Rowland Penny
2015-Jan-13 17:03 UTC
[Samba] Is there any problem that can arise from remapping gidNumber?
On 13/01/15 16:25, John Lewis wrote:
> On 01/13/2015 11:10 AM, John Lewis wrote:
>> On 01/13/2015 10:41 AM, Rowland Penny wrote:
>>> On 13/01/15 15:11, John Lewis wrote:
>>>> On 01/13/2015 09:23 AM, Rowland Penny wrote:
>>>>> On 13/01/15 14:06, John Lewis wrote:
>>>>>> On 01/13/2015 06:35 AM, Rowland Penny wrote:
>>>>>>> On 13/01/15 11:33, John Lewis wrote:
>>>>>>>> This morning I remapped gidNumber from primaryGroupID to gidNumber. I
>>>>>>>> did that because I could not change the integer in primaryGroupID with
>>>>>>>> ldbedit as root.
>>>>>>>>
>>>>>>>> I mapped it to a new attribute called gidNumber which has no specific
>>>>>>>> meaning in samba. Are there any potential problems that can arise from
>>>>>>>> doing that? Is there a better way to fix that problem?
>>>>>>>>
>>>>>>> Hmm, definitely going to need more info here, gidNumber has a specific
>>>>>>> meaning to samba, depending on how you set up samba.
>>>>>>> Rowland
>>>>>>>
>>>>>> I took the defaults except for rfc2307 which I enabled. I am running
>>>>>> Samba Version 4.1.11-Debian.
>>>>> Yes, but what as ?? an AD DC or in classic mode i.e. just like samba3
>>>>> Might be best if you post your smb.conf (sanitised)
>>>>>
>>>>> Rowland
>>>> I attached it to this email.
>>>>
>>>>
>>> OK, so you are running samba4 as an AD DC, gidNumber definitely means
>>> something and if you want to change a user's primary group, you need to do
>>> something like this:
>>>
>>> First give the group that you want to be the new primary group a
>>> gidNumber (told you it means something)
>>> next, make sure the user is a member of this group, if not, add user to
>>> group
>>> get the group's RID
>>> change the user's primaryGroupID attribute to the group's RID
>>> AD will do the rest
>>>
>>> Rowland
>>>
>> What attribute is the group's RID?
>>
>>
> I figured out that the RID was the last few numbers on the end of the
> objectSid.
>
> How do I change the object Rid so I can change the GID of the group?
You don't change the RID

Every object in AD has an objectSid attribute, this consists of the domain SID (this is unique to the domain) with the user's/group's unique RID on the end.
As standard, every user's primaryGroupID is set to 513, this is the RID for Domain Users, so every user's primary group is Domain Users, even though they do not show as being a member in AD. If you want to change a user's primary group, you need to add the user to a group, get the objectSid of this group and then change the contents of the primaryGroupID attribute to this RID.

Having said all that, I think that you may be talking about AD from the Linux point of view, if so then that is a different thing altogether.

Rowland
John Lewis
2015-Jan-13 17:22 UTC
[Samba] Is there any problem that can arise from remapping gidNumber?
On 01/13/2015 12:03 PM, Rowland Penny wrote:
> On 13/01/15 16:25, John Lewis wrote:
>> On 01/13/2015 11:10 AM, John Lewis wrote:
>> I figured out that the RID was the last few numbers on the end of the
>> objectSid.
>>
>> How do I change the object Rid so I can change the GID of the group?
> You don't change the RID
>
> Every object in AD has an objectSid attribute, this consists of the
> domain SID (this is unique to the domain) with the user's/group's unique
> RID on the end.
> As standard, every user's primaryGroupID is set to 513, this is the RID
> for Domain Users, so every user's primary group is Domain Users, even
> though they do not show as being a member in AD. If you want to change a
> user's primary group, you need to add the user to a group, get the
> objectSid of this group and then change the contents of the
> primaryGroupID attribute to this RID.
>
> Having said all that, I think that you may be talking about AD from the
> Linux point of view, if so then that is a different thing altogether.
>
> Rowland
>
I am talking about AD from a Linux point of view, and having a GID number of the group tied to the RID sounds like a can of worms.

I want the POSIX stuff decoupled from the directory stuff so they don't get in each other's way.
Rowland Penny
2015-Jan-13 17:44 UTC
[Samba] Is there any problem that can arise from remapping gidNumber?
On 13/01/15 17:22, John Lewis wrote:
> On 01/13/2015 12:03 PM, Rowland Penny wrote:
>> On 13/01/15 16:25, John Lewis wrote:
>>> On 01/13/2015 11:10 AM, John Lewis wrote:
>>> I figured out that the RID was the last few numbers on the end of the
>>> objectSid.
>>>
>>> How do I change the object Rid so I can change the GID of the group?
>> You don't change the RID
>>
>> Every object in AD has an objectSid attribute, this consists of the
>> domain SID (this is unique to the domain) with the user's/group's unique
>> RID on the end.
>> As standard, every user's primaryGroupID is set to 513, this is the RID
>> for Domain Users, so every user's primary group is Domain Users, even
>> though they do not show as being a member in AD. If you want to change a
>> user's primary group, you need to add the user to a group, get the
>> objectSid of this group and then change the contents of the
>> primaryGroupID attribute to this RID.
>>
>> Having said all that, I think that you may be talking about AD from the
>> Linux point of view, if so then that is a different thing altogether.
>>
>> Rowland
>>
> I am talking about AD from a Linux point of view, and having a GID
> number of the group tied to the RID sounds like a can of worms.
>
> I want the POSIX stuff decoupled from the directory stuff so they don't get in
> each other's way.
OK, you want your Linux users to be authenticated by your AD DC? To do this you need to use rfc2307 attributes, these come as standard with samba4, but you may have to add IDMU to a Windows AD server, but as you mentioned 'uidNumber' it sounds like you already have the rfc2307 attributes. The minimum attributes you need to add are: a 'gidNumber' attribute to Domain Users and any other AD groups you want to be visible to Linux; users also need a 'uidNumber' and a 'gidNumber', this 'gidNumber' would be one that you have given to a domain group.

You do not need to do anything else on the DC, these numbers will be used automatically, but on a member server you need to set up samba to use these rfc2307 attributes, see the wiki.

Rowland
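To make the two separate things in this thread concrete, the AD primary group (objectSid, RID, primaryGroupID) and the POSIX view (uidNumber/gidNumber from rfc2307), here is an added Python example that is not from the thread or from Samba; it works on constructed sample objects, and the domain SID, RIDs, account name jlewis and gidNumber values are all assumptions.

```python
import re

# Constructed sample objects (not from any real directory): one user, three groups.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUPS = {
    "Domain Users": {"objectSid": DOMAIN_SID + "-513", "gidNumber": 10000},
    "engineering":  {"objectSid": DOMAIN_SID + "-1105", "gidNumber": 10001},
    "printops":     {"objectSid": DOMAIN_SID + "-1110"},  # no gidNumber yet
}
USER = {"sAMAccountName": "jlewis", "objectSid": DOMAIN_SID + "-1103",
        "primaryGroupID": 513, "uidNumber": 10500, "gidNumber": 10000,
        "memberOf": ["Domain Users"]}

# A domain SID is S-1-5-21-<three sub-authorities>; the RID is the last component.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain SID, RID) for an objectSid string."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain object SID: " + sid)
    return m.group(1), int(m.group(2))

def set_primary_group(user, group_name, groups):
    """Change the AD primary group the way the thread describes: the group must
    carry a gidNumber, the user must be a member, and primaryGroupID receives the
    group's RID. The RID itself is never edited."""
    group = groups[group_name]
    if "gidNumber" not in group:
        raise ValueError(group_name + " has no gidNumber; give it one first")
    if group_name not in user["memberOf"]:
        user["memberOf"].append(group_name)
    domain, rid = split_sid(group["objectSid"])
    if domain != split_sid(user["objectSid"])[0]:
        raise ValueError("group belongs to a different domain")
    user["primaryGroupID"] = rid
    return rid

def rfc2307_problems(user, groups):
    """List what a Linux member server reading rfc2307 attributes would miss:
    the user needs uidNumber and gidNumber, and that gidNumber must belong to a
    domain group that also carries a gidNumber."""
    problems = [a + " missing on user" for a in ("uidNumber", "gidNumber")
                if a not in user]
    known_gids = {g["gidNumber"] for g in groups.values() if "gidNumber" in g}
    if "gidNumber" in user and user["gidNumber"] not in known_gids:
        problems.append("user gidNumber %d matches no group" % user["gidNumber"])
    return problems
```

Note that set_primary_group leaves the user's gidNumber alone: the POSIX primary group stays decoupled from primaryGroupID and is only checked for consistency by rfc2307_problems.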