On Thu, 8 Dec 2016 14:44:16 +0100
Oliver Heinz via samba <samba@lists.samba.org> wrote:

> On 08.12.2016 at 14:31, Oliver Heinz wrote:
> >
> > On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
> >> On Thu, 8 Dec 2016 12:52:53 +0100
> >> Oliver Heinz via samba <samba@lists.samba.org> wrote:
> >>
> >>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
> >>>
> >>> wbinfo -i fails
> >>>
> >>> root@m1:~# wbinfo -i SAMDOM\\demo01
> >>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >>>
> >>> winbindd.log is here: http://pastebin.com/X0rEaLt2
> >>>
> >>> Pretty much everything else seems to work:
> >>>
> >>> root@m1:~# wbinfo --ping-dc
> >>> checking the NETLOGON for domain[SAMDOM] dc connection to
> >>> "dc1.samdom.example.com" succeeded
> >>>
> >>> root@m1:~# wbinfo --uid-to-sid=10000
> >>> S-1-5-21-2104162034-3764151921-3268498227-1108
> >>>
> >>> root@m1:~# wbinfo --name-to-sid SAMDOM\\demo01
> >>> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
> >>>
> >>> What did I miss?
> >>>
> >>> My setup:
> >>>
> >>> dc1.example.com as per
> >>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> >>>
> >>> m1.example.com as per
> >>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >>>
> >>> Both with SerNet 4.5.2-9 packages.
> >>>
> >>> root@dc1:~# cat /etc/samba/smb.conf
> >>> # Global parameters
> >>> [global]
> >>> netbios name = DC1
> >>> realm = SAMDOM.EXAMPLE.COM
> >>> workgroup = SAMDOM
> >>> dns forwarder = 192.168.8.10
> >>> server role = active directory domain controller
> >>> idmap_ldb:use rfc2307 = yes
> >>>
> >>> [netlogon]
> >>> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >>> read only = No
> >>>
> >>> [sysvol]
> >>> path = /var/lib/samba/sysvol
> >>> read only = No
> >>>
> >>> root@m1:~# cat /etc/samba/smb.conf
> >>> [global]
> >>> security = ADS
> >>> workgroup = SAMDOM
> >>> realm = SAMDOM.EXAMPLE.COM
> >>>
> >>> log file = /var/log/samba/%m.log
> >>> log level = 1 winbind:10
> >>>
> >>> # idmap config used for your domain.
> >>> # Click on the following links for more information
> >>> # on the available winbind idmap backends,
> >>> # Choose the one that fits your requirements
> >>> # then add the corresponding configuration.
> >>> idmap config * : backend = tdb
> >>> idmap config * : range = 2000-9999
> >>>
> >>> # idmap config for the SAMDOM domain
> >>> idmap config SAMDOM:backend = ad
> >>> idmap config SAMDOM:schema_mode = rfc2307
> >>> idmap config SAMDOM:range = 10000-999999
> >>>
> >>> winbind nss info = rfc2307
> >>>
> >>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! samaccountname=demo01
> >>> # record 1
> >>> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >>> objectClass: top
> >>> objectClass: person
> >>> objectClass: organizationalPerson
> >>> objectClass: user
> >>> cn: demo01
> >>> instanceType: 4
> >>> whenCreated: 20161207153641.0Z
> >>> uSNCreated: 3797
> >>> name: demo01
> >>> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
> >>> badPwdCount: 0
> >>> codePage: 0
> >>> countryCode: 0
> >>> badPasswordTime: 0
> >>> lastLogoff: 0
> >>> lastLogon: 0
> >>> primaryGroupID: 513
> >>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
> >>> accountExpires: 9223372036854775807
> >>> logonCount: 0
> >>> sAMAccountName: demo01
> >>> sAMAccountType: 805306368
> >>> userPrincipalName: demo01@samdom.example.com
> >>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >>> uidNumber: 10000
> >>> loginShell: /bin/bash
> >>> unixHomeDirectory: /home/demo01
> >>> msSFU30NisDomain: samdom
> >>> msSFU30Name: demo01
> >>> unixUserPassword: ABCD!efgh12345$67890
> >>> pwdLastSet: 131255986018743120
> >>> userAccountControl: 512
> >>> gidNumber: 10000
> >>> uid: demo01
> >>> whenChanged: 20161208113015.0Z
> >>> uSNChanged: 3832
> >>> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>>
> >>> # returned 4 records
> >>> # 1 entries
> >>> # 3 referrals
> >>>
> >>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! cn=demogroup
> >>> # record 1
> >>> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >>> objectClass: top
> >>> objectClass: group
> >>> cn: demogroup
> >>> instanceType: 4
> >>> whenCreated: 20161207161213.0Z
> >>> uSNCreated: 3815
> >>> name: demogroup
> >>> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
> >>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
> >>> sAMAccountName: demogroup
> >>> sAMAccountType: 268435456
> >>> groupType: -2147483646
> >>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >>> msSFU30NisDomain: SAMDOM
> >>> gidNumber: 10000
> >>> whenChanged: 20161208104335.0Z
> >>> uSNChanged: 3824
> >>> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>>
> >>> # Referral
> >>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>>
> >>> # returned 4 records
> >>> # 1 entries
> >>> # 3 referrals
> >>>
> >>> TIA,
> >>> Oliver
> >>>
> >>
> >> Have you given 'Domain Users' a gidNumber attribute containing a
> >> number inside '10000-999999' ?
