Prunk Dump
2019-Aug-19 08:45 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
Hi Samba Team!

My Samba AD DC server runs an NFSv4 server, so I need correct RFC2307 id mapping between the server and the clients.

On the client side it's very easy with the new smb.conf options:

idmap config SAMDOM:unix_nss_info = yes
idmap config SAMDOM:unix_primary_group = yes

But on the server side winbind uses the gidNumber of the group corresponding to the user's primaryGroupID, not the gidNumber directly.

So all my users have their primary group set to "Domain Users", as I have set the "Domain Users" gidNumber as it says in the documentation.

How can I change this behavior? On my NFSv4 shares all the files are owned by the "Domain Users" group instead of the correct user primary group.

Thanks for help!

Baptiste.
L.P.H. van Belle
2019-Aug-19 09:00 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
Hai,

First of all, I must say it is not very wise to have your NFS server on the AD-DC.

I do about the same but my NFS server is on a member.

Have you configured /etc/nsswitch.conf?
If not, do that.

If you run: id username
I see: uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users)
So my GID and Primary group id are the same.

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Prunk Dump via samba
> Sent: Monday 19 August 2019 10:46
> To: samba at lists.samba.org
> Subject: [Samba] winbind on DC : how use gidNumber instead
> of primaryGroupID as user's primary group
>
> Hi Samba Team !
>
> My Samba AD DC server run an NFSv4 server so I need correct RFC2307 id
> mapping between the server and the clients.
>
> On the client side it's very easy with the new smb.conf options :
>
> idmap config SAMDOM:unix_nss_info = yes
> idmap config SAMDOM:unix_primary_group = yes
>
> But on the server side winbind use the gidNumber of the group
> corresponding to the user's primaryGroupID. Not the gidNumber
> directly.
>
> So all my users have their primary group set to "Domain Users" as I
> have set the "Domain Users" gidNumber as say in the documentation.
>
> How can I change this behavior ? On my NFSv4 shares all the files are
> owned by the "Domain Users" group instead of the correct user primary
> group.

I don't see anything incorrect here, it's just how you use it.
On my NFS the files are also owned by "domain users", exactly as I want.

If it's about rights on files/folders, use the other groups to allow access or deny access.
Use "domain users" to allow users to change files.

Does this help you a bit?

>
> Thanks for help !
>
> Baptiste.
>

Greetz,

Louis
Rowland penny
2019-Aug-19 09:07 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On 19/08/2019 09:45, Prunk Dump via samba wrote:
> Hi Samba Team !
>
> My Samba AD DC server run an NFSv4 server so I need correct RFC2307 id
> mapping between the server and the clients.
>
> On the client side it's very easy with the new smb.conf options :
>
> idmap config SAMDOM:unix_nss_info = yes
> idmap config SAMDOM:unix_primary_group = yes
>
> But on the server side winbind use the gidNumber of the group
> corresponding to the user's primaryGroupID. Not the gidNumber
> directly.
>
> So all my users have their primary group set to "Domain Users" as I
> have set the "Domain Users" gidNumber as say in the documentation.
>
> How can I change this behavior ? On my NFSv4 shares all the files are
> owned by the "Domain Users" group instead of the correct user primary
> group.
>
> Thanks for help !
>
> Baptiste.
>

This is one of the reasons why you shouldn't use a DC as a fileserver: you cannot do what you require safely.

The only way to do what you require is to replace your users' primaryGroupID contents with the required group's gidNumber, but this will break Windows because Windows expects all users to be a member of Domain Users.

I think the best idea is to work around this problem or use a Unix domain member as a fileserver ;-)

Rowland
Rowland penny
2019-Aug-19 09:10 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On 19/08/2019 10:00, L.P.H. van Belle via samba wrote:
> Hai,
>
> Fist of all, i must say it not very wise to have you NFS server on the AD-DC.
>
> I do about the same but my NFS server is on a member.
>
> Have you configured /etc/nsswitch.conf ?
> If not do that.
>
> If you run : id username
> I see : uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users)
> So my GID and Primary group id are the same.
>
>

Yes Louis, but you use Domain Users as the primary group and, as such, you do not need to set the gidNumber attribute for your users ;-)

Rowland
Prunk Dump
2019-Aug-19 10:13 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On Mon, 19 Aug 2019 at 11:01, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
> Hai,
>
> Fist of all, i must say it not very wise to have you NFS server on the AD-DC.
>
> I do about the same but my NFS server is on a member.
>
> Have you configured /etc/nsswitch.conf ?
> If not do that.
>
> If you run : id username
> I see : uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users)
> So my GID and Primary group id are the same.
>

This is a little bit off-thread, but why is it not safe to run an NFSv4 server on a DC? I know that with a samba file server you have some restrictions, like using only encrypted communication. But the NFS services are mostly independent. Is this not safe only because samba cannot give correct uid/gid mapping on a DC? And in this case, is there any plan to make samba usable in this configuration?

The fact that samba as DC cannot be used as a file server is a strange limitation, no? On Windows Server you don't have this problem. Is there some plan to make this possible?

I don't understand why this is so complicated. Does Samba use this winbind "primaryGroupID" gid mapping for the rights on the SYSVOL share?

>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Prunk Dump via samba
> > Sent: Monday 19 August 2019 10:46
> > To: samba at lists.samba.org
> > Subject: [Samba] winbind on DC : how use gidNumber instead
> > of primaryGroupID as user's primary group
> >
> > Hi Samba Team !
> >
> > My Samba AD DC server run an NFSv4 server so I need correct RFC2307 id
> > mapping between the server and the clients.
> >
> > On the client side it's very easy with the new smb.conf options :
> >
> > idmap config SAMDOM:unix_nss_info = yes
> > idmap config SAMDOM:unix_primary_group = yes
> >
> > But on the server side winbind use the gidNumber of the group
> > corresponding to the user's primaryGroupID. Not the gidNumber
> > directly.
> >
> > So all my users have their primary group set to "Domain Users" as I
> > have set the "Domain Users" gidNumber as say in the documentation.
> >
> > How can I change this behavior ? On my NFSv4 shares all the files are
> > owned by the "Domain Users" group instead of the correct user primary
> > group.
>
> I dont see any thing in correct here, its just how you use it.
> On my NFS the files are also owned by "domain users", exactly as i want.
>
> If its about rights on files/folders, use the other groups to allow access or deny access
> Use "domain users" to allow users to change files.
>
> Does this help you a bit?

You're right. But sometimes I use some special shares where users from multiple groups can create files, and I only want users from the same group to be able to see the content of each other's files. I use the gid like on a classic Linux station folder.

> >
> > Thanks for help !
> >
> > Baptiste.
> >
>
> Greetz,
>
> Louis
>

Last important thing. I use some script to manage my users from Linux. As I can't use the "id" command to get the user gidNumber on a DC:

What is the fastest command to get the user gidNumber value on a samba DC?

Thanks again!!!

Regards,

Baptiste.
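
As an added example (not part of the thread and not Samba code): shell functions, run over constructed LDIF shaped like `ldbsearch` output, that print a user's own gidNumber beside the gid found by following primaryGroupID to its group, which is the mapping this thread describes for winbind on a DC. The account names, SIDs and id numbers are made up, and the helper names `ldif_attr` and `dc_primary_gid` are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the shape of ldbsearch LDIF output; every name,
# SID and id number here is made up for illustration.
sample_ldif() {
cat <<'EOF'
dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: alice
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
primaryGroupID: 513
gidNumber: 10050

dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111111111-2222222222-3333333333-513
gidNumber: 10000
EOF
}

# Print attribute $2 of the record whose sAMAccountName is $1 (LDIF on stdin).
ldif_attr() {
    awk -v acct="$1" -v attr="$2" 'BEGIN { RS = ""; FS = "\n" }
    {
        hit = 0; val = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "sAMAccountName: " acct) hit = 1
            if (index($i, attr ": ") == 1) val = substr($i, length(attr) + 3)
        }
        if (hit) { print val; exit }
    }'
}

# gid derived the way the thread describes for a DC: the gidNumber of the
# group whose RID equals the user's primaryGroupID (LDIF on stdin, user in $1).
dc_primary_gid() {
    ldif=$(cat)
    rid=$(printf '%s\n' "$ldif" | ldif_attr "$1" primaryGroupID)
    [ -n "$rid" ] || return 1
    printf '%s\n' "$ldif" | awk -v rid="$rid" 'BEGIN { RS = ""; FS = "\n" }
    {
        sid = ""; gid = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "objectSid: ") == 1) sid = substr($i, 12)
            if (index($i, "gidNumber: ") == 1) gid = substr($i, 12)
        }
        n = split(sid, part, "-")
        if (n > 0 && part[n] == rid) { print gid; exit }
    }'
}

sample_ldif | ldif_attr alice gidNumber   # the user's own RFC2307 gidNumber
sample_ldif | dc_primary_gid alice        # gid of the primaryGroupID group
```

On a real DC the input would come from an `ldbsearch` query against the DC's sam.ldb instead of `sample_ldif`; the database path depends on the installation and is an assumption here.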