samba - Apr 2016 - chgrp "Domain Admins" on folder return invalid group "Domain Admins"

Thank you Rowland,

I do not change my existing configuration as far i have already indicate
winbind value on both passwd and group lines in nsswitch.conf.

But i execute the net cahe flush command and then try getent command by
providing the user name and it works.

It provide outpout for a demo acount that it is only creat in AD and has
unix attribute assigned :
#getent passwd demo
demo:*:10001:10001:demo demo:/home/DEMO/demo:/bin/false

So now, i should be able to define file or folder right from Linux OS with
AD users.

I think that we can consider this subject Solved with your permission.

Many thanks again

On Tue, Apr 5, 2016 at 2:52 PM, Rowland penny <rpenny at samba.org> wrote:
> On 05/04/16 14:32, Jules Houantonon wrote:
>
>> Thank you Rowland for your mail.
>>
>> My aim is to create a fileserver with samba4 and with acl supported.
>> Users most logon through their windows that are in domain to access
their
>> shares.
>>
>> Samba how to and your explanations open my eyes on the interaction
>> between samba users and group with the Linux OS.
>>
>> From ADUC, I assign an Unix Attribute to a user accout, and
automatically
>> it is given 10000 as its UID, getent command still not display it.
>>
>
> The next one should get 10001
>
>
>> So in my plan, users should only exist in active directory. Does that
>> mean that getent can still display user or group information that will
only
>> exist in AD ?
>>
>>
> getent will display users known to the underlying OS, this is done by
> specifying what methods to use in /etc/nsswitch.conf. For users, there is a
> line that starts 'passwd', this normally contains 'compat '
or 'files' and
> will mean 'getent passwd auser' will return the users info found in
the
> file /etc/passwd. If you want to user a different method to use to get a
> users info, you would add it after 'compat ' or 'files'
i.e. to use winbind
> 'passwd compat winbind'. This would mean that when you run
'getent passwd
> auser' , the user would be found by first searching in /etc/passwd
(this is
> why you cannot have users in /etc/passwd & AD) and then by asking
winbind.
> On a DC, winbind would assign an xidNumber and then store it in idmap.ldb
> *or* you can give each user a 'uidNumber' and then this will be
used
> instead, only problem is that the old xidNumber will take precedence for a
> time, but you can short circuit this by running:
>
> net cache flush
>
>
> Sorry if i am missing something.
>>
>> Thank you
>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
Jules HOUANTONON
*Phone* : (00229) 97578914
*Email *: juleshoueto at gmail.com
*Skype* : houantonon
*linkedin* : www.linkedin.com/in/jhouantonon/en

Please, strangely

In AD the user demo have /bin/sh as its shell and with getent we have
 /bin/false.

Is it normal  ?





On Tue, Apr 5, 2016 at 3:22 PM, Jules Houantonon <juleshoueto at
gmail.com>
wrote:
> Thank you Rowland,
>
> I do not change my existing configuration as far i have already indicate
> winbind value on both passwd and group lines in nsswitch.conf.
>
> But i execute the net cahe flush command and then try getent command by
> providing the user name and it works.
>
> It provide outpout for a demo acount that it is only creat in AD and has
> unix attribute assigned :
> #getent passwd demo
> demo:*:10001:10001:demo demo:/home/DEMO/demo:/bin/false
>
> So now, i should be able to define file or folder right from Linux OS with
> AD users.
>
> I think that we can consider this subject Solved with your permission.
>
> Many thanks again
>
> On Tue, Apr 5, 2016 at 2:52 PM, Rowland penny <rpenny at samba.org>
wrote:
>
>> On 05/04/16 14:32, Jules Houantonon wrote:
>>
>>> Thank you Rowland for your mail.
>>>
>>> My aim is to create a fileserver with samba4 and with acl
supported.
>>> Users most logon through their windows that are in domain to access
their
>>> shares.
>>>
>>> Samba how to and your explanations open my eyes on the interaction
>>> between samba users and group with the Linux OS.
>>>
>>> From ADUC, I assign an Unix Attribute to a user accout, and
>>> automatically it is given 10000 as its UID, getent command still
not
>>> display it.
>>>
>>
>> The next one should get 10001
>>
>>
>>> So in my plan, users should only exist in active directory. Does
that
>>> mean that getent can still display user or group information that
will only
>>> exist in AD ?
>>>
>>>
>> getent will display users known to the underlying OS, this is done by
>> specifying what methods to use in /etc/nsswitch.conf. For users, there
is a
>> line that starts 'passwd', this normally contains 'compat
' or 'files' and
>> will mean 'getent passwd auser' will return the users info
found in the
>> file /etc/passwd. If you want to user a different method to use to get
a
>> users info, you would add it after 'compat ' or 'files'
i.e. to use winbind
>> 'passwd compat winbind'. This would mean that when you run
'getent passwd
>> auser' , the user would be found by first searching in /etc/passwd
(this is
>> why you cannot have users in /etc/passwd & AD) and then by asking
winbind.
>> On a DC, winbind would assign an xidNumber and then store it in
idmap.ldb
>> *or* you can give each user a 'uidNumber' and then this will be
used
>> instead, only problem is that the old xidNumber will take precedence
for a
>> time, but you can short circuit this by running:
>>
>> net cache flush
>>
>>
>> Sorry if i am missing something.
>>>
>>> Thank you
>>>
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
>
> --
> Jules HOUANTONON
> *Phone* : (00229) 97578914
> *Email *: juleshoueto at gmail.com
> *Skype* : houantonon
> *linkedin* : www.linkedin.com/in/jhouantonon/en
>