> >>
> >> Rowland
> >>
> >
> > I did not touch the builtin domain groups. I thought it was
> > sufficient if the primary posix group of that user (demogroup)
> > was within the range. demogroup has a gidNumber of 10000.
> > Do I still need to modify the domain users in that case? Any other
> > domain groups that I need to modify?
> >
> > Oliver
>
> So I gave Domain Users 99999 and voilà:
>
> root@m1:~# wbinfo -i SAMDOM\\demo01
> SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash
>
> Seems samba always uses the primaryGroupID which for demo01 is set to
> 'Domain Users'. I'm just wondering a bit then why there is a gidNumber
> as a user attribute, as it is not used in the posix context.
>
> Thanks for your help,
> Oliver
>

If a group doesn't have a gidNumber it is invisible to Unix.

Rowland
On 08.12.2016 at 14:48, Rowland Penny via samba wrote:
> On Thu, 8 Dec 2016 14:44:16 +0100
> Oliver Heinz via samba <samba@lists.samba.org> wrote:
>
>> On 08.12.2016 at 14:31, Oliver Heinz wrote:
>>>
>>> On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
>>>> On Thu, 8 Dec 2016 12:52:53 +0100
>>>> Oliver Heinz via samba <samba@lists.samba.org> wrote:
>>>>
>>>>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
>>>>>
>>>>> wbinfo -i fails
>>>>>
>>>>> root@m1:~# wbinfo -i SAMDOM\\demo01
>>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
>>>>>
>>>>> winbindd.log is here: http://pastebin.com/X0rEaLt2
>>>>>
>>>>> Pretty much everything else seems to work:
>>>>>
>>>>> root@m1:~# wbinfo --ping-dc
>>>>> checking the NETLOGON for domain[SAMDOM] dc connection to
>>>>> "dc1.samdom.example.com" succeeded
>>>>>
>>>>> root@m1:~# wbinfo --uid-to-sid=10000
>>>>> S-1-5-21-2104162034-3764151921-3268498227-1108
>>>>>
>>>>> root@m1:~# wbinfo --name-to-sid SAMDOM\\demo01
>>>>> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
>>>>>
>>>>> What did I miss?
>>>>>
>>>>> My setup:
>>>>>
>>>>> dc1.example.com as per
>>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>>>>>
>>>>> m1.example.com as per
>>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>>
>>>>> Both with SerNet 4.5.2-9 packages.
>>>>>
>>>>> root@dc1:~# cat /etc/samba/smb.conf
>>>>> # Global parameters
>>>>> [global]
>>>>> netbios name = DC1
>>>>> realm = SAMDOM.EXAMPLE.COM
>>>>> workgroup = SAMDOM
>>>>> dns forwarder = 192.168.8.10
>>>>> server role = active directory domain controller
>>>>> idmap_ldb:use rfc2307 = yes
>>>>>
>>>>> [netlogon]
>>>>> path = /var/lib/samba/sysvol/samdom.example.com/scripts
>>>>> read only = No
>>>>>
>>>>> [sysvol]
>>>>> path = /var/lib/samba/sysvol
>>>>> read only = No
>>>>>
>>>>> root@m1:~# cat /etc/samba/smb.conf
>>>>> [global]
>>>>> security = ADS
>>>>> workgroup = SAMDOM
>>>>> realm = SAMDOM.EXAMPLE.COM
>>>>>
>>>>> log file = /var/log/samba/%m.log
>>>>> log level = 1 winbind:10
>>>>>
>>>>> # idmap config used for your domain.
