' is not known to Windows.

Clearly, final question: all this is for member servers; and for AD?

Various inline replies:

> if smb.conf is configured correctly. What you cannot do is have user private
> groups, you cannot have a user 'fred' and a group 'fred'

I discovered this in my early Samba/AD experiments: I was very
'puzzled' by the fact that in an NT domain users and groups have different
namespaces, while in AD there's a single namespace for users and

> Windows expects all users to have Domain Users as their primary group, so if
> you change '513' to another group RID, you will break this, this could cause
> problems on Windows clients.

Some links? I'm curious...


dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

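As an added illustration (not part of the original mail, and not Samba's own code), the following Python models the two membership views the mail describes: the AD view (primaryGroupID plus memberOf, nested groups unpacked) and the POSIX view Samba derives from it, with 'unix_primary_group' on or off. It then flags the corner case from the mail: a user whose gidNumber names a group that the user is not a member of on the AD side. The directory contents, group names, RIDs and gid numbers are constructed sample data, and the helper names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass, field

DOMAIN_USERS_RID = 513  # well-known RID of 'Domain Users'


@dataclass
class Group:
    name: str
    rid: int
    gid_number: int | None = None                    # RFC2307 gidNumber (None: not a POSIX group)
    member: list[str] = field(default_factory=list)  # AD 'member': user or group names


@dataclass
class User:
    name: str
    primary_group_id: int = DOMAIN_USERS_RID  # AD primaryGroupID
    gid_number: int | None = None             # RFC2307 gidNumber


# Constructed sample directory (hypothetical names, RIDs and gid numbers).
GROUPS = {g.name: g for g in [
    Group("Domain Users", 513, 10513),
    Group("staff", 1101, 10101, member=["it"]),        # nested: 'staff' contains group 'it'
    Group("it", 1102, 10102, member=["alice"]),
    Group("research", 1103, 10103),                    # nobody listed as member
    Group("printers", 1104, None, member=["alice"]),   # no gidNumber: invisible to POSIX
]}
USERS = {
    "alice": User("alice", gid_number=10102),  # gidNumber group is also in memberOf: consistent
    "bob": User("bob", gid_number=10103),      # gidNumber group NOT in memberOf: diverges
}


def member_of(name: str, groups: dict[str, Group]) -> set[str]:
    """Direct 'memberOf' of a user or group: the inverse of the groups' 'member' lists."""
    return {g.name for g in groups.values() if name in g.member}


def ad_membership(user: User, groups: dict[str, Group]) -> tuple[str, set[str]]:
    """AD view: the primaryGroupID group plus memberOf, with nested groups unpacked."""
    primary = next(g.name for g in groups.values() if g.rid == user.primary_group_id)
    seen: set[str] = set()
    todo = list(member_of(user.name, groups))
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(member_of(g, groups))  # walk up through nesting
    return primary, seen


def posix_membership(user: User, groups: dict[str, Group],
                     unix_primary_group: bool) -> tuple[int, set[int]]:
    """POSIX view as the mail describes it: the primary gid is gidNumber only with
    'unix_primary_group = yes' (Samba >= 4.6), otherwise Domain Users; supplementary
    gids are Domain Users plus every nested-unpacked memberOf group that has a gidNumber."""
    du_gid = next(g.gid_number for g in groups.values() if g.rid == DOMAIN_USERS_RID)
    _, ad_groups = ad_membership(user, groups)
    if unix_primary_group and user.gid_number is not None:
        primary_gid = user.gid_number
    else:
        primary_gid = du_gid
    supplementary = {du_gid} | {
        groups[n].gid_number for n in ad_groups if groups[n].gid_number is not None
    }
    return primary_gid, supplementary


def divergent_users(users: dict[str, User], groups: dict[str, Group]) -> list[str]:
    """Users whose POSIX primary group (with 'unix_primary_group = yes') is a group
    they do not belong to on the AD side: the corner case from the mail."""
    out = []
    for u in users.values():
        primary_gid, _ = posix_membership(u, groups, unix_primary_group=True)
        ad_primary, ad_groups = ad_membership(u, groups)
        ad_gids = {groups[n].gid_number for n in ad_groups | {ad_primary}}
        if primary_gid not in ad_gids:
            out.append(u.name)
    return sorted(out)


if __name__ == "__main__":
    for name, u in USERS.items():
        print(name, "AD:", ad_membership(u, GROUPS),
              "POSIX(yes):", posix_membership(u, GROUPS, True),
              "POSIX(no):", posix_membership(u, GROUPS, False))
    print("divergent:", divergent_users(USERS, GROUPS))
```

Running it shows 'alice' with the same groups in both views (her gidNumber group 'it' is also reached through memberOf, and 'staff' is added by nested unpacking), while 'bob' ends up with a POSIX primary gid that no AD group membership accounts for; that is the check an administrator would want to run over real RFC2307 data before enabling 'unix_primary_group = yes'.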