samba - Nov 2015 - How to configure Winbind to use uidNumber and gidNumber

2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 11/11/15 06:52, Michael Adam wrote:
>
>> On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>>
>>> On 10/11/15 13:42, mathias dufresne wrote:
>>>
>>>> Thank you for this quick answer Louis.
>>>>
>>>> On DC:
>>>>
>>>> On DC I had to add one line to have winbind retrieving
uidNumber AD
>>>> field
>>>> rather than having Winbind chosing some random UID for my
users.
>>>> This line is:
>>>>
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> as explained in
>>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>>
>>>> That's a start.
>>>>
>>>> Unfortunately winbind is still giving my users GID number set
to 100,
>>>> which
>>>> is "Domain Users" group, when my users have gidNumber
attribute set.
>>>>
>>> unfortunately the contents of the 'gidNumber' attribute is
not used for
>>> the
>>> users GID, you need to give 'Domain Users' a gidNumber and
this is what
>>> will
>>> be used.
>>>
>> That is not unfortunate, but the right thing to do (imho),
>> because the domain users group (or whatever the primary AD
>> level group is for the user) is what will appear in the access
>> token when the user accesses a file server.
>>
>
> Well, it is unfortunate if you expected it to be used, but yes it is the
> right thing to do.

No more comment. For today :p

>
>
>
>> We can think about making the use of the gidNumber attribute
>> a configurable option (at least for the start in the domain
>> member case with idmap_ad). But again, the right thing to do
>> is use the SID-level primary group for primary gid of the unix
>> user.
>>
>
> You don't actually need the gidNumber, every users primary group is
> 'Domain Users', you can change this, but it is slightly complicated
and it
> breaks things on windows.

Seriously Rowland...

First it is not complicated, changing one attribute value for one user or
for all users in AD DB is not something complicated. A bit of LDIF, a bit
of ldbmodify, nothing complex.
But I agree changing pirmaryGroupID value would be dangerous. Dangerous
because of my lack of knowledge about Windows world.
To avoid side effect I would change that value and add a memberOf attribute
to my users for they are still in "Domain Users". Doing that I could
use
Winbind to retrieve my AD users on UNIX systems, they would have something
else than 100 as GID and they would be in "Domain Users". Until some
users
is not well created by some dude not paid enough to read carefully the doc
or too tired to pay attention. Then to understand what is missing for this
newly-created-user would be fun...

I expect the fact in RFC2307 there is a dedicated attribute to host UNIX
Primary Group ID (namely gidNumber) is to avoid all (and most certainly
more) issues described earlier.

>
>
>
>>
>> Same for shell, in AD loginShell is defined to /bin/bash for all my
UNIX
>>>> users and winbind gives /bin/false on DC. Perhaps that's
what it
>>>> expected
>>>> by that tool but I still found that behaviour very confusing.
>>>> Please note I know there is a "template shell" option
in smb.conf.
>>>> Unfortunately this option is, I think, to set all shell equal
to that
>>>> template, for all users. That's not what we need. If some
user in AD
>>>> wants
>>>> to use CSH, this user must have a shell set to /bin/csh (or
wherever it
>>>> is
>>>> installed), if some user has to be set to /bin/false, it must
be. And
>>>> for
>>>> most of our users they would receive /bin/bash because it is
what we
>>>> configure in loginShell by default.
>>>>
>>> You can only use the 'template' lines on the DC, if you
need to have
>>> different home dirs or shells, use a member server.
>>>
>> As discussed elsewhere, we should add the feature to use the AD
>> attributes (configurably).  Someone has to find the time to
>> implement the changes.
>>
>
> I think this really needs to be given a bit more priority than it has in
> the past, get this working and you get a good replacement for the now
> defunct SBS server.
>
> Rowland
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On 12/11/15 13:22, mathias dufresne wrote:
>
>
> 2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com
> <mailto:rowlandpenny241155 at gmail.com>>:
>
>     On 11/11/15 06:52, Michael Adam wrote:
>
>         On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>
>             On 10/11/15 13:42, mathias dufresne wrote:
>
>                 Thank you for this quick answer Louis.
>
>                 On DC:
>
>                 On DC I had to add one line to have winbind retrieving
>                 uidNumber AD field
>                 rather than having Winbind chosing some random UID for
>                 my users.
>                 This line is:
>
>                 idmap_ldb:use rfc2307 = yes
>
>                 as explained in
>                 https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
>                 That's a start.
>
>                 Unfortunately winbind is still giving my users GID
>                 number set to 100, which
>                 is "Domain Users" group, when my users have
gidNumber
>                 attribute set.
>
>             unfortunately the contents of the 'gidNumber' attribute
is
>             not used for the
>             users GID, you need to give 'Domain Users' a gidNumber
and
>             this is what will
>             be used.
>
>         That is not unfortunate, but the right thing to do (imho),
>         because the domain users group (or whatever the primary AD
>         level group is for the user) is what will appear in the access
>         token when the user accesses a file server.
>
>
>     Well, it is unfortunate if you expected it to be used, but yes it
>     is the right thing to do.
>
>
> No more comment. For today :p
>
>
>
>
>         We can think about making the use of the gidNumber attribute
>         a configurable option (at least for the start in the domain
>         member case with idmap_ad). But again, the right thing to do
>         is use the SID-level primary group for primary gid of the unix
>         user.
>
>
>     You don't actually need the gidNumber, every users primary group
>     is 'Domain Users', you can change this, but it is slightly
>     complicated and it breaks things on windows.
>
>
> Seriously Rowland...
>
> First it is not complicated, changing one attribute value for one user 
> or for all users in AD DB is not something complicated. A bit of LDIF, 
> a bit of ldbmodify, nothing complex.
Go on, try it, change a users primary group id by just changing their 
'primaryGroupID', you will find it Doesn't work, it is more involved
than that.
> But I agree changing pirmaryGroupID value would be dangerous. 
> Dangerous because of my lack of knowledge about Windows world.
If you have windows users and change a users primary group id, it could 
break something because windows expects every user to be a member of 
Domain Users.
> To avoid side effect I would change that value and add a memberOf 
> attribute to my users for they are still in "Domain Users". Doing
that
> I could use Winbind to retrieve my AD users on UNIX systems, they 
> would have something else than 100 as GID and they would be in "Domain
> Users". Until some users is not well created by some dude not paid 
> enough to read carefully the doc or too tired to pay attention. Then 
> to understand what is missing for this newly-created-user would be fun...
You could do this, but it could get terribly messy.
>
> I expect the fact in RFC2307 there is a dedicated attribute to host 
> UNIX Primary Group ID (namely gidNumber) is to avoid all (and most 
> certainly more) issues described earlier.
Yes, but you do not need the gidNumber.