>>>>> # Click on the following links for more information
>>>>> # on the available winbind idmap backends,
>>>>> # Choose the one that fits your requirements
>>>>> # then add the corresponding configuration.
>>>>> idmap config * : backend = tdb
>>>>> idmap config * : range = 2000-9999
>>>>>
>>>>> # idmap config for the SAMDOM domain
>>>>> idmap config SAMDOM:backend = ad
>>>>> idmap config SAMDOM:schema_mode = rfc2307
>>>>> idmap config SAMDOM:range = 10000-999999
>>>>>
>>>>> winbind nss info = rfc2307
>>>>>
>>>>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! samaccountname=demo01
>>>>> # record 1
>>>>> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: user
>>>>> cn: demo01
>>>>> instanceType: 4
>>>>> whenCreated: 20161207153641.0Z
>>>>> uSNCreated: 3797
>>>>> name: demo01
>>>>> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
>>>>> badPwdCount: 0
>>>>> codePage: 0
>>>>> countryCode: 0
>>>>> badPasswordTime: 0
>>>>> lastLogoff: 0
>>>>> lastLogon: 0
>>>>> primaryGroupID: 513
>>>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
>>>>> accountExpires: 9223372036854775807
>>>>> logonCount: 0
>>>>> sAMAccountName: demo01
>>>>> sAMAccountType: 805306368
>>>>> userPrincipalName: demo01@samdom.example.com
>>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>>>> uidNumber: 10000
>>>>> loginShell: /bin/bash
>>>>> unixHomeDirectory: /home/demo01
>>>>> msSFU30NisDomain: samdom
>>>>> msSFU30Name: demo01
>>>>> unixUserPassword: ABCD!efgh12345$67890
>>>>> pwdLastSet: 131255986018743120
>>>>> userAccountControl: 512
>>>>> gidNumber: 10000
>>>>> uid: demo01
>>>>> whenChanged: 20161208113015.0Z
>>>>> uSNChanged: 3832
>>>>> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # returned 4 records
>>>>> # 1 entries
>>>>> # 3 referrals
>>>>>
>>>>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! cn=demogroup
>>>>> # record 1
>>>>> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>>>>> objectClass: top
>>>>> objectClass: group
>>>>> cn: demogroup
>>>>> instanceType: 4
>>>>> whenCreated: 20161207161213.0Z
>>>>> uSNCreated: 3815
>>>>> name: demogroup
>>>>> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
>>>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
>>>>> sAMAccountName: demogroup
>>>>> sAMAccountType: 268435456
>>>>> groupType: -2147483646
>>>>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
>>>>> msSFU30NisDomain: SAMDOM
>>>>> gidNumber: 10000
>>>>> whenChanged: 20161208104335.0Z
>>>>> uSNChanged: 3824
>>>>> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # Referral
>>>>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>>>>
>>>>> # returned 4 records
>>>>> # 1 entries
>>>>> # 3 referrals
>>>>>
>>>>> TIA,
>>>>> Oliver
>>>>>
>>>> Have you given 'Domain Users' a gidNumber attribute containing a
>>>> number inside '10000-999999' ?
>>>>
>>>> Rowland
>>>>
>>>
>>> I did not touch the builtin domain groups. I thought it was
>>> sufficient if the primary posix group of that user (demogroup)
>>> was within the range. demogroup has a gidNumber of 10000.
>>> Do I still need to modify the domain users in that case? Any other
>>> domain groups that I need to modify?
>>>
>>> Oliver
>>
>> So I gave Domain Users 99999 and voilà:
>>
>> root@m1:~# wbinfo -i SAMDOM\\demo01
>> SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash
>>
>> Seems samba always uses the primaryGroupID which for demo01 is set to
>> 'Domain Users'. I'm just wondering a bit then why there is a gidNumber
>> as a user attribute, as it is not used in the posix context.
