A few questions about Unix groups in Samba.

(1) "samba-tool user add" has an option to set --gid-number. However, I can't see that this attribute is ever used. Can someone confirm if this is true?

From digging around previous mailing list postings (*), I surmise the following:

- the user's Unix primary gid is taken from their primary *Windows* group (primaryGroupID, which points to the RID of a Windows group entry)
- the Windows primary group must have a gidNumber attribute, otherwise the user is not visible in Unix at all
- therefore the gidNumber attribute from the user entry appears to be ignored.

Is that right?

(2) I can create a new Windows group using "samba-tool group add", but if I set the --gid-number for the group it rejects the request unless I also pass in a --nis-domain:

> ERROR: Both --gid-number and --nis-domain have to be set for a RFC2307-enabled group. Operation cancelled.

What value should I put for nis-domain? Just the workgroup name? AFAICS it ends up in the "msSFU30NisDomain" attribute but I don't know what this is used for, or why it's mandatory.

(3) It's traditional in Unix circles to have a primary group per user with the same name as the user, as this makes it feasible to use umask 0002 and easy file sharing. Does this approach have to be abandoned when using AD/Samba as the user directory?

(4) Is there a way to flush the winbind cache easily? When I make a change to users/groups and they are not reflected on the client, I have resorted to

    rm /var/lib/samba/*.tdb; service winbind restart

but that seems rather gross.

Thanks,

Brian.

(*) There is a posting here: https://lists.samba.org/archive/samba/2010-October/159033.html

which points to a Samba page which no longer exists: http://wiki.samba.org/index.php/Samba_&_Active_Directory

But apparently that page used to say:

"You must make sure that the primary group of the Unix users in the AD is also Unix enabled (with a GID) (A user whose primary group is not also a Unix group will not show up on Unix at all !)"

It also points to a thread from 2006: https://lists.samba.org/archive/samba/2006-August/123711.html
See inline comments:

On Mon, 21 Nov 2016 14:47:13 +0000 Brian Candler via samba <samba at lists.samba.org> wrote:

> A few questions about Unix groups in Samba.
>
> (1) "samba-tool user add" has an option to set --gid-number. However, I can't see that this attribute is ever used. Can someone confirm if this is true?

Not sure if it is ever really used; what I can say is, you do not need it.

> From digging around previous mailing list postings (*), I surmise the following:
>
> - the user's Unix primary gid is taken from their primary *Windows* group (primaryGroupID, which points to the RID of a Windows group entry)

Correct

> - the Windows primary group must have a gidNumber attribute, otherwise the user is not visible in Unix at all

Correct

> - therefore the gidNumber attribute from the user entry appears to be ignored. Is that right?

As I said, you do not need to add a gidNumber to a user; they are all members of 'Domain Users'. In fact, if this is changed, Windows doesn't like it.

> (2) I can create a new Windows group using "samba-tool group add", but if I set the --gid-number for the group it rejects the request unless I also pass in a --nis-domain:

Correct

> > ERROR: Both --gid-number and --nis-domain have to be set for a RFC2307-enabled group. Operation cancelled.
>
> What value should I put for nis-domain? Just the workgroup name? AFAICS it ends up in the "msSFU30NisDomain" attribute but I don't know what this is used for, or why it's mandatory.

It was added because this is what ADUC does when adding Unix attributes.

> (3) It's traditional in Unix circles to have a primary group per user with the same name as the user, as this makes it feasible to use umask 0002 and easy file sharing. Does this approach have to be abandoned when using AD/Samba as the user directory?

Yes, you cannot have a group with the same name as a user, so no user private groups.

> (4) Is there a way to flush the winbind cache easily? When I make a change to users/groups and they are not reflected on the client, I have resorted to
>
>     rm /var/lib/samba/*.tdb; service winbind restart
>
> but that seems rather gross.

Run 'net cache flush'.

> Thanks,
>
> Brian.
>
> (*) There is a posting here: https://lists.samba.org/archive/samba/2010-October/159033.html
>
> which points to a Samba page which no longer exists: http://wiki.samba.org/index.php/Samba_&_Active_Directory
>
> But apparently that page used to say:
>
> "You must make sure that the primary group of the Unix users in the AD is also Unix enabled (with a GID) (A user whose primary group is not also a Unix group will not show up on Unix at all !)"
>
> It also points to a thread from 2006: https://lists.samba.org/archive/samba/2006-August/123711.html

Things change ;-)

See: https://wiki.samba.org/index.php/Idmap_config_ad#winbind_nss_info_.3D_rfc2307

Rowland
2016-11-21 16:00 GMT+01:00 Rowland Penny via samba <samba at lists.samba.org>:

> See inline comments:
>
> On Mon, 21 Nov 2016 14:47:13 +0000 Brian Candler via samba <samba at lists.samba.org> wrote:
>
> > A few questions about Unix groups in Samba.
> >
> > (1) "samba-tool user add" has an option to set --gid-number. However, I can't see that this attribute is ever used. Can someone confirm if this is true?
>
> Not sure if it is ever really used; what I can say is, you do not need it.

It is used when you are using tools which use it. Just an example: SSSD is configurable and you can tell that specific tool to use any LDAP attribute to set LINUX/UNIX users' primary group. This option should set, in your user objects, the field named gidNumber. I believe RFC2307 says that gidNumber is the default field for the UNIX primary group. Winbind does not use the field gidNumber to fill the UNIX primary group but uses primaryGroupID, which is in fact the Windows primary group (i.e. Domain Users by default). This difference is because Samba and Winbind are mainly meant to serve Windows, not UNIX/Linux (they just run on them).

> > From digging around previous mailing list postings (*), I surmise the following:
> >
> > - the user's Unix primary gid is taken from their primary *Windows* group (primaryGroupID, which points to the RID of a Windows group entry)
>
> Correct
>
> > - the Windows primary group must have a gidNumber attribute, otherwise the user is not visible in Unix at all
>
> Correct
>
> > - therefore the gidNumber attribute from the user entry appears to be ignored. Is that right?
>
> As I said, you do not need to add a gidNumber to a user; they are all members of 'Domain Users'. In fact, if this is changed, Windows doesn't like it.

Ignored by Winbind[d].

> > (2) I can create a new Windows group using "samba-tool group add", but if I set the --gid-number for the group it rejects the request unless I also pass in a --nis-domain:
>
> Correct
>
> > > ERROR: Both --gid-number and --nis-domain have to be set for a RFC2307-enabled group. Operation cancelled.
> >
> > What value should I put for nis-domain? Just the workgroup name? AFAICS it ends up in the "msSFU30NisDomain" attribute but I don't know what this is used for, or why it's mandatory.
>
> It was added because this is what ADUC does when adding Unix attributes.

Microsoft AD emulates NIS+ (ex Yellow Pages). NIS is organised in domains. For that they added an update to their LDAP schema (which should be called msSFU3x). msSFU30 + NIS + Domain => msSFU30NisDomain :) That's the UNIX way to name the domain. These NIS domains are there to get AD users on UNIX (and Linux) platforms.

> > (3) It's traditional in Unix circles to have a primary group per user with the same name as the user, as this makes it feasible to use umask 0002 and easy file sharing. Does this approach have to be abandoned when using AD/Samba as the user directory?
>
> Yes, you cannot have a group with the same name as a user, so no user private groups.

sAMAccountName must be unique in AD, and users, groups and computers all have a sAMAccountName. This field is limited to 20 characters, not in LDAP but in Windows: when a Windows system has to use that field, if it is more than 20 characters Windows gives an error message.

> > (4) Is there a way to flush the winbind cache easily? When I make a change to users/groups and they are not reflected on the client, I have resorted to
> >
> >     rm /var/lib/samba/*.tdb; service winbind restart
> >
> > but that seems rather gross.
>
> Run 'net cache flush'.
>
> > Thanks,
> >
> > Brian.
> >
> > (*) There is a posting here: https://lists.samba.org/archive/samba/2010-October/159033.html
> >
> > which points to a Samba page which no longer exists: http://wiki.samba.org/index.php/Samba_&_Active_Directory
> >
> > But apparently that page used to say:
> >
> > "You must make sure that the primary group of the Unix users in the AD is also Unix enabled (with a GID) (A user whose primary group is not also a Unix group will not show up on Unix at all !)"
> >
> > It also points to a thread from 2006: https://lists.samba.org/archive/samba/2006-August/123711.html
>
> Things change ;-)
>
> See: https://wiki.samba.org/index.php/Idmap_config_ad#winbind_nss_info_.3D_rfc2307
>
> Rowland
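The two answers above describe two different resolution rules: winbind (with the rfc2307 nss info backend) derives a user's UNIX gid from the gidNumber of the group that primaryGroupID points at and ignores any gidNumber on the user, so a user whose Windows primary group is not Unix-enabled does not appear on UNIX at all, whereas an RFC2307 client such as SSSD reads the user's own gidNumber; the replies also mention that samba-tool refuses --gid-number without --nis-domain and that user-private groups fail because sAMAccountName is unique and capped at 20 characters. The following is an added example, not code from Samba or from anyone on this thread, that models those rules over a small constructed directory. The domain SID, RIDs, uid/gid values and account names are made up; the attribute names (objectSid, primaryGroupID, uidNumber, gidNumber, msSFU30NisDomain) are the real AD ones, but the winbind and SSSD behaviour is modelled in plain Python rather than called.

```python
"""Toy model of how a UNIX identity is derived from an AD user entry.

Added example, not Samba code.  DIRECTORY below is a constructed sample
directory; the resolution functions model the behaviour described in the
thread rather than calling winbind or SSSD.
"""
from typing import Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed sample domain SID
SAMACCOUNTNAME_MAX = 20                  # Windows-side limit quoted in the thread


def sid(rid: int) -> str:
    """Build an objectSid string for a RID in the sample domain."""
    return f"{DOMAIN_SID}-{rid}"


# Constructed directory keyed by sAMAccountName.
# "bob": uidNumber set, gidNumber=20001 (points at "unixgrp"), but his
#        Windows primary group is Domain Users (RID 513, gidNumber 10513).
# "alice": uidNumber set, Windows primary group "winonly" has no gidNumber.
DIRECTORY = {
    "bob":          {"objectClass": "user",  "objectSid": sid(1105), "primaryGroupID": 513,
                     "uidNumber": 10001, "gidNumber": 20001},
    "alice":        {"objectClass": "user",  "objectSid": sid(1106), "primaryGroupID": 1111,
                     "uidNumber": 10002},
    "Domain Users": {"objectClass": "group", "objectSid": sid(513),
                     "gidNumber": 10513, "msSFU30NisDomain": "example"},
    "unixgrp":      {"objectClass": "group", "objectSid": sid(1110),
                     "gidNumber": 20001, "msSFU30NisDomain": "example"},
    "winonly":      {"objectClass": "group", "objectSid": sid(1111)},
}


def rid_of(object_sid: str) -> int:
    """The RID is the last sub-authority of the SID."""
    return int(object_sid.rsplit("-", 1)[1])


def group_by_rid(directory: dict, rid: int) -> Optional[dict]:
    """primaryGroupID holds a RID, so find the group whose objectSid ends in it."""
    for entry in directory.values():
        if entry["objectClass"] == "group" and rid_of(entry["objectSid"]) == rid:
            return entry
    return None


def winbind_identity(directory: dict, name: str) -> Optional[Tuple[int, int]]:
    """winbind rule from the thread: uid from the user's uidNumber, gid from the
    gidNumber of the group primaryGroupID points at.  The user's own gidNumber
    is ignored; if the primary group has no gidNumber the user is invisible."""
    user = directory.get(name)
    if user is None or user["objectClass"] != "user" or "uidNumber" not in user:
        return None
    primary = group_by_rid(directory, user["primaryGroupID"])
    if primary is None or "gidNumber" not in primary:
        return None  # primary group not Unix-enabled -> no UNIX identity at all
    return user["uidNumber"], primary["gidNumber"]


def rfc2307_client_identity(directory: dict, name: str) -> Optional[Tuple[int, int]]:
    """SSSD-style rule from the reply: the user's own gidNumber is the primary
    group; primaryGroupID is never consulted."""
    user = directory.get(name)
    if user is None or user["objectClass"] != "user":
        return None
    if "uidNumber" not in user or "gidNumber" not in user:
        return None
    return user["uidNumber"], user["gidNumber"]


def validate_rfc2307_group(gid_number: Optional[int], nis_domain: Optional[str]) -> None:
    """Mirror of the samba-tool refusal quoted in the thread: an RFC2307-enabled
    group needs both --gid-number and --nis-domain (msSFU30NisDomain)."""
    if (gid_number is None) != (nis_domain is None):
        raise ValueError("Both --gid-number and --nis-domain have to be set "
                         "for a RFC2307-enabled group")


def can_add_user_private_group(directory: dict, username: str) -> bool:
    """A user-private group would reuse the user's sAMAccountName, which must be
    unique across users, groups and computers and is limited to 20 characters."""
    if len(username) > SAMACCOUNTNAME_MAX:
        return False
    return username not in directory


if __name__ == "__main__":
    print("bob via winbind:  ", winbind_identity(DIRECTORY, "bob"))         # (10001, 10513)
    print("bob via SSSD:     ", rfc2307_client_identity(DIRECTORY, "bob"))  # (10001, 20001)
    print("alice via winbind:", winbind_identity(DIRECTORY, "alice"))       # None
    print("bob private group:", can_add_user_private_group(DIRECTORY, "bob"))  # False
```

The contrast is the point of the thread: the same entry for bob yields gid 10513 (Domain Users) under winbind and gid 20001 under an RFC2307 client, and alice vanishes from UNIX entirely under winbind because her Windows primary group carries no gidNumber. On a real DC the equivalent checks are `wbinfo -i bob` / `getent passwd bob` after `net cache flush`, and a Unix-enabled group is created with both options set, e.g. `samba-tool group add unixgrp --gid-number=20001 --nis-domain=<your NIS domain>`.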