samba - Jun 2015 - (Samba 4.2.2) wbinfo -i does not get the (correct) unix primary group gid

Hi Rowland,
> Gesendet: Freitag, 19. Juni 2015 um 12:22 Uhr
> Von: "Rowland Penny" <rowlandpenny at googlemail.com>
> An: samba at lists.samba.org
> Betreff: Re: [Samba] (Samba 4.2.2) wbinfo -i does not get the (correct)
unix primary group gid
>
> >   
> 
> OK, I now have a VM running Centos 7 with Sernet-Samba 4.2.2, this is 
> setup just like I would setup a Debian client and it works, 'wbinfo -i 
> rowland' returns nearly the same result as on a Debian client i.e. 
> Centos returns the Display Name as well.
> 
> Centos:
> wbinfo -i rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> 
> Debian:
> wbinfo -i rowland
> rowland:*:10000:10000::/home/rowland:/bin/bash
> 
> 'id rowland' doesn't work on Centos, but I am sure that is only
because
> I haven't yet setup PAM.
> 
> So, we need to know just how you installed samba, what packages have you 
> installed ?
> 
Sernet-Samba 4.2.2 on CentOS7 here, too. The other machine is Sernet-Samba
3.3.15 on CentOS 5.10.

In your AD setup: what is gidNumber and primaryGroupID for user rowland?

regards

Frank

On 19/06/15 12:26, Frank Grantz wrote:
> Hi Rowland,
>
>> Gesendet: Freitag, 19. Juni 2015 um 12:22 Uhr
>> Von: "Rowland Penny" <rowlandpenny at googlemail.com>
>> An: samba at lists.samba.org
>> Betreff: Re: [Samba] (Samba 4.2.2) wbinfo -i does not get the (correct)
unix primary group gid
>>
>>>    
>> OK, I now have a VM running Centos 7 with Sernet-Samba 4.2.2, this is
>> setup just like I would setup a Debian client and it works, 'wbinfo
-i
>> rowland' returns nearly the same result as on a Debian client i.e.
>> Centos returns the Display Name as well.
>>
>> Centos:
>> wbinfo -i rowland
>> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
>>
>> Debian:
>> wbinfo -i rowland
>> rowland:*:10000:10000::/home/rowland:/bin/bash
>>
>> 'id rowland' doesn't work on Centos, but I am sure that is
only because
>> I haven't yet setup PAM.
>>
>> So, we need to know just how you installed samba, what packages have
you
>> installed ?
>>
> Sernet-Samba 4.2.2 on CentOS7 here, too. The other machine is Sernet-Samba
3.3.15 on CentOS 5.10.
>
> In your AD setup: what is gidNumber and primaryGroupID for user rowland?
>
> regards
>
> Frank
>
OK, this my object in AD with the relevant attributes:

dn: CN=Rowland Penny,CN=Users,DC=example,DC=com
primaryGroupID: 513
uid: rowland
msSFU30Name: rowland
msSFU30NisDomain: example
uidNumber: 10000
gidNumber: 10000
loginShell: /bin/bash
unixUserPassword: ABCD!efgh12345$67890
unixHomeDirectory: /home/rowland

And this is the 'Domain Users' object:

dn: CN=Domain Users,CN=Users,DC=example,DC=com
msSFU30NisDomain: example
msSFU30Name: Domain Users
gidNumber: 10000

With AD, all users are automatically members of 'Domain Users' even 
though they do not show as members in the 'Domain Users' object. If you 
change a users 'primaryGroupID' from 513 to the RID of another group, 
you must add the user to the 'Domain Users' group as a member, it breaks
things if you don't :-)

What you need to get your head around is:
RID = windows user or group
uidNumber = Unix user
gidNumber = Unix group
gidNumber in users object = users Unix primary group, not to be confused 
with the 'primaryGroupID' attribute

Rowland

Hi Rowland,
> Gesendet: Freitag, 19. Juni 2015 um 13:52 Uhr
> Von: "Rowland Penny" <rowlandpenny at googlemail.com>
> An: samba at lists.samba.org
> Betreff: Re: [Samba] (Samba 4.2.2) wbinfo -i does not get the (correct)
unix primary group gid
>
> On 19/06/15 12:26, Frank Grantz wrote:
> > Hi Rowland,
> >
> >> Gesendet: Freitag, 19. Juni 2015 um 12:22 Uhr
> >> Von: "Rowland Penny" <rowlandpenny at
googlemail.com>
> >> An: samba at lists.samba.org
> >> Betreff: Re: [Samba] (Samba 4.2.2) wbinfo -i does not get the
(correct) unix primary group gid
> >>
> >>>    
> >> OK, I now have a VM running Centos 7 with Sernet-Samba 4.2.2, this
is
> >> setup just like I would setup a Debian client and it works,
'wbinfo -i
> >> rowland' returns nearly the same result as on a Debian client
i.e.
> >> Centos returns the Display Name as well.
> >>
> >> Centos:
> >> wbinfo -i rowland
> >> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> >>
> >> Debian:
> >> wbinfo -i rowland
> >> rowland:*:10000:10000::/home/rowland:/bin/bash
> >>
> >> 'id rowland' doesn't work on Centos, but I am sure
that is only because
> >> I haven't yet setup PAM.
> >>
> >> So, we need to know just how you installed samba, what packages
have you
> >> installed ?
> >>
> > Sernet-Samba 4.2.2 on CentOS7 here, too. The other machine is
Sernet-Samba 3.3.15 on CentOS 5.10.
> >
> > In your AD setup: what is gidNumber and primaryGroupID for user
rowland?
> >
> > regards
> >
> > Frank
> >
> 
> OK, this my object in AD with the relevant attributes:
> 
> dn: CN=Rowland Penny,CN=Users,DC=example,DC=com
> primaryGroupID: 513
> uid: rowland
> msSFU30Name: rowland
> msSFU30NisDomain: example
> uidNumber: 10000
> gidNumber: 10000
> loginShell: /bin/bash
> unixUserPassword: ABCD!efgh12345$67890
> unixHomeDirectory: /home/rowland
> 
> And this is the 'Domain Users' object:
> 
> dn: CN=Domain Users,CN=Users,DC=example,DC=com
> msSFU30NisDomain: example
> msSFU30Name: Domain Users
> gidNumber: 10000
> 
> With AD, all users are automatically members of 'Domain Users' even
> though they do not show as members in the 'Domain Users' object. If
you
> change a users 'primaryGroupID' from 513 to the RID of another
group,
> you must add the user to the 'Domain Users' group as a member, it
breaks
> things if you don't :-)
> 
> What you need to get your head around is:
> RID = windows user or group
> uidNumber = Unix user
> gidNumber = Unix group
> gidNumber in users object = users Unix primary group, not to be confused 
> with the 'primaryGroupID' attribute
> 
> Rowland
> 
In your setup  CN=Rowland Penny has  gidNumber: 10000 - which is coincidentally
the same gidNumber that CN=Domain Users has.

If you change one of these numbers you will get different results with different
versions of wbinfo. The question to me is: Do i have to change groups in my AD
or will wbinfo/winbind change in a way that i will behave like the old version
in this point again.

regards

Frank