On 10/07/15 09:36, Pisch Tamás wrote:
> Hello Marc,
>
> thank you for your answer. I already added gidNumber 513 for the group. Now
> I added the two additional attributes for the group. I installed RSAT, and
> enabled the necessary modules according to the Samba wiki. I opened AD
> users and computers, and Domain Users' properties. When I click on the UNIX
> Attributes tab, I get an error: Execution denied. On the panel I see: NIS
> Domain: xxx; GID: 513; Members: empty list.
> When I add members, it accepts silently, but when I reopen this window, the
> members list is empty again.
>
> Thanks,
> Tamas.
>
> 2015-07-09 12:46 GMT+02:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>
>> Hello Pisch,
>>
>> Am 09.07.2015 um 11:42 schrieb Pisch Tamás:
>>> I had old files with group Domain Users. I see now 513 as group for them. I
>>> realised that in the ldap database, the "well known" groups don't have
>>> gidNumber. The users and groups which I created in Samba3 seem ok, they
>>> have correct gidNumber and uidNumber, and I can use chown locally with them.
>>> I added the gidNumber attribute to the "well known" groups manually, but
>>> Domain Users is not yet resolvable locally.
>> The Domain Users group is not migrated - it is newly created. Assign it the
>> same gidNumber value that you had in your previous installation. The
>> easiest way is to do this via the Unix Attributes tab in ADUC.
>>
>> Besides the gidNumber, ADUC adds two more attributes:
>> msSFU30NisDomain: samdom
>> msSFU30Name: Domain Users
>>
>>
>> See
>> https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
>>
>>
>> Regards,
>> Marc
>>

Hi, I think I can answer this, you have upgraded to AD and if you
examine the 'Domain Users' object in AD, you will find that it doesn't
show as having any members, yet every user is automatically a member of
Domain Users. This happens because every user has a 'primaryGroupID'
attribute containing the RID '513', this is what makes them members of
Domain Users.

You can change the user's 'primaryGroupID' attribute, but you first have
to add them to another group, then change the user's 'primaryGroupID'
attribute to contain the RID of the new group, but there is a sting in
the tail. AD expects all users to be members of Domain Users and quite a
lot will not work correctly if they aren't, so you would then have to
add them as members of Domain Users, they would now show up as members.
You have now gone around in a circle to get back to where you were
before you started, it would have been easier to just add the user to
the new group.

Rowland
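
The membership rule described in the reply above, as an added example that is not part of the original thread: a group's effective members are its explicit `member` values plus every user whose `primaryGroupID` equals the group's RID, which is why an audit that reads only `member` sees Domain Users as empty. The domain SID, DNs, RIDs other than 513, and the helper names are constructed for illustration.

```python
# Constructed sample entries (not from the thread), shaped like LDAP search
# results from the AD database with objectSid already in string form.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
BASE = "CN=Users,DC=samdom,DC=example,DC=com"              # constructed

DOMAIN_USERS = {
    "dn": "CN=Domain Users," + BASE,
    "objectSid": DOMAIN_SID + "-513",
    "member": ["CN=bob," + BASE],  # only explicitly added users appear here
}
USERS = [
    # alice: default case, primary group is Domain Users, absent from 'member'
    {"dn": "CN=alice," + BASE, "objectSid": DOMAIN_SID + "-1103",
     "primaryGroupID": "513"},
    # bob: primary group changed to RID 1105, then re-added to Domain Users
    {"dn": "CN=bob," + BASE, "objectSid": DOMAIN_SID + "-1104",
     "primaryGroupID": "1105"},
    # carol: primary group changed to RID 1105 and never re-added
    {"dn": "CN=carol," + BASE, "objectSid": DOMAIN_SID + "-1106",
     "primaryGroupID": "1105"},
]


def split_sid(sid):
    """Return (domain SID, RID) for a SID in string form."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def effective_members(group, users):
    """Explicit 'member' DNs plus users whose primaryGroupID is the group's RID."""
    domain, rid = split_sid(group["objectSid"])
    members = set(group.get("member", []))
    for user in users:
        user_domain, _ = split_sid(user["objectSid"])
        # primaryGroupID stores only a RID, so it refers to the user's own domain.
        if user_domain == domain and int(user["primaryGroupID"]) == rid:
            members.add(user["dn"])
    return sorted(members)


def not_in_group(group, users):
    """Users that are neither explicit nor primary-group members of the group."""
    members = set(effective_members(group, users))
    return sorted(u["dn"] for u in users if u["dn"] not in members)


if __name__ == "__main__":
    print("effective members:", effective_members(DOMAIN_USERS, USERS))
    print("missing from Domain Users:", not_in_group(DOMAIN_USERS, USERS))
```
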