>>
>> Thanks for your help,
>> Oliver
>>
> If a group doesn't have a gidNumber it is invisible to Unix.
>
> Rowland

But what is the user's gidNumber attribute good for? Seems it is never
used - at least with winbind.

Oliver
On Thu, 8 Dec 2016 17:04:52 +0100
Oliver Heinz via samba <samba@lists.samba.org> wrote:

> On 08.12.2016 at 14:48, Rowland Penny via samba wrote:
> > On Thu, 8 Dec 2016 14:44:16 +0100
> > Oliver Heinz via samba <samba@lists.samba.org> wrote:
> >
> >> On 08.12.2016 at 14:31, Oliver Heinz wrote:
> >>>
> >>> On 08.12.2016 at 13:55, Rowland Penny via samba wrote:
> >>>> On Thu, 8 Dec 2016 12:52:53 +0100
> >>>> Oliver Heinz via samba <samba@lists.samba.org> wrote:
> >>>>
> >>>>> I'm trying to get Samba 4 AD to work with rfc2307 extensions.
> >>>>>
> >>>>> wbinfo -i fails
> >>>>>
> >>>>> root@m1:~# wbinfo -i SAMDOM\\demo01
> >>>>> failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
> >>>>>
> >>>>> winbindd.log is here: http://pastebin.com/X0rEaLt2
> >>>>>
> >>>>> Pretty much everything else seems to work:
> >>>>>
> >>>>> root@m1:~# wbinfo --ping-dc
> >>>>> checking the NETLOGON for domain[SAMDOM] dc connection to
> >>>>> "dc1.samdom.example.com" succeeded
> >>>>>
> >>>>> root@m1:~# wbinfo --uid-to-sid=10000
> >>>>> S-1-5-21-2104162034-3764151921-3268498227-1108
> >>>>>
> >>>>> root@m1:~# wbinfo --name-to-sid SAMDOM\\demo01
> >>>>> S-1-5-21-2104162034-3764151921-3268498227-1108 SID_USER (1)
> >>>>>
> >>>>> What did I miss?
> >>>>>
> >>>>> My setup:
> >>>>>
> >>>>> dc1.example.com as per
> >>>>> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> >>>>>
> >>>>> m1.example.com as per
> >>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
> >>>>>
> >>>>> Both with SerNet 4.5.2-9 packages.
> >>>>>
> >>>>> root@dc1:~# cat /etc/samba/smb.conf
> >>>>> # Global parameters
> >>>>> [global]
> >>>>> netbios name = DC1
> >>>>> realm = SAMDOM.EXAMPLE.COM
> >>>>> workgroup = SAMDOM
> >>>>> dns forwarder = 192.168.8.10
> >>>>> server role = active directory domain controller
> >>>>> idmap_ldb:use rfc2307 = yes
> >>>>>
> >>>>> [netlogon]
> >>>>> path = /var/lib/samba/sysvol/samdom.example.com/scripts
> >>>>> read only = No
> >>>>>
> >>>>> [sysvol]
> >>>>> path = /var/lib/samba/sysvol
> >>>>> read only = No
> >>>>>
> >>>>> root@m1:~# cat /etc/samba/smb.conf
> >>>>> [global]
> >>>>> security = ADS
> >>>>> workgroup = SAMDOM
> >>>>> realm = SAMDOM.EXAMPLE.COM
> >>>>>
> >>>>> log file = /var/log/samba/%m.log
> >>>>> log level = 1 winbind:10
> >>>>>
> >>>>> # idmap config used for your domain.
> >>>>> # Click on the following links for more information
> >>>>> # on the available winbind idmap backends,
> >>>>> # Choose the one that fits your requirements
> >>>>> # then add the corresponding configuration.
