?icro MEGAS
2014-Oct-30 00:17 UTC
[Samba] domain users "primary group" does not take effect in UNIX attributes (NIS)
Hello list,

using AD with rfc2307 provisioned and NIS extensions are available. In ADUC tool I choose the group "Domain Admins" and click on the [UNIX Attributes] tab. I activate it for my domain and choose the GID=500. When I execute on my member server "net cache flush && getent group 500" I get the result

domain admins:x:500:johndoe,name1,name2

So far so good, that means that domain group is available on the member server. Here's an output of "getent passwd"...

[...]
johndoe:*:500:40000:John Doe:/home/MYDOM/johndoe:/bin/bash
[...]

Looks correct, the user "johndoe" has uid=500 and gid=40000. The gid 40000 is "domain users".

Now I want to change some UNIX attributes of that particular user. I open ADUC tool, choose that user "johndoe", click on the [UNIX Attributes] tab and make following changes there:

shell=/bin/false
home=/srv/some/thing/else
Primary Group=Domain Admins

Then I apply these settings and on the member server I do a restart of the winbind service and check the results of "getent passwd" ...

[...]
johndoe:*:500:40000:John Doe:/srv/some/thing/else:/bin/false
[...]

The shell and home were applied correctly, but why doesn't the "primary group" take effect ??? I would expect a line like that...

johndoe:*:500:500:John Doe:/srv/some/thing/else:/bin/false

I have tried with other groups, too but without success. Whatever I do choose as "primary group" for a user in the [UNIX Attributes] tab, it does *not take effect*. Is this a known bug?

Cheers,
Mirco
L.P.H. van Belle
2014-Oct-30 07:47 UTC
>> Whatever I do choose as "primary group" for a user in the [UNIX Attributes] tab, it does *not take effect*. Is this a
>> known bug?

What did you set as the "primary group" on the "Member of" tab? That's the group you need to set.

Louis
?icro MEGAS
2014-Oct-30 08:22 UTC
> What did you set as the "primary group" on the "Member of" tab?
> That's the group you need to set.

Hi Louis,

the "Set Primary Group" on the tab [Member of] is not usable, it's greyed out. I cannot click/choose anything on that area. I tested on several user accounts and with different Domain Admins account logged-in and using ADUC. But that makes sense, as in "windows world" you don't need the primary group as the text in that window is explaining. I think this setting has to be done in [UNIX Attributes] tab as it counts for UNIX accounts. But how?

Mirco
L.P.H. van Belle
2014-Oct-30 08:30 UTC
And you did click on some other groups. Because for me it's also greyed out, but when I click on another group I'm able to select another one.

The primary group is the group (gid) which will be set on Linux. Not the Unix group you selected at the Unix tab.

Louis
Lars Hanke
2014-Oct-30 20:33 UTC
Hi Mirco,

ADUC wrecked some of my users. Apparently it does not exactly comply with RFC2307. Try something like:

ldapsearch -b "dc=samdom,dc=example,dc=com" -H ldap://localhost -D "cn=Administrator,cn=Users,dc=samdom,dc=example,dc=com" -W -x '(sAMAccountName=johndoe)'

to figure out what exactly is in LDAP.

Regards,
- lars.
Marc Muehlfeld
2014-Oct-30 21:02 UTC
Hello Mirco,

On 30.10.2014 at 01:17, ?icro MEGAS wrote:
> The shell and home were applied correctly, but why doesn't the
> "primary group" take effect ??? I would expect a line like that...
> johndoe:*:500:500:John Doe:/srv/some/thing/else:/bin/false

Because getent takes the value of 'primaryGroupID' and not 'gidNumber'!

gidNumber: This is the attribute behind the 'Primary group name/GID' field on the Unix Attributes tab.

primaryGroupID: This is the Windows primary group of a user account. To change this, go to the 'MemberOf' tab in ADUC, add the 'Domain Admins' group, mark it in the list and then click the button 'set primary group'.

See http://technet.microsoft.com/en-us/library/cc771489.aspx

Regards,
Marc
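Added example (not part of the thread and not Samba code): a Python check over ldapsearch-style LDIF, such as the output of the ldapsearch command suggested earlier, that lists accounts whose gidNumber differs from the gidNumber of the group primaryGroupID points to, which is the situation described in the reply above. The LDIF, the domain SID and the helper names are constructed for illustration; the reader handles neither folded lines nor multi-valued attributes.

```python
import base64
import struct

def make_sid(rid, domain=(21, 1111, 2222, 3333)):
    """Constructed sample data: binary SID S-1-5-<domain>-<rid>, base64 as ldapsearch prints it."""
    subs = domain + (rid,)
    raw = struct.pack("<BB", 1, len(subs)) + (5).to_bytes(6, "big")
    return base64.b64encode(raw + struct.pack(f"<{len(subs)}I", *subs)).decode()

def rid_of(b64_sid):
    """The RID is the last 32-bit little-endian sub-authority of the binary SID."""
    return struct.unpack("<I", base64.b64decode(b64_sid)[-4:])[0]

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, one value per attribute."""
    return [{k: v.lstrip(":").strip()
             for k, _, v in (line.partition(":") for line in block.splitlines())}
            for block in text.strip().split("\n\n")]

def primary_group_mismatches(entries):
    """Return (user, gidNumber attribute, GID of the primaryGroupID group) where they differ."""
    # Groups carry objectSid and gidNumber but no primaryGroupID.
    gid_by_rid = {rid_of(e["objectSid"]): int(e["gidNumber"]) for e in entries
                  if "objectSid" in e and "gidNumber" in e and "primaryGroupID" not in e}
    found = []
    for e in entries:
        if "primaryGroupID" in e and "gidNumber" in e:
            effective = gid_by_rid.get(int(e["primaryGroupID"]))
            if effective != int(e["gidNumber"]):
                found.append((e["sAMAccountName"], int(e["gidNumber"]), effective))
    return found

# Constructed sample: RID 513 is Domain Users, RID 512 is Domain Admins.
SAMPLE_LDIF = f"""dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectSid:: {make_sid(513)}
gidNumber: 40000

dn: CN=Domain Admins,CN=Users,DC=samdom,DC=example,DC=com
objectSid:: {make_sid(512)}
gidNumber: 500

dn: CN=John Doe,CN=Users,DC=samdom,DC=example,DC=com
sAMAccountName: johndoe
primaryGroupID: 513
gidNumber: 500
"""

if __name__ == "__main__":
    for user, attr_gid, effective in primary_group_mismatches(parse_ldif(SAMPLE_LDIF)):
        print(f"{user}: gidNumber={attr_gid}, primaryGroupID resolves to GID {effective}")
```

A reported account is one where the Unix Attributes tab and the Windows primary group disagree, so the GID seen on the member server is not the one an administrator reading gidNumber would expect.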