-- 
Jules HOUANTONON
*Phone* : (00229) 97578914
*Email *: juleshoueto at gmail.com
*Skype* : houantonon
*linkedin* : www.linkedin.com/in/jhouantonon/en

On 05/04/16 15:22, Jules Houantonon wrote:
> Thank you Rowland,
>
> I do not change my existing configuration as far i have already 
> indicate winbind value on both passwd and group lines in nsswitch.conf.
>
> But i execute the net cahe flush command and then try getent command 
> by providing the user name and it works.
>
> It provide outpout for a demo acount that it is only creat in AD and 
> has unix attribute assigned :
> #getent passwd demo
> demo:*:10001:10001:demo demo:/home/DEMO/demo:/bin/false
>
> So now, i should be able to define file or folder right from Linux OS 
> with AD users.
>
> I think that we can consider this subject Solved with your permission.
There is just one last thing you may want to know, as you can see, every 
users home path is set to '/home/DEMO/' and their shell is set to 
'/bin/false'. You can change these if you wish, but only on a domain 
basis. You probably don't need to change either if your users will never 
actually log into the DC, but if they do, these can be changed by adding 
'template homedir = /what/ever/path/you/want' & 'template shell
= /bin/bash'

Rowland
>
> Many thanks again
>
> On Tue, Apr 5, 2016 at 2:52 PM, Rowland penny <rpenny at samba.org 
> <mailto:rpenny at samba.org>> wrote:
>
>     On 05/04/16 14:32, Jules Houantonon wrote:
>
>         Thank you Rowland for your mail.
>
>         My aim is to create a fileserver with samba4 and with acl
>         supported. Users most logon through their windows that are in
>         domain to access their shares.
>
>         Samba how to and your explanations open my eyes on the
>         interaction between samba users and group with the Linux OS.
>
>         From ADUC, I assign an Unix Attribute to a user accout, and
>         automatically it is given 10000 as its UID, getent command
>         still not display it.
>
>
>     The next one should get 10001
>
>
>         So in my plan, users should only exist in active directory.
>         Does that mean that getent can still display user or group
>         information that will only exist in AD ?
>
>
>     getent will display users known to the underlying OS, this is done
>     by specifying what methods to use in /etc/nsswitch.conf. For
>     users, there is a line that starts 'passwd', this normally
>     contains 'compat ' or 'files' and will mean 'getent
passwd auser'
>     will return the users info found in the file /etc/passwd. If you
>     want to user a different method to use to get a users info, you
>     would add it after 'compat ' or 'files' i.e. to use
winbind
>     'passwd compat winbind'. This would mean that when you run
'getent
>     passwd auser' , the user would be found by first searching in
>     /etc/passwd (this is why you cannot have users in /etc/passwd &
>     AD) and then by asking winbind. On a DC, winbind would assign an
>     xidNumber and then store it in idmap.ldb *or* you can give each
>     user a 'uidNumber' and then this will be used instead, only
>     problem is that the old xidNumber will take precedence for a time,
>     but you can short circuit this by running:
>
>     net cache flush
>
>
>         Sorry if i am missing something.
>
>         Thank you
>
>
>
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
>
>
>
>
> -- 
> Jules HOUANTONON
> /Phone/: (00229) 97578914
> /Email /: juleshoueto at gmail.com <mailto:juleshoueto at gmail.com>
> /Skype/ : houantonon
> /linkedin/ : www.linkedin.com/in/jhouantonon/en 
> <http://www.linkedin.com/in/jhouantonon/en>

On 05/04/16 15:26, Jules Houantonon wrote:
> Please, strangely
>
> In AD the user demo have /bin/sh as its shell and with getent we have 
>  /bin/false.
>
> Is it normal  ?
>
>
Yes, it is normal on a DC, the only things obtained from AD are 
uidNumber & gidNumber attributes.

Rowland