[Samba] Problems with groups, minimum gidnumber?

Fri May 15 15:33:22 UTC 2020

On Fri, 15 May 2020, Rowland penny via samba wrote:

> On 15/05/2020 13:48, Harald Hannelius wrote:
>> 
>> I created a script that looped on 'getent passwd' from the old DC. It 
>> called samba-tool and pdbedit to add the users;
>> 
>> samba-tool user create $username Some2pass/e --use-username-as-cn 
>> --nis-domain=sad --unix-home=$home --uid-number=$uid 
>> --login-shell=/bin/bash --gid-number=100 --given-name="${givenname}" 
>> --surname="${surname}" --gecos "$gecos"
>> 
>> pdbedit --set-nt-hash=$passhash $username
>
> Two things wrong with that, you do not need to use pdbedit  to set the users 
> password, the samba-tool command does it for you and you have set the every 
> users gidNumber to '100'. The '100' comes from idmap.ldb on a DC:

If there's a way to copy the sambaNTPassword password-hash from the LDAP for 
the Samba 3 DC with samba-tool I would have loved to find that information 
long ago :)

> dn: CN=S-1-5-21-1768301897-3342589593-1064908849-513
> cn: S-1-5-21-1768301897-3342589593-1064908849-513
> objectClass: sidMap
> objectSid: S-1-5-21-1768301897-3342589593-1064908849-513
> type: ID_TYPE_GID
> xidNumber: 100
> distinguishedName: CN=S-1-5-21-1768301897-3342589593-1064908849-513
>
> This is where 'Domain Users' (the RID 513) is mapped to '100' (the Unix ID 
> for the 'users' group)
>
> Unless you have added a gidNumber attribute containing '100' to a group in 
> AD, no users have a group, but even if you have, the '100' is less than the 
> DOMAIN low range '500', so it and all users will be ignored.

So the "idmap config sad:range" is for both uid's and gid's? There's no 
separate range for gid's?

> If you are now saying, but I do get users, then you probably have the same 
> users in AD and /etc/passwd, this is not allowed, delete them from 
> /etc/passwd.

No, they are not in /etc/passwd on neither the DS or the Domain 
Member-server. I added them with samba-tool.

>>>> I have some 300 + groups that I'm trying to get migrated to our Samba 4 
>>>> AD.
>>> Why do need over 300 groups ?
>> 
>> We have an intra filesystem that is over 15 years old.
> And you are trying to make AD work like your old ldap ;-)

I guess so, yes.

>>>> I can create the groups, but it looks from the domain-member's side that 
>>>> groups don't work as I expect them to.
>
> Please read this: 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> and this: https://wiki.samba.org/index.php/Idmap_config_ad

I have read these, and followed the instructions. What I don't understand is 
why one user uid 510, gid 100 works with all groups and another user with 
uid 527, gid 100 doesn't.

What isn't clear is are really uid's and gid's in the same number space in 
Samba? What if a user has the same uid as a group's gid?

-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020