Rowland

2015-11-12 14:42 GMT+01:00 Rowland Penny <rowlandpenny241155 at
gmail.com>:
> On 12/11/15 13:22, mathias dufresne wrote:
>
>>
>>
>> 2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at
gmail.com
>> <mailto:rowlandpenny241155 at gmail.com>>:
>>
>>
>>     On 11/11/15 06:52, Michael Adam wrote:
>>
>>         On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>>
>>             On 10/11/15 13:42, mathias dufresne wrote:
>>
>>                 Thank you for this quick answer Louis.
>>
>>                 On DC:
>>
>>                 On DC I had to add one line to have winbind retrieving
>>                 uidNumber AD field
>>                 rather than having Winbind chosing some random UID for
>>                 my users.
>>                 This line is:
>>
>>                 idmap_ldb:use rfc2307 = yes
>>
>>                 as explained in
>>                
https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>
>>                 That's a start.
>>
>>                 Unfortunately winbind is still giving my users GID
>>                 number set to 100, which
>>                 is "Domain Users" group, when my users have
gidNumber
>>                 attribute set.
>>
>>             unfortunately the contents of the 'gidNumber'
attribute is
>>             not used for the
>>             users GID, you need to give 'Domain Users' a
gidNumber and
>>             this is what will
>>             be used.
>>
>>         That is not unfortunate, but the right thing to do (imho),
>>         because the domain users group (or whatever the primary AD
>>         level group is for the user) is what will appear in the access
>>         token when the user accesses a file server.
>>
>>
>>     Well, it is unfortunate if you expected it to be used, but yes it
>>     is the right thing to do.
>>
>>
>> No more comment. For today :p
>>
>>
>>
>>
>>         We can think about making the use of the gidNumber attribute
>>         a configurable option (at least for the start in the domain
>>         member case with idmap_ad). But again, the right thing to do
>>         is use the SID-level primary group for primary gid of the unix
>>         user.
>>
>>
>>     You don't actually need the gidNumber, every users primary
group
>>     is 'Domain Users', you can change this, but it is slightly
>>     complicated and it breaks things on windows.
>>
>>
>> Seriously Rowland...
>>
>> First it is not complicated, changing one attribute value for one user
or
>> for all users in AD DB is not something complicated. A bit of LDIF, a
bit
>> of ldbmodify, nothing complex.
>>
>
> Go on, try it, change a users primary group id by just changing their
> 'primaryGroupID', you will find it Doesn't work, it is more
involved than
> that.

I won't, there are tools to do what I want in nices ways (nslcd, sssd at
least).
Winbind is really close to give us that possibility too and I'm almost sure
this tool will also be improved one day to give us usage of all rfc2307
attributes.

>
> But I agree changing pirmaryGroupID value would be dangerous. Dangerous
>> because of my lack of knowledge about Windows world.
>>
>
> If you have windows users and change a users primary group id, it could
> break something because windows expects every user to be a member of Domain
> Users.
>
> To avoid side effect I would change that value and add a memberOf
>> attribute to my users for they are still in "Domain Users".
Doing that I
>> could use Winbind to retrieve my AD users on UNIX systems, they would
have
>> something else than 100 as GID and they would be in "Domain
Users". Until
>> some users is not well created by some dude not paid enough to read
>> carefully the doc or too tired to pay attention. Then to understand
what is
>> missing for this newly-created-user would be fun...
>>
>
> You could do this, but it could get terribly messy.

In fact I won't.

>
>
>
>> I expect the fact in RFC2307 there is a dedicated attribute to host
UNIX
>> Primary Group ID (namely gidNumber) is to avoid all (and most certainly
>> more) issues described earlier.
>>
>
> Yes, but you do not need the gidNumber.

In fact, I do.

>
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>