[Samba] Group, idmap, unix_primary_group ...

Rowland penny rpenny at samba.org
Mon Jan 27 10:55:09 UTC 2020

On 27/01/2020 10:25, Marco Gaiarin via samba wrote:
> Mandi! Rowland penny via samba
>    In chel di` si favelave...
>> NO, NO, NO
>> The AD part is correct, but as I said, there isn't really a Unix primary
>> group, all Unix users have their own user private group e.g. user 'fred'
>> would have a private group called 'fred'. This is not allowed in AD
> Aaaahhhh... now i've understood what you are saying... no, sorry, this
> is a misunderstaning... the use of 'private groups' is a 'convention'
> of (rather all, indeed) modern distribution, where the add user
> scripts (adduser, useradd) create a 'private group' for every users, i
> think to manage better 'user separation'.
> But these are NOT 'private groups', they are only groups created with
> the same name of the users.
> UNIX (or POSIX ;-) have the concept of 'primary group' (fourth field in
> /etc/passwd) and 'other groups' (fourth field in /etc/group).

No, that is the users private group

cat /etc/passwd | grep adminuser

cat /etc/group | grep '^adminuser'

However, people call it the 'primary group'

>>> So the only 'corner case' we have to take into account if we set a
>>> POSIX primary group with gidNumber, and we forget to add it to 'other
>>> membership' (eg, as 'memberOf'): in this case we can lead to a
>>> situation where Windows/AD and POSIX membership diverge, because the
>>> group in 'gidNumber' is not know to windows.
>> I think that means; the gidNumber you give to a user must be the gidNumber
>> of group i.e. a group must have this gidNumber
> This indeed. But i mean that if i add as gidNumber group 12345, that is
> a windows group 'Some Group', and i forgot to add 'Some Group' to
> 'members', UNIX see 'Some Group' because is the primary group, but
> windows don't see it because is not in 'member'.
> As a 'good practice' i've ever had the UNIX primary group also listed
> as 'supplimental group', so this is not a trouble at all...
I just give groups a gidNumber and then make users members of these groups
>>> Clearly, final question, all this for member server; and for AD?
>> For a Unix domain member, yes and if 'AD' means 'Samba AD DC', then again
>> yes.
> No, i mean: normally i don't add any 'idmap config' stanzas in
> smb.conf of a DC, so in particular no 'unix_primary_group = yes'.
> So i suppose a DC simply ignore 'gidNumber'.

No, a DC looks to idmap.ldb for IDs unless the user has a uidNumber in 
their object, or a group has a gidNumber.

An example:

root at dc4:~# getent passwd rowland

There is a slight problem with this, on a DC a group can be a group and 
a user. This is because on Windows, a group can own things (try that on 
a Unix machine). It is done like this so groups can own things in 
Sysvol, one of these groups is Domain Admins, so this is why I suggest 
not giving this group a gidNumber as it will turn the Windows group, 
that can own things, into a Unix group that cannot.


More information about the samba mailing list