Fred F
2013-Jan-22 14:52 UTC
[Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
Hi,

I am still experimenting with Samba 4 and I'd like to serve both Windows and Linux clients with Samba (standalone AD server). The Windows-side is already working well. For serving Linux-clients I need to store the users' uidNumber and gidNumber in the Active Directory.

This is how I do that:
1. Create a user "test" with samba-tool
2. Get the internal UID which was assigned to this user by Samba through wbinfo
3. Add the UID to CN=test,CN=Users,CN=DOMAIN as uidNumber
4. Add gidNumber=100 (Domain Users) to CN=test,CN=Users,CN=DOMAIN

With the correct nss_ldap setup (mainly attribute mappings) the Linux boxes can now get their passwd/shadow/group information directly from AD. The Linux user now has the exact same attributes and groups as the Windows user.

Now the issue is that Samba needs a group with the same gidNumber as the uidNumber for each user to work correctly in this setup (see why in #9521 [1]). The only logical way of doing that is storing this gidNumber as the user's primary group in the AD. This way the user loses the membership in the group "Domain Users" (gidNumber 100), though - at least on the Linux side.

Are there any thoughts on how to solve this? Is this maybe a Samba issue or is my setup just wrong?

Regards,
Frederik

[1] https://bugzilla.samba.org/show_bug.cgi?id=9521
Gémes Géza
2013-Jan-22 18:45 UTC
[Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients
On 2013-01-22 15:52, Fred F wrote:
> Hi,
>
> I am still experimenting with Samba 4 and I'd like to serve both
> Windows and Linux clients with Samba (standalone AD server). The
> Windows-side is already working well. For serving Linux-clients I need
> to store the users' uidNumber and gidNumber in the Active Directory.
>
> This is how I do that:
> 1. Create a user "test" with samba-tool
> 2. Get the internal UID which was assigned to this user by Samba through wbinfo
> 3. Add the UID to CN=test,CN=Users,CN=DOMAIN as uidNumber
> 4. Add gidNumber=100 (Domain Users) to CN=test,CN=Users,CN=DOMAIN
>
> With the correct nss_ldap setup (mainly attribute mappings) the Linux
> boxes can now get their passwd/shadow/group information directly from
> AD. The Linux user now has the exact same attributes and groups as the
> Windows user.
>
> Now the issue is that Samba needs a group with the same gidNumber as
> the uidNumber for each user to work correctly in this setup (see why
> in #9521 [1]). The only logical way of doing that is storing this
> gidNumber as the user's primary group in the AD. This way the user
> loses the membership in the group "Domain Users" (gidNumber 100),
> though - at least on the Linux side.
>
> Are there any thoughts on how to solve this? Is this maybe a Samba
> issue or is my setup just wrong?
>
>
> Regards,
> Frederik
>
> [1] https://bugzilla.samba.org/show_bug.cgi?id=9521

I don't agree, because users can be members of multiple groups, not just the group identified as their primary group.

Regards

Geza Gemes
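
The distinction raised in the reply above, primary group versus additional group memberships, as an added example that is not part of the original thread and is not Samba or nss_ldap code. It models a lookup over constructed directory entries and assumes supplementary membership is read from each group's `member` attribute; the `test-private` group, the `Domain Users` DN, and the numeric ID 3000017 are made up for illustration.

```python
# Constructed sample entries. The user DN follows the thread's naming;
# the group DNs and the numeric IDs (except gidNumber 100) are invented.
USER_DN = "CN=test,CN=Users,CN=DOMAIN"
ENTRIES = [
    {"dn": USER_DN, "objectClass": "user", "cn": "test",
     "uidNumber": 3000017, "gidNumber": 3000017},   # primary = private group
    {"dn": "CN=test-private,CN=Users,CN=DOMAIN", "objectClass": "group",
     "cn": "test-private", "gidNumber": 3000017, "member": []},
    {"dn": "CN=Domain Users,CN=Users,CN=DOMAIN", "objectClass": "group",
     "cn": "Domain Users", "gidNumber": 100, "member": [USER_DN]},
]


def resolve_identity(entries, user_dn):
    """Return the uid, primary gid and full group list for one user.

    Assumption of this model: the primary group comes from the user's own
    gidNumber, supplementary groups from every group whose 'member'
    attribute lists the user's DN.
    """
    user = next(e for e in entries
                if e["objectClass"] == "user" and e["dn"] == user_dn)
    groups = [e for e in entries if e["objectClass"] == "group"]

    # A gidNumber on the user that matches no group is a dangling primary
    # group; report it instead of returning an unresolvable gid.
    if not any(g["gidNumber"] == user["gidNumber"] for g in groups):
        raise LookupError(f"no group with gidNumber {user['gidNumber']}")

    supplementary = sorted(
        g["gidNumber"] for g in groups
        if user_dn in g.get("member", [])
        and g["gidNumber"] != user["gidNumber"]
    )
    return {"uid": user["uidNumber"], "gid": user["gidNumber"],
            "groups": [user["gidNumber"]] + supplementary}


if __name__ == "__main__":
    print(resolve_identity(ENTRIES, USER_DN))
```

In this model the user's primary gid equals the uid, and gidNumber 100 still appears in the group list because the membership is recorded on the group entry rather than on the user.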