[Samba] Add gidNumber for group

Rowland penny rpenny at samba.org
Fri Jun 19 18:55:53 UTC 2020

On 19/06/2020 19:31, Robert E. Wooden via samba wrote:
> On 6/19/2020 10:00 AM, Rowland penny via samba wrote:
>> The easiest way is to upgrade to 4.12.x and then use 'samba-tool 
>> group addunixattrs', otherwise you could use ldbedit or create an 
>> ldif and use ldbmodify or ldapmodify. Another option would be to use 
>> something like LAM.
>> Rowland
> Sorry, but, there is what you told me to do in your first email reply.
> AND it does not matter to me, who did what.
> I have already _deleted the "unixattrs" group that had been created_.
> Now, on to this.
> When I do this:
> root@dc01:~# samba-tool group list
> Server Operators
> Distributed COM Users
> Group Policy Creator Owners
> Domain Computers
> Print Operators
> Cert Publishers
> DnsAdmins
> Incoming Forest Trust Builders
> Guests
> Event Log Readers
> Backup Operators
> Replicator
> Domain Admins
> Cryptographic Operators
> Windows Authorization Access Group
> Terminal Server License Servers
> RAS and IAS Servers
> Network Configuration Operators
> Allowed RODC Password Replication Group
> Remote Desktop Users
> Denied RODC Password Replication Group
> Enterprise Read-only Domain Controllers
> Performance Log Users
> Read-only Domain Controllers
> Enterprise Admins
> Users
> Account Operators
> Performance Monitor Users
> Domain Guests
> Domain Users
> Schema Admins
> Pre-Windows 2000 Compatible Access
> DnsUpdateProxy
> Certificate Service DCOM Access
> Domain Controllers
> Administrators
> I do not see a group "addunixattrs"?
> If I run your suggestion "samba-tool group addunixattrs <groupname> 
> <next_available_gidNumber>" how do I determine the 
> "<next_available_gidNumber>" or is that "next number" found by your 
> command suggestion?
> Clearly, the "groupname" is 'Domain Users'.
> Finding the "next gidNumber" becomes the next question?
> Bob Wooden
All of this would have been a lot easier if I could have added the code 
to obtain the next available u/gidNumber ;-)

Oh well, it isn't there, so you have to add it manually. You need to 
find the next available gidNumber and use that. If Domain Users does not 
have a gidNumber, you probably do not have any yet, so you can use 
whatever number you like, but I would recommend using the number that 
ADUC started from: '10000'

If you do have any gidNumbers in AD, you can find the highest with this:

ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' | grep 'gidNumber:' | sed 's/gidNumber: //' | sort -n | tail -n1

Add 1 to the output and use that.
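
Added example (not part of the original message, and not Samba's own code): the "find the highest gidNumber and add 1" step as a small shell helper that compares values numerically and falls back to 10000 when the domain has no gidNumbers yet. The function names `next_gid` and `sample_ldif` and the sample LDIF records are constructed for illustration.

```shell
#!/bin/sh
# Added example: compute the next free gidNumber from ldbsearch LDIF output.
# next_gid is a hypothetical helper name; 10000 is the starting value
# recommended in the message above for a domain with no gidNumbers yet.

next_gid() {
    # Reads LDIF on stdin, prints highest gidNumber + 1 (or the start value).
    start=${1:-10000}
    awk -v start="$start" '
        # Match the attribute name case-insensitively; skip non-numeric values.
        tolower($1) == "gidnumber:" && $2 ~ /^[0-9]+$/ {
            if ($2 + 0 > max) max = $2 + 0
            seen = 1
        }
        END { if (seen) print max + 1; else print start }
    '
}

# Constructed sample of ldbsearch output (not from a real domain).
# A plain "sort" would rank 9999 above 10005 here; the numeric compare does not.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10000

# record 2
dn: CN=legacy,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 9999

# record 3
dn: CN=staff,CN=Users,DC=samdom,DC=example,DC=com
gidNumber: 10005

# returned 3 records
EOF
}

sample_ldif | next_gid          # highest is 10005, so this prints 10006
printf '' | next_gid            # no gidNumbers at all: prints 10000

# On a DC, as root (path as given in the message above):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(gidNumber=*)' gidNumber | next_gid
```

The lookup and the later `samba-tool group addunixattrs` call are separate steps, so two administrators running this at the same time can pick the same number; a duplicated gidNumber makes two groups resolve to the same Unix GID on domain members.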