> >>>>> idmap config * : backend = tdb
> >>>>> idmap config * : range = 2000-9999
> >>>>>
> >>>>> # idmap config for the SAMDOM domain
> >>>>> idmap config SAMDOM:backend = ad
> >>>>> idmap config SAMDOM:schema_mode = rfc2307
> >>>>> idmap config SAMDOM:range = 10000-999999
> >>>>>
> >>>>> winbind nss info = rfc2307
> >>>>>
> >>>>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! samaccountname=demo01
> >>>>> # record 1
> >>>>> dn: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >>>>> objectClass: top
> >>>>> objectClass: person
> >>>>> objectClass: organizationalPerson
> >>>>> objectClass: user
> >>>>> cn: demo01
> >>>>> instanceType: 4
> >>>>> whenCreated: 20161207153641.0Z
> >>>>> uSNCreated: 3797
> >>>>> name: demo01
> >>>>> objectGUID: f636d153-a965-4251-a5ae-64ac05c89e5d
> >>>>> badPwdCount: 0
> >>>>> codePage: 0
> >>>>> countryCode: 0
> >>>>> badPasswordTime: 0
> >>>>> lastLogoff: 0
> >>>>> lastLogon: 0
> >>>>> primaryGroupID: 513
> >>>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1108
> >>>>> accountExpires: 9223372036854775807
> >>>>> logonCount: 0
> >>>>> sAMAccountName: demo01
> >>>>> sAMAccountType: 805306368
> >>>>> userPrincipalName: demo01@samdom.example.com
> >>>>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >>>>> uidNumber: 10000
> >>>>> loginShell: /bin/bash
> >>>>> unixHomeDirectory: /home/demo01
> >>>>> msSFU30NisDomain: samdom
> >>>>> msSFU30Name: demo01
> >>>>> unixUserPassword: ABCD!efgh12345$67890
> >>>>> pwdLastSet: 131255986018743120
> >>>>> userAccountControl: 512
> >>>>> gidNumber: 10000
> >>>>> uid: demo01
> >>>>> whenChanged: 20161208113015.0Z
> >>>>> uSNChanged: 3832
> >>>>> distinguishedName: CN=demo01,OU=example,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # returned 4 records
> >>>>> # 1 entries
> >>>>> # 3 referrals
> >>>>>
> >>>>> root@dc1:~# ldbsearch -H ldap://localhost -Uadministrator%Test234! cn=demogroup
> >>>>> # record 1
> >>>>> dn: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >>>>> objectClass: top
> >>>>> objectClass: group
> >>>>> cn: demogroup
> >>>>> instanceType: 4
> >>>>> whenCreated: 20161207161213.0Z
> >>>>> uSNCreated: 3815
> >>>>> name: demogroup
> >>>>> objectGUID: 30ea6c61-63fc-44f7-87d9-0311abbac9ae
> >>>>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1110
> >>>>> sAMAccountName: demogroup
> >>>>> sAMAccountType: 268435456
> >>>>> groupType: -2147483646
> >>>>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> >>>>> msSFU30NisDomain: SAMDOM
> >>>>> gidNumber: 10000
> >>>>> whenChanged: 20161208104335.0Z
> >>>>> uSNChanged: 3824
> >>>>> distinguishedName: CN=demogroup,OU=example,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # Referral
> >>>>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
> >>>>>
> >>>>> # returned 4 records
> >>>>> # 1 entries
> >>>>> # 3 referrals
> >>>>>
> >>>>> TIA,
> >>>>> Oliver
> >>>>>
> >>>> Have you given 'Domain Users' a gidNumber attribute containing a
> >>>> number inside '10000-999999' ?
> >>>>
> >>>> Rowland
> >>>>
> >>>
> >>> I did not touch the builtin domain groups. I thought it was
> >>> sufficient if the primary posix group of that user (demogroup)
> >>> was within the range. demogroup has a gidNumber of 10000.
> >>> Do I still need to modify the domain users in that case? Any other
> >>> domain groups that I need to modify?
> >>>
> >>> Oliver
> >>
> >> So I gave Domain Users 99999 and voilà:
> >>
> >> root@m1:~# wbinfo -i SAMDOM\\demo01
> >> SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash
> >>
> >> Seems samba always uses the primaryGroupID which for demo01 is set
> >> to 'Domain Users'. I'm just wondering a bit then why there is a
> >> gidNumber as a user attribute, as it is not used in the posix
> >> context.
> >>
> >> Thanks for your help,
> >> Oliver
> >>
> > If a group doesn't have a gidNumber it is invisible to Unix.
> >
> > Rowland
>
> But what is the user's gidNumber attribute good for? Seems it is
> never used - at least with winbind.
>
> Oliver

To be honest, I have never found a use for it. If a user is a member of
an AD group and that group has a gidNumber it is available to be used
with Unix.

Rowland