mathias dufresne
2015-Nov-12 13:22 UTC
[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 11/11/15 06:52, Michael Adam wrote:
>
>> On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>>
>>> On 10/11/15 13:42, mathias dufresne wrote:
>>>
>>>> Thank you for this quick answer Louis.
>>>>
>>>> On DC:
>>>>
>>>> On DC I had to add one line to have winbind retrieving uidNumber AD
>>>> field rather than having Winbind choosing some random UID for my users.
>>>> This line is:
>>>>
>>>> idmap_ldb:use rfc2307 = yes
>>>>
>>>> as explained in
>>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>>
>>>> That's a start.
>>>>
>>>> Unfortunately winbind is still giving my users GID number set to 100,
>>>> which is "Domain Users" group, when my users have gidNumber attribute
>>>> set.
>>>>
>>> unfortunately the contents of the 'gidNumber' attribute is not used for
>>> the users GID, you need to give 'Domain Users' a gidNumber and this is
>>> what will be used.
>>>
>> That is not unfortunate, but the right thing to do (imho),
>> because the domain users group (or whatever the primary AD
>> level group is for the user) is what will appear in the access
>> token when the user accesses a file server.
>>
> Well, it is unfortunate if you expected it to be used, but yes it is the
> right thing to do.

No more comment. For today :p

>> We can think about making the use of the gidNumber attribute
>> a configurable option (at least for the start in the domain
>> member case with idmap_ad). But again, the right thing to do
>> is use the SID-level primary group for primary gid of the unix
>> user.
>>
> You don't actually need the gidNumber, every user's primary group is
> 'Domain Users', you can change this, but it is slightly complicated and it
> breaks things on windows.

Seriously Rowland...

First it is not complicated, changing one attribute value for one user or
for all users in AD DB is not something complicated. A bit of LDIF, a bit
of ldbmodify, nothing complex.

But I agree changing primaryGroupID value would be dangerous. Dangerous
because of my lack of knowledge about Windows world. To avoid side effects
I would change that value and add a memberOf attribute to my users so they
are still in "Domain Users". Doing that I could use Winbind to retrieve my
AD users on UNIX systems, they would have something else than 100 as GID
and they would be in "Domain Users". Until some user is not well created by
some dude not paid enough to read carefully the doc or too tired to pay
attention. Then to understand what is missing for this newly-created user
would be fun...

I expect the fact in RFC2307 there is a dedicated attribute to host UNIX
Primary Group ID (namely gidNumber) is to avoid all (and most certainly
more) issues described earlier.

>>>> Same for shell, in AD loginShell is defined to /bin/bash for all my
>>>> UNIX users and winbind gives /bin/false on DC. Perhaps that's what is
>>>> expected by that tool but I still found that behaviour very confusing.
>>>> Please note I know there is a "template shell" option in smb.conf.
>>>> Unfortunately this option is, I think, to set all shells equal to that
>>>> template, for all users. That's not what we need. If some user in AD
>>>> wants to use CSH, this user must have a shell set to /bin/csh (or
>>>> wherever it is installed), if some user has to be set to /bin/false, it
>>>> must be. And for most of our users they would receive /bin/bash because
>>>> it is what we configure in loginShell by default.
>>>>
>>> You can only use the 'template' lines on the DC, if you need to have
>>> different home dirs or shells, use a member server.
>>>
>> As discussed elsewhere, we should add the feature to use the AD
>> attributes (configurably). Someone has to find the time to
>> implement the changes.
>>
> I think this really needs to be given a bit more priority than it has in
> the past, get this working and you get a good replacement for the now
> defunct SBS server.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Nov-12 13:42 UTC
[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
On 12/11/15 13:22, mathias dufresne wrote:
>
> 2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com
> <mailto:rowlandpenny241155 at gmail.com>>:
>
>> On 11/11/15 06:52, Michael Adam wrote:
>>
>>> On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>>>
>>>> On 10/11/15 13:42, mathias dufresne wrote:
>>>>
>>>>> Thank you for this quick answer Louis.
>>>>>
>>>>> On DC:
>>>>>
>>>>> On DC I had to add one line to have winbind retrieving uidNumber AD
>>>>> field rather than having Winbind choosing some random UID for my
>>>>> users. This line is:
>>>>>
>>>>> idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> as explained in
>>>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>>>
>>>>> That's a start.
>>>>>
>>>>> Unfortunately winbind is still giving my users GID number set to
>>>>> 100, which is "Domain Users" group, when my users have gidNumber
>>>>> attribute set.
>>>>>
>>>> unfortunately the contents of the 'gidNumber' attribute is not used
>>>> for the users GID, you need to give 'Domain Users' a gidNumber and
>>>> this is what will be used.
>>>>
>>> That is not unfortunate, but the right thing to do (imho),
>>> because the domain users group (or whatever the primary AD
>>> level group is for the user) is what will appear in the access
>>> token when the user accesses a file server.
>>>
>> Well, it is unfortunate if you expected it to be used, but yes it
>> is the right thing to do.
>
> No more comment. For today :p
>
>>> We can think about making the use of the gidNumber attribute
>>> a configurable option (at least for the start in the domain
>>> member case with idmap_ad). But again, the right thing to do
>>> is use the SID-level primary group for primary gid of the unix
>>> user.
>>>
>> You don't actually need the gidNumber, every user's primary group
>> is 'Domain Users', you can change this, but it is slightly
>> complicated and it breaks things on windows.
>
> Seriously Rowland...
>
> First it is not complicated, changing one attribute value for one user
> or for all users in AD DB is not something complicated. A bit of LDIF,
> a bit of ldbmodify, nothing complex.

Go on, try it, change a user's primary group id by just changing their
'primaryGroupID', you will find it doesn't work, it is more involved than
that.

> But I agree changing primaryGroupID value would be dangerous.
> Dangerous because of my lack of knowledge about Windows world.

If you have windows users and change a user's primary group id, it could
break something because windows expects every user to be a member of
Domain Users.

> To avoid side effects I would change that value and add a memberOf
> attribute to my users so they are still in "Domain Users". Doing that
> I could use Winbind to retrieve my AD users on UNIX systems, they
> would have something else than 100 as GID and they would be in "Domain
> Users". Until some user is not well created by some dude not paid
> enough to read carefully the doc or too tired to pay attention. Then
> to understand what is missing for this newly-created user would be fun...

You could do this, but it could get terribly messy.

> I expect the fact in RFC2307 there is a dedicated attribute to host
> UNIX Primary Group ID (namely gidNumber) is to avoid all (and most
> certainly more) issues described earlier.

Yes, but you do not need the gidNumber.

Rowland
mathias dufresne
2015-Nov-12 13:54 UTC
[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
2015-11-12 14:42 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 12/11/15 13:22, mathias dufresne wrote:
>>
>> 2015-11-11 9:11 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com
>> <mailto:rowlandpenny241155 at gmail.com>>:
>>
>>> On 11/11/15 06:52, Michael Adam wrote:
>>>
>>>> On 2015-11-10 at 13:57 +0000, Rowland Penny wrote:
>>>>
>>>>> On 10/11/15 13:42, mathias dufresne wrote:
>>>>>
>>>>>> Thank you for this quick answer Louis.
>>>>>>
>>>>>> On DC:
>>>>>>
>>>>>> On DC I had to add one line to have winbind retrieving uidNumber AD
>>>>>> field rather than having Winbind choosing some random UID for my
>>>>>> users. This line is:
>>>>>>
>>>>>> idmap_ldb:use rfc2307 = yes
>>>>>>
>>>>>> as explained in
>>>>>> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>>>>>>
>>>>>> That's a start.
>>>>>>
>>>>>> Unfortunately winbind is still giving my users GID number set to
>>>>>> 100, which is "Domain Users" group, when my users have gidNumber
>>>>>> attribute set.
>>>>>>
>>>>> unfortunately the contents of the 'gidNumber' attribute is not used
>>>>> for the users GID, you need to give 'Domain Users' a gidNumber and
>>>>> this is what will be used.
>>>>>
>>>> That is not unfortunate, but the right thing to do (imho),
>>>> because the domain users group (or whatever the primary AD
>>>> level group is for the user) is what will appear in the access
>>>> token when the user accesses a file server.
>>>>
>>> Well, it is unfortunate if you expected it to be used, but yes it
>>> is the right thing to do.
>>
>> No more comment. For today :p
>>
>>>> We can think about making the use of the gidNumber attribute
>>>> a configurable option (at least for the start in the domain
>>>> member case with idmap_ad). But again, the right thing to do
>>>> is use the SID-level primary group for primary gid of the unix
>>>> user.
>>>>
>>> You don't actually need the gidNumber, every user's primary group
>>> is 'Domain Users', you can change this, but it is slightly
>>> complicated and it breaks things on windows.
>>
>> Seriously Rowland...
>>
>> First it is not complicated, changing one attribute value for one user
>> or for all users in AD DB is not something complicated. A bit of LDIF,
>> a bit of ldbmodify, nothing complex.
>>
> Go on, try it, change a user's primary group id by just changing their
> 'primaryGroupID', you will find it doesn't work, it is more involved than
> that.

I won't, there are tools to do what I want in nice ways (nslcd, sssd at
least). Winbind is really close to giving us that possibility too and I'm
almost sure this tool will also be improved one day to give us usage of
all rfc2307 attributes.

>> But I agree changing primaryGroupID value would be dangerous. Dangerous
>> because of my lack of knowledge about Windows world.
>>
> If you have windows users and change a user's primary group id, it could
> break something because windows expects every user to be a member of
> Domain Users.
>
>> To avoid side effects I would change that value and add a memberOf
>> attribute to my users so they are still in "Domain Users". Doing that
>> I could use Winbind to retrieve my AD users on UNIX systems, they
>> would have something else than 100 as GID and they would be in "Domain
>> Users". Until some user is not well created by some dude not paid
>> enough to read carefully the doc or too tired to pay attention. Then
>> to understand what is missing for this newly-created user would be fun...
>>
> You could do this, but it could get terribly messy.

In fact I won't.

>> I expect the fact in RFC2307 there is a dedicated attribute to host
>> UNIX Primary Group ID (namely gidNumber) is to avoid all (and most
>> certainly more) issues described earlier.
>>
> Yes, but you do not need the gidNumber.

In fact, I do.

> Rowland
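A quick way to see which RFC2307 attributes winbind is actually honouring on a given host, as an added example that is not part of the list thread: the script below diffs an LDIF dump of the user objects against `getent passwd` output and reports every attribute where AD and NSS disagree. The sample LDIF and passwd lines are constructed (the account names, UIDs and GIDs are invented) and mirror the behaviour the thread describes on a DC with `idmap_ldb:use rfc2307 = yes`: uidNumber is honoured, the GID comes from the gidNumber of "Domain Users" (100) rather than the user's own gidNumber, and the shell is the template default instead of loginShell.

```python
import re

# Constructed sample: an LDIF export of two users and the "Domain Users"
# group with RFC2307 attributes filled in.  Invented data, not from the thread.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10500
loginShell: /bin/csh

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
uidNumber: 10002
gidNumber: 10500
loginShell: /bin/bash

dn: CN=Domain Users,CN=Users,DC=example,DC=com
sAMAccountName: Domain Users
gidNumber: 100
"""

# Constructed sample: what `getent passwd` returned on a DC where winbind
# honours uidNumber but uses the primary group's gidNumber (100) and the
# "template shell" default rather than the per-user loginShell.
SAMPLE_GETENT = """\
alice:*:10001:100:alice:/home/EXAMPLE/alice:/bin/false
bob:*:10002:100:bob:/home/EXAMPLE/bob:/bin/false
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: value} dicts.

    Handles folded continuation lines (leading space) and skips comments
    and base64 ("::") values, which none of the attributes here use.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # LDIF line folding
            else:
                lines.append(raw)
        entry = {}
        for line in lines:
            if line.startswith("#") or re.match(r"^[^:]+::", line) or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def parse_passwd(text):
    """Parse passwd(5)-style lines into {name: {attribute: value}}."""
    users = {}
    for line in text.strip().splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue                          # tolerate stray or garbled lines
        name, _pw, uid, gid, _gecos, _home, shell = fields
        users[name] = {"uidNumber": uid, "gidNumber": gid, "loginShell": shell}
    return users


def compare(ldif_text, passwd_text):
    """Return (account, attribute, ad_value, nss_value) for each mismatch.

    Only entries carrying a uidNumber are treated as user accounts, so
    group objects are skipped.  A user present in AD but not resolvable
    through NSS is reported with nss_value None.
    """
    resolved = parse_passwd(passwd_text)
    findings = []
    for entry in parse_ldif(ldif_text):
        if "uidNumber" not in entry or "sAMAccountName" not in entry:
            continue
        name = entry["sAMAccountName"]
        got = resolved.get(name)
        if got is None:
            findings.append((name, "uidNumber", entry["uidNumber"], None))
            continue
        for attr in ("uidNumber", "gidNumber", "loginShell"):
            if attr in entry and entry[attr] != got[attr]:
                findings.append((name, attr, entry[attr], got[attr]))
    return findings


if __name__ == "__main__":
    for name, attr, ad_value, nss_value in compare(SAMPLE_LDIF, SAMPLE_GETENT):
        print(f"{name}: {attr} is {ad_value} in AD but {nss_value} via NSS")
```

Feed it a real LDIF export (for instance from ldbsearch on the DC) and the `getent passwd` output of the host under test. On a DC the gidNumber and loginShell mismatches are the expected behaviour the thread describes, not a misconfiguration; on a member server that is supposed to hand out per-user shells and groups, the same mismatches are the signal that the idmap and nss info setup is not doing what was intended.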