[Samba] Group, idmap, unix_primary_group ...

Rowland penny rpenny at samba.org
Fri Jan 24 17:34:36 UTC 2020

On 24/01/2020 16:49, Marco Gaiarin via samba wrote:
> Hello! Rowland penny via samba
>    On that day wrote...
>> OK, good point, try it this way:
> Ahem, no Rowland, sorry, but you only make me more confused. But it is
> surely my fault.
No, I must not be explaining it correctly.
> Restart from ground.
> 1) Seems to me that both Windows/AD and POSIX have the concept of 'primary
> group'; in a RFC2307 schema:
>   AD Primary Group is: primaryGroupID
>   POSIX Primary Group is: gidNumber


The AD part is correct, but as I said, there isn't really a Unix primary 
group, all Unix users have their own user private group e.g. user 'fred' 
would have a private group called 'fred'. This is not allowed in AD.

Before Samba 4.6.0 the gidNumber was virtually ignored by Unix and the 
user's group was set from the user's primaryGroupID in AD, this meant that 
everyone (like Windows) had the user private group 'Domain Users'.

From Samba 4.6.0, this continued unless you give users a gidNumber 
attribute and configure smb.conf to use it, this group will then be used 
as the user's private group (aka primary group).

> The concepts are not exactly the same, so some 'mappings' have to be
> done. Also, for some internal Windows/AD, it is hardly advised to use
> for AD Primary Group a group different from 'Domain Users'.
This is correct
> For samba < 4.6, there's no way to have a POSIX primary group different
> from AD Primary group (and so, 'Domain Users'): simply 'gidNumber' gets
> ignored and forced to be 'Domain Users'.
> 2) surely both Windows/AD and POSIX have the concept of 'groups'; in
> the same RFC2307 schema, they are expressed with:
>   in user object: memberOf
>   in group object: member
> NOTE that the group listed as 'primaryGroupID' IS NOT listed as
> 'memberOf' (I suppose this is a constraint of Windows/AD); this is
> different from POSIX where you can list the same group as primary group
> and as 'additional group'.
Yes, Windows and Unix (please stop calling it POSIX, it confuses me) 
have 'groups'. 'memberOf' & 'member' are links, if a 'member' attribute 
is created in a group object containing the DN of a user or group, a 
'memberOf' attribute is automatically created in the user or group, 
containing the group's DN. If you check the 'Domain Users' object in AD, 
you will not find any 'member' attributes and you will not find any 
'memberOf' attributes in AD pointing to 'Domain Users', all users are 
members of Domain Users through the user's primaryGroupID attribute.
> Samba here does only the 'unpacking' of nested group membership (a
> concept not present in POSIX).
Yes, on Unix, a group cannot be a member of another group.
> Only to make a note, I'm very curious to understand if and how the
> coherence between 'memberOf' in user and 'member' in group is kept. But
> this is another theme... ;-)
I think I may have answered that above ;-)
> So, saying that:
> a) for samba < 4.6 or samba with 'unix_primary_group = no', group
>   memberships are:
>   - POSIX primary group: 'Domain Users'
>   - other membership:
>     - 'Domain Users', automatically added
>     - all group listed as 'memberOf', possibly nested-unpacked.
> b) for samba >= and 'unix_primary_group = yes', group memberships are:
>   - POSIX primary group: gidNumber
>   - other membership:
>     - 'Domain Users', automatically added
>     - all group listed as 'memberOf', possibly nested-unpacked.
> So the only 'corner case' we have to take into account is if we set a
> POSIX primary group with gidNumber, and we forget to add it to 'other
> membership' (eg, as 'memberOf'): in this case we can lead to a
> situation where Windows/AD and POSIX membership diverge, because the
> group in 'gidNumber' is not known to Windows.
I think that means: the gidNumber you give to a user must be the 
gidNumber of a group, i.e. a group must have this gidNumber.
> Clearly, final question, all this for member server; and for AD?
For a Unix domain member, yes and if 'AD' means 'Samba AD DC', then 
again yes.
> Various inline reply:
>> if smb.conf is configured correctly. What you cannot do is have user private
>> groups, you cannot have a user 'fred' and a group 'fred'
> I've discovered this in my early Samba/AD experiment: I was very
> 'puzzled' by the fact that in NT domain users and groups have different
> namespaces, while in AD there's a single namespace for users and
> groups...
Forget most of what you learnt from the old NT4-style domains, AD is 
quite different.
>> Windows expects all users to have Domain Users as their primary group, so if
>> you change '513' to another group RID, you will break this, this could cause
>> problems on Windows clients.
> Some links? I'm curious...
Sorry, I don't have any links to hand, just my experience.
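The two checks this thread settles on (a user's gidNumber must belong to an existing group, and that group should also appear in the user's memberOf unless it is Domain Users, otherwise Windows and Unix membership diverge) can be run over an LDIF dump before switching on unix_primary_group. The script below is an added example, not code from the thread or from the Samba project. It parses a constructed LDIF sample modelled on ldbsearch/ldapsearch output, flags the corner cases, and reports the effective Unix group list for both the 'unix_primary_group = no' and 'unix_primary_group = yes' cases as Marco laid them out. The gidNumber values, DNs and user names are constructed; RID 513 for Domain Users comes from the thread.

```python
"""Check RFC2307 gidNumber against AD group membership (added example).

Constructed sample data; in practice feed the output of
`ldbsearch`/`ldapsearch` for users and groups instead.
"""
from collections import defaultdict

DOMAIN_USERS_RID = 513  # RID of 'Domain Users', as stated in the thread

# Constructed LDIF-style records (assumed layout, not taken from a real domain).
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
cn: Domain Users
gidNumber: 10000

dn: CN=unixadmins,CN=Users,DC=example,DC=com
objectClass: group
cn: unixadmins
gidNumber: 10001
member: CN=alice,CN=Users,DC=example,DC=com

dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
cn: alice
primaryGroupID: 513
gidNumber: 10001
memberOf: CN=unixadmins,CN=Users,DC=example,DC=com

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
cn: bob
primaryGroupID: 513
gidNumber: 10001

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
cn: carol
primaryGroupID: 512
gidNumber: 20000
"""


def parse_ldif(text):
    """Split LDIF text into records; each record maps attribute -> list of values."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(": ")
        current[attr].append(value.strip())
    if current:
        entries.append(dict(current))
    return entries


def index_groups(entries):
    """Map gidNumber -> group record and group DN -> group record."""
    by_gid, by_dn = {}, {}
    for e in entries:
        if "group" in e.get("objectClass", []):
            by_dn[e["dn"][0]] = e
            for gid in e.get("gidNumber", []):
                by_gid[int(gid)] = e
    return by_gid, by_dn


def nested_groups(user, by_dn):
    """Expand memberOf transitively through group objects (nested-group unpacking)."""
    seen, stack = set(), list(user.get("memberOf", []))
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        grp = by_dn.get(dn)
        if grp:
            stack.extend(grp.get("memberOf", []))
    return seen


def check_user(user, by_gid, by_dn, domain_users_gid):
    """Return (cn, finding) tuples for the corner cases discussed in the thread."""
    cn, findings = user["cn"][0], []
    if int(user.get("primaryGroupID", ["0"])[0]) != DOMAIN_USERS_RID:
        findings.append((cn, "primaryGroupID-not-513"))
    gids = user.get("gidNumber")
    if not gids:
        return findings  # no gidNumber: the primaryGroupID group is used
    gid = int(gids[0])
    grp = by_gid.get(gid)
    if grp is None:
        findings.append((cn, "gidNumber-has-no-group"))
    elif gid != domain_users_gid and grp["dn"][0] not in nested_groups(user, by_dn):
        # Domain Users membership is implicit via primaryGroupID; any other
        # gidNumber group must also be reachable through memberOf.
        findings.append((cn, "gidNumber-group-not-in-memberOf"))
    return findings


def check_all(text):
    entries = parse_ldif(text)
    by_gid, by_dn = index_groups(entries)
    domain_users_gid = next((int(e["gidNumber"][0]) for e in by_dn.values()
                             if e["cn"][0] == "Domain Users" and e.get("gidNumber")), None)
    findings = []
    for e in entries:
        if "user" in e.get("objectClass", []):
            findings.extend(check_user(e, by_gid, by_dn, domain_users_gid))
    return findings


def effective_unix_groups(text, user_cn, unix_primary_group):
    """Primary gid and supplementary group names, per the thread: primary is
    Domain Users (unix_primary_group = no) or the gidNumber group (= yes);
    supplementary is always Domain Users plus the nested memberOf groups."""
    entries = parse_ldif(text)
    _, by_dn = index_groups(entries)
    user = next(e for e in entries if "user" in e.get("objectClass", []) and e["cn"][0] == user_cn)
    dom = next(e for e in by_dn.values() if e["cn"][0] == "Domain Users")
    primary = int(dom["gidNumber"][0])
    if unix_primary_group and user.get("gidNumber"):
        primary = int(user["gidNumber"][0])
    supp = {dom["cn"][0]} | {by_dn[dn]["cn"][0] for dn in nested_groups(user, by_dn) if dn in by_dn}
    return primary, sorted(supp)


if __name__ == "__main__":
    for cn, finding in check_all(SAMPLE_LDIF):
        print(f"{cn}: {finding}")
```

In the sample, alice is clean, bob has a gidNumber pointing at unixadmins without a matching memberOf (the divergence case), and carol has a non-513 primaryGroupID and a gidNumber no group carries.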

