[Samba] Group, idmap, unix_primary_group ...
Marco Gaiarin
gaio at sv.lnf.it
Mon Jan 27 10:25:21 UTC 2020
Hello! Rowland Penny via samba
On that day it was said...
> NO, NO, NO
> The AD part is correct, but as I said, there isn't really a Unix primary
> group, all Unix users have their own user private group e.g. user 'fred'
> would have a private group called 'fred'. This is not allowed in AD
Aaaahhhh... now I've understood what you are saying... no, sorry, this
is a misunderstanding... the use of 'private groups' is a 'convention'
of (rather all, indeed) modern distributions, where the add user
scripts (adduser, useradd) create a 'private group' for every user, I
think to manage 'user separation' better.
But these are NOT 'private groups', they are only groups created with
the same name as the users.
UNIX (or POSIX ;-) has the concept of 'primary group' (fourth field in
/etc/passwd) and 'other groups' (fourth field in /etc/group).
> > So the only 'corner case' we have to take into account is if we set a
> > POSIX primary group with gidNumber, and we forget to add it to 'other
> > membership' (eg, as 'memberOf'): in this case we can lead to a
> > situation where Windows/AD and POSIX membership diverge, because the
> > group in 'gidNumber' is not known to Windows.
> I think that means: the gidNumber you give to a user must be the gidNumber
> of a group, i.e. a group must have this gidNumber
This indeed. But I mean that if I add as gidNumber group 12345, that is
a Windows group 'Some Group', and I forget to add 'Some Group' to
'member', UNIX sees 'Some Group' because it is the primary group, but
Windows doesn't see it because it is not in 'member'.
As a 'good practice' I've always had the UNIX primary group also listed
as a 'supplemental group', so this is not a trouble at all...
> > Clearly, final question, all this for member server; and for AD?
> For a Unix domain member, yes and if 'AD' means 'Samba AD DC', then again
> yes.
No, I mean: normally I don't add any 'idmap config' stanzas in the
smb.conf of a DC, so in particular no 'unix_primary_group = yes'.
So I suppose a DC simply ignores 'gidNumber'.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione "La Nostra Famiglia" http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
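The divergence discussed in this message (a user's gidNumber pointing at a group whose 'member' attribute does not list the user, so UNIX and Windows disagree on membership) can be checked for in bulk. The following is an added example, not code from the thread or from Samba: it takes already-fetched user and group attributes (constructed sample records here, in the attribute shape an LDAP query returns) and reports users whose POSIX primary group is not also an AD membership.

```python
# Added example: find users whose POSIX primary group (gidNumber) is not
# also an AD group membership ('member' attribute on the group object).
# SAMPLE_USERS / SAMPLE_GROUPS are constructed data, not from the thread.

SAMPLE_USERS = [
    {"dn": "CN=fred,CN=Users,DC=example,DC=com", "sAMAccountName": "fred",
     "gidNumber": 12345},
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "sAMAccountName": "alice",
     "gidNumber": 12345},   # primary group set, but not in 'member' below
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "sAMAccountName": "bob",
     "gidNumber": 99999},   # no group carries this gidNumber at all
]

SAMPLE_GROUPS = [
    {"dn": "CN=Some Group,CN=Users,DC=example,DC=com", "gidNumber": 12345,
     "member": ["CN=fred,CN=Users,DC=example,DC=com"]},
]


def check_primary_groups(users, groups):
    """Return {sAMAccountName: reason} for every user whose gidNumber does
    not resolve to exactly one group that also lists the user in 'member'."""
    by_gid = {}
    for g in groups:
        gid = g.get("gidNumber")
        if gid is not None:
            by_gid.setdefault(gid, []).append(g)
    problems = {}
    for u in users:
        gid = u.get("gidNumber")
        if gid is None:
            continue  # no POSIX primary group, nothing can diverge
        candidates = by_gid.get(gid)
        if not candidates:
            problems[u["sAMAccountName"]] = f"gidNumber {gid} matches no group"
            continue
        if len(candidates) > 1:
            problems[u["sAMAccountName"]] = f"gidNumber {gid} is on {len(candidates)} groups"
            continue
        group = candidates[0]
        members = {m.lower() for m in group.get("member", [])}  # DNs are case-insensitive
        if u["dn"].lower() not in members:
            problems[u["sAMAccountName"]] = (
                f"primary group '{group['dn']}' does not list the user in 'member'")
    return problems


if __name__ == "__main__":
    for name, reason in sorted(check_primary_groups(SAMPLE_USERS, SAMPLE_GROUPS).items()):
        print(f"{name}: {reason}")
```

The check only looks at 'member'; the group referenced by a user's AD primaryGroupID attribute (usually Domain Users) is also not stored in 'member', so exclude that group if you extend the check to it.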