Hello! Rowland Penny via samba, that day, wrote...

Sorry, I come back to that:

> Not sure what you are getting at here, if you add a user to a group in
> AD, you not only get a record in the group object, you also get a
> record in the users object
>
> dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> .....
> member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
>
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> .....
> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
>
> So you don't have to modify the user at all, again samba-tool can do
> things like this for you, see 'samba-tool group --help'

Because I'm not clear on how group management works in AD. I'm using
'Active Directory Users and Computers', so I think a pretty standard tool.
Some questions.

a) I haven't found 'member' in the user object.

b) Membership is recorded in groups via the 'member' field of the group
object. Membership is expressed as the full user DN.

c) If, for the group object, I add some members in 'UNIX Attributes', they
are not saved (e.g., if I add some user and I do 'Apply' and then 'OK',
when I come back to the group, the UNIX attributes membership is empty).

d) If, for a user, I set a primary group in 'Member of' (NOT UNIX
attributes), the user object gets a 'primaryGroupID' value with the RID of
the group, and the relative 'member' value in the group DISAPPEARS. Argh!

So, it seems to me that:

1) Probably by my fault, some of the UNIX data (e.g., group membership)
does not work. I think it can also be irrelevant, because winbind/sssd get
UNIX membership another way (e.g., ''windows'' membership and not
UNIX/rfc2203 ones).

2) If I need to know which users belong to group 'X', I have to collect
all DNs listed in 'member' of that group, AND all users that have the RID
of the group as 'primaryGroupID'.

I'm again a bit confused... ;-(((

--
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
On Fri, 23 Jun 2017 17:34:48 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! Rowland Penny via samba, that day, wrote...
>
> Sorry, I come back to that:
>
> > Not sure what you are getting at here, if you add a user to a group
> > in AD, you not only get a record in the group object, you also get a
> > record in the users object
> >
> > dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> > .....
> > member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> >
> > dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> > .....
> > memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> >
> > So you don't have to modify the user at all, again samba-tool can do
> > things like this for you, see 'samba-tool group --help'
>
> Because I'm not clear on how group management works in AD. I'm using
> 'Active Directory Users and Computers', so I think a pretty standard
> tool. Some questions.
>
> a) I haven't found 'member' in the user object.
>
> b) Membership is recorded in groups via the 'member' field of the group
> object. Membership is expressed as the full user DN.
>
> c) If, for the group object, I add some members in 'UNIX Attributes',
> they are not saved (e.g., if I add some user and I do 'Apply' and then
> 'OK', when I come back to the group, the UNIX attributes membership is
> empty).
>
> d) If, for a user, I set a primary group in 'Member of' (NOT UNIX
> attributes), the user object gets a 'primaryGroupID' value with the RID
> of the group, and the relative 'member' value in the group DISAPPEARS.
> Argh!
>
>
> So, it seems to me that:
>
> 1) Probably by my fault, some of the UNIX data (e.g., group membership)
> does not work. I think it can also be irrelevant, because winbind/sssd
> get UNIX membership another way (e.g., ''windows'' membership and not
> UNIX/rfc2203 ones).
>
> 2) If I need to know which users belong to group 'X', I have to collect
> all DNs listed in 'member' of that group, AND all users that have
> the RID of the group as 'primaryGroupID'.
>
>
> I'm again a bit confused... ;-(((
>

Yes I can see that ;-)

I can also see why, your problem is that you are using the Unix
attributes tab. Let's see if I can explain this ;-)

First and foremost, all your users are Windows users and your groups are
the same. When you want a user to be a Unix user as well, you add the
required RFC2307 attributes, the same goes for groups. Just use the
'Unix attributes' tab to add the required attributes and, if you are
using a version of Samba before 4.6.0, ensure the primary group is set to
Domain Users, from 4.6.0, you can change it to any group that has a
gidNumber.

If you create a group, let's call ours 'unixgroup', you would first
create it as a Windows group, you would then add a gidNumber attribute
using the 'Unix attributes' tab for the group. The group 'unixgroup'
would then be a Windows group AND a Unix group.

Now this is where you are going wrong, you do not add Unix users to a
Unix group by using a 'Unix attributes' tab, you can, but it will not do
anything from a Unix perspective (or Windows, come to that). Remember
what I said about all users & groups being Windows ones? Just add the
Windows/Unix users to the Windows/Unix group using the standard Windows
tools and Unix will see them as Unix users of Unix groups.

So, to shorten the above:

Create users & groups
Extend to Unix users & groups with the 'Unix attributes' tab
Pretend they are just Windows users when adding the users to a group.

Hope this helps, but feel free to ask any questions.

Rowland
Hello! Rowland Penny via samba, that day, wrote...

> > I'm again a bit confused... ;-(((
> Yes I can see that ;-)

;-)

Sorry for the late answer, but I was busy on other things...

> Hope this helps, but feel free to ask any questions.

I try to summarize:

a) As I supposed, 'RFC2307 group membership' is totally ignored by samba,
so I can use the RFC2307 schema to associate a UID to users and a GID to
groups, but the relation between UID and GID (e.g., membership) in UNIX
is derived directly from the Windows membership only. Good.

b) Changing the ''primary'' Windows group from 'Domain Users' to another
group is supported only by samba 4.6.0 and newer.

c) (Windows) membership is expressed using 'member' in the group object
(full DN of the users) but also using 'primaryGroupID' in the user object
(RID of the group; for b) above, primaryGroupID is always '513').

d) In (Windows) membership, if a user has a primary group, the group does
not have the relative full user DN in 'member'; again for b) above, group
'Domain Users' has no 'member' because all users have primaryGroupID=513.

If I'm right, I have two questions:

1) Does a) also work for nested groups, right? E.g., if I have nested
groups, the Windows<-UNIX mapping of memberships simply ''flattens'' the
Windows membership into UNIX UIDs?

2) Supposing I'm using samba >= 4.6, to make an LDAP query that returns
all the memberships correctly I need to look for 'member' in groups and
'primaryGroupID' in users; is there just one LDAP query for that? E.g., a
query that, given a group name/DN, returns all users (as DN or UID) that
belong to that group?

Thanks.

--
dott. Marco Gaiarin
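The two lookups asked about in question 2), and the flattening of nested groups asked about in question 1), combined into one offline routine. This is an added example, not code from the thread or from Samba: a group's members are taken from its own 'member' values plus every user whose 'primaryGroupID' equals the group's RID (the last component of its objectSid), and nested groups are expanded recursively. The LDIF-style dump, the DNs, SIDs and gidNumber are constructed for the example; on a live domain the same two lookups correspond to the search filters (memberOf=<group DN>) and (primaryGroupID=<rid>). The point for anyone auditing membership of a group is the one made in d) above: users attached through primaryGroupID never show up in the group's 'member' attribute, so a tool that reads only 'member' undercounts.

```python
# Added example (not from the thread or from Samba): resolve the effective
# membership of an AD group from a small constructed LDIF-like dump, using the
# two places AD records membership:
#   * the group's multi-valued 'member' attribute (full DNs), and
#   * each user's 'primaryGroupID' (the group's RID), which produces NO
#     'member' value on the group side.
# Nested groups are flattened. All sample data below is constructed.
from collections import defaultdict

# Constructed sample dump, modelled on the attribute names used in the thread.
# 'Domain Users' (RID 513) deliberately has no 'member' values at all.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-513

dn: CN=unixgroup,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-1105
gidNumber: 10001
member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
member: CN=nested,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=nested,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111-2222-3333-1106
member: CN=Alice,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
objectSid: S-1-5-21-1111-2222-3333-1107
primaryGroupID: 513

dn: CN=Alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
objectSid: S-1-5-21-1111-2222-3333-1108
primaryGroupID: 513

dn: CN=Bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
objectSid: S-1-5-21-1111-2222-3333-1109
primaryGroupID: 1105
"""


def parse_ldif(text):
    """Minimal LDIF parser (no base64 values, no line folding).
    Returns {dn: {attribute: [values]}}."""
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def rid_of(entry):
    """Relative identifier: the last dash-separated component of objectSid."""
    return int(entry["objectSid"][0].rsplit("-", 1)[1])


def direct_members(entries, group_dn):
    """Direct members of group_dn, mapped to where each one was found:
    'member' (attribute on the group) or 'primaryGroupID' (attribute on
    the user, invisible when you only read the group)."""
    group = entries[group_dn]
    rid = str(rid_of(group))
    found = {dn: "member" for dn in group.get("member", [])}
    for dn, entry in entries.items():
        if entry.get("primaryGroupID") == [rid]:
            found.setdefault(dn, "primaryGroupID")
    return found


def effective_members(entries, group_dn, _seen=None):
    """All user DNs that end up in group_dn, with nested groups flattened.
    _seen guards against membership cycles between groups."""
    seen = set() if _seen is None else _seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    users = set()
    for dn in direct_members(entries, group_dn):
        if "group" in entries[dn]["objectClass"]:
            users |= effective_members(entries, dn, seen)
        else:
            users.add(dn)
    return users


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for name in ("unixgroup", "Domain Users"):
        dn = f"CN={name},CN=Users,DC=samdom,DC=example,DC=com"
        print(name, "direct:", direct_members(directory, dn))
        print(name, "effective:", sorted(effective_members(directory, dn)))
```

Running the block shows 'Domain Users' with an empty direct 'member' list yet two effective users, and 'unixgroup' picking up Bob only through his primaryGroupID; that is exactly the difference between reading the group object and combining both attributes.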