Mandi (hello)! Rowland Penny via samba
  On that day you wrote...

> > I'm again a bit confused... ;-(((
> Yes I can see that ;-)

;-)

Sorry for the late answer, but I was busy on other things...

> Hope this helps, but feel free to ask any questions.

I'll try to summarize:

a) as I supposed, 'RFC2307 group membership' is totally ignored by samba, so I can use the RFC2307 schema to associate a UID to users and a GID to groups, but the relation between UID and GID (e.g. membership) in UNIX is derived directly from the Windows membership only. Good.

b) changing the ''primary'' Windows group from 'Domain Users' to another group is supported only by samba 4.6.0 and newer.

c) (Windows) membership is expressed using 'member' in the group object (full DN of the users) but also using 'primaryGroupID' in the user object (RID of the group; for b) above, primaryGroupID is always '513').

d) in (Windows) membership, if a user has a primary group, the group does not have the corresponding full user DN in 'member'; again for b) above, the group 'Domain Users' has no 'member' because all users have primaryGroupID=513

If I'm right, I have two questions:

1) does a) also work for nested groups? E.g., if I have nested groups, does the Windows<-UNIX mapping of memberships simply ''flatten'' the Windows membership into UNIX UIDs?

2) Supposing I'm using samba >= 4.6, to make an LDAP query that returns all the memberships correctly I need to look for 'member' in groups and 'primaryGroupID' in users; is there a single LDAP query for that? E.g., a query that, given a group name/DN, returns all users (as DN or UID) that belong to that group?

Thanks.

-- 
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Fri, 30 Jun 2017 15:17:53 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi (hello)! Rowland Penny via samba
>   On that day you wrote...
> 
> > > I'm again a bit confused... ;-(((
> > Yes I can see that ;-)
> 
> ;-)
> 
> Sorry for the late answer, but I was busy on other things...
> 
> > Hope this helps, but feel free to ask any questions.
> 
> I'll try to summarize:
> 
> a) as I supposed, 'RFC2307 group membership' is totally ignored by
> samba, so I can use the RFC2307 schema to associate a UID to users and
> a GID to groups, but the relation between UID and GID (e.g. membership)
> in UNIX is derived directly from the Windows membership only. Good.

Correct

> 
> b) changing the ''primary'' Windows group from 'Domain Users' to another
> group is supported only by samba 4.6.0 and newer.

Correct

> 
> c) (Windows) membership is expressed using 'member' in the group object
> (full DN of the users) but also using 'primaryGroupID' in the user
> object (RID of the group; for b) above, primaryGroupID is always '513').
> 
> d) in (Windows) membership, if a user has a primary group, the group
> does not have the corresponding full user DN in 'member'; again for b)
> above, the group 'Domain Users' has no 'member' because all users have
> primaryGroupID=513
> 

Every Windows domain user's primary group is '513' (this is Domain
Users), but it is not shown anywhere else in AD. There are no 'member' or
'memberOf' attributes anywhere that refer to members of Domain Users.
It just relies on the 'primaryGroupID' attribute (which, if you care to
check, is set to 515 for computers)

> 
> If I'm right, I have two questions:
> 
> 1) does a) also work for nested groups? E.g., if I have nested groups,
> does the Windows<-UNIX mapping of memberships simply ''flatten'' the
> Windows membership into UNIX UIDs?

If you add a group to a group, your Unix users will gain membership of
the parent group, but the parent group must also have a gidNumber to be
used on a Unix machine.

> 
> 2) Supposing I'm using samba >= 4.6, to make an LDAP query that returns
> all the memberships correctly I need to look for 'member' in groups
> and 'primaryGroupID' in users; is there a single LDAP query for that?
> E.g., a query that, given a group name/DN, returns all users (as DN or
> UID) that belong to that group?

There is absolutely no need to search for the primaryGroupID of any AD
user, it will always be '513' unless somebody has been stupid enough to
change it, in which case they have broken the Windows user.

The easiest way to find out what groups a user is a member of is to
search the user's DN for 'memberOf', though this will only show what
Windows groups the user is a member of. If you only want to find and
display the Unix groups, you will then have to check each group a
user is a member of to see if it has a gidNumber attribute; you
would then have to check if the group is also a member of another group,
then check if this possible other group has a gidNumber and if this
group is also a member of another group, and so on. This could get
complicated.

Rowland
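The two membership rules discussed above (group-in-group nesting via 'member'/'memberOf', and the primary group carried only by the user's 'primaryGroupID', so that 'Domain Users' never lists anyone in 'member') are easy to get wrong when scripting against the directory. The following is an added example, not code from the thread or from Samba, that implements the walk Rowland describes over a constructed in-memory snapshot of AD entries, so it runs without a DC. The DNs, the domain SID S-1-5-21-1111-2222-3333, the gidNumber/uidNumber values and the groups 'staff' and 'office' are all assumptions made up for the example; 'office' deliberately has no gidNumber to show the Unix-side filtering, and it is nested back into 'staff' to show that a cycle must not loop the walk.

```python
"""Resolve Windows group membership the way the thread describes, over a
constructed in-memory snapshot of AD entries (no live LDAP server needed).

Rules implemented:
  * membership is carried by the group's 'member' attribute, nested
    group-in-group ('memberOf' on the member is just the back-link);
  * the primary group is carried ONLY by the user's 'primaryGroupID'
    (the RID of the group), so 'Domain Users' (RID 513) has no 'member';
  * a group matters on a Unix box only if it carries a gidNumber.
"""
from typing import Dict, List, Set

# Constructed sample directory: DN -> attributes (LDAP values are lists).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # assumed, not from the thread
USERS = "CN=Users,DC=example,DC=com"
GROUPS = "OU=Groups,DC=example,DC=com"
SAMPLE_DIR: Dict[str, Dict[str, List[str]]] = {
    f"CN=Domain Users,{USERS}": {
        "objectClass": ["group"], "objectSid": [f"{DOMAIN_SID}-513"],
        "gidNumber": ["10000"],
        # no 'member': everyone is here only through primaryGroupID=513
    },
    f"CN=Domain Computers,{USERS}": {
        "objectClass": ["group"], "objectSid": [f"{DOMAIN_SID}-515"],
        "gidNumber": ["10001"],
    },
    f"CN=Domain Admins,{USERS}": {
        "objectClass": ["group"], "objectSid": [f"{DOMAIN_SID}-512"],
        "gidNumber": ["10002"], "member": [f"CN=gaio,{USERS}"],
    },
    f"CN=staff,{GROUPS}": {
        "objectClass": ["group"], "objectSid": [f"{DOMAIN_SID}-1101"],
        "gidNumber": ["10010"], "member": [f"CN=office,{GROUPS}"],  # nested
    },
    f"CN=office,{GROUPS}": {
        "objectClass": ["group"], "objectSid": [f"{DOMAIN_SID}-1102"],
        # no gidNumber: a Windows-only group; also nests 'staff' back (cycle)
        "member": [f"CN=amaronese,{USERS}", f"CN=staff,{GROUPS}"],
    },
    f"CN=gaio,{USERS}": {
        "objectClass": ["user"], "uidNumber": ["20001"], "primaryGroupID": ["513"],
    },
    f"CN=amaronese,{USERS}": {
        "objectClass": ["user"], "uidNumber": ["20002"], "primaryGroupID": ["513"],
    },
    "CN=LUPUS$,CN=Computers,DC=example,DC=com": {
        "objectClass": ["user", "computer"], "primaryGroupID": ["515"],
    },
}


def _rid_of(entry: Dict[str, List[str]]) -> str:
    """RID is the last dash-separated component of the objectSid string."""
    return entry["objectSid"][0].rsplit("-", 1)[1]


def _is_group(entry: Dict[str, List[str]]) -> bool:
    return "group" in entry["objectClass"]


def users_in_group(directory: Dict[str, Dict[str, List[str]]], group_dn: str) -> Set[str]:
    """All user DNs belonging to group_dn, transitively (question 2 in the thread).

    Walks 'member' (descending into nested groups, cycle-safe) and, for every
    group visited, also collects users whose primaryGroupID equals that
    group's RID, since those users never appear in any 'member' attribute.
    """
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        gdn = stack.pop()
        if gdn in seen:
            continue
        seen.add(gdn)
        rid = _rid_of(directory[gdn])
        for dn, entry in directory.items():
            if not _is_group(entry) and entry.get("primaryGroupID") == [rid]:
                users.add(dn)
        for mdn in directory[gdn].get("member", []):
            if _is_group(directory[mdn]):
                stack.append(mdn)  # nested group: keep descending
            else:
                users.add(mdn)
    return users


def groups_of_user(directory: Dict[str, Dict[str, List[str]]], user_dn: str) -> Set[str]:
    """All group DNs user_dn belongs to, transitively: the 'memberOf' chase
    (computed here from 'member', which is what memberOf back-links) plus
    the primary group resolved from primaryGroupID."""
    parents: Dict[str, List[str]] = {}  # member DN -> groups listing it
    for gdn, entry in directory.items():
        if _is_group(entry):
            for mdn in entry.get("member", []):
                parents.setdefault(mdn, []).append(gdn)
    rid = directory[user_dn].get("primaryGroupID", [None])[0]
    groups: Set[str] = {gdn for gdn, e in directory.items()
                        if _is_group(e) and _rid_of(e) == rid}
    stack = [user_dn] + sorted(groups)
    while stack:  # cycle-safe because we only push unseen groups
        dn = stack.pop()
        for gdn in parents.get(dn, []):
            if gdn not in groups:
                groups.add(gdn)
                stack.append(gdn)
    return groups


def unix_gids_for_user(directory: Dict[str, Dict[str, List[str]]], user_dn: str) -> List[int]:
    """Only groups carrying a gidNumber exist on the Unix side (Rowland's caveat)."""
    return sorted(int(directory[g]["gidNumber"][0])
                  for g in groups_of_user(directory, user_dn)
                  if "gidNumber" in directory[g])


if __name__ == "__main__":
    for dn in (f"CN=gaio,{USERS}", f"CN=amaronese,{USERS}"):
        print(dn, "->", unix_gids_for_user(SAMPLE_DIR, dn))
    print(sorted(users_in_group(SAMPLE_DIR, f"CN=Domain Users,{USERS}")))
```

Against a real DC the 'member' chase can be collapsed into one query with the transitive matching rule that AD and Samba AD DCs accept, e.g. the filter `(memberOf:1.2.840.113556.1.4.1941:=CN=staff,OU=Groups,DC=example,DC=com)`, but that still only follows 'member' links; membership held through primaryGroupID (the whole of 'Domain Users' and 'Domain Computers') has to be added separately, as the function above does, and the gidNumber check remains a second filter step.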
Mandi (hello)! Rowland Penny via samba
  On that day you wrote...

[As you supposed, I'm back... sorry to all...]

> > > Hope this helps, but feel free to ask any questions.
> > I'll try to summarize:
> > a) as I supposed, 'RFC2307 group membership' is totally ignored by
> > samba, so I can use the RFC2307 schema to associate a UID to users and
> > a GID to groups, but the relation between UID and GID (e.g. membership)
> > in UNIX is derived directly from the Windows membership only. Good.
> Correct
> > b) changing the ''primary'' Windows group from 'Domain Users' to another
> > group is supported only by samba 4.6.0 and newer.
> Correct
> > c) (Windows) membership is expressed using 'member' in the group object
> > (full DN of the users) but also using 'primaryGroupID' in the user
> > object (RID of the group; for b) above, primaryGroupID is always '513').
> > d) in (Windows) membership, if a user has a primary group, the group
> > does not have the corresponding full user DN in 'member'; again for b)
> > above, the group 'Domain Users' has no 'member' because all users have
> > primaryGroupID=513
> Every Windows domain user's primary group is '513' (this is Domain
> Users), but it is not shown anywhere else in AD. There are no 'member' or
> 'memberOf' attributes anywhere that refer to members of Domain Users.
> It just relies on the 'primaryGroupID' attribute (which, if you care to
> check, is set to 515 for computers)

OK. But ''generally'' (AD domains) speaking, and specifically for samba >= 4.6, I can modify 'primaryGroupID', or...

> > 2) Supposing I'm using samba >= 4.6, to make an LDAP query that returns
> > all the memberships correctly I need to look for 'member' in groups
> > and 'primaryGroupID' in users; is there a single LDAP query for that?
> > E.g., a query that, given a group name/DN, returns all users (as DN or
> > UID) that belong to that group?
> There is absolutely no need to search for the primaryGroupID of any AD
> user, it will always be '513' unless somebody has been stupid enough to
> change it, in which case they have broken the Windows user.

You are speaking about a ''feature'' that is not practically used, and so in an AD domain everything assumes that users have primaryGroupID 513 and hosts/machines 515?! Why does samba support a feature that is not supposed to be used?

> > If I'm right, I have two questions:
> > 1) does a) also work for nested groups? E.g., if I have nested groups,
> > does the Windows<-UNIX mapping of memberships simply ''flatten'' the
> > Windows membership into UNIX UIDs?
> If you add a group to a group, your Unix users will gain membership of
> the parent group, but the parent group must also have a gidNumber to be
> used on a Unix machine.

Obviously. Super clear.

> The easiest way to find out what groups a user is a member of is to
> search the user's DN for 'memberOf', though this will only show what
> Windows groups the user is a member of. If you only want to find and
> display the Unix groups, you will then have to check each group a
> user is a member of to see if it has a gidNumber attribute; you
> would then have to check if the group is also a member of another group,
> then check if this possible other group has a gidNumber and if this
> group is also a member of another group, and so on. This could get
> complicated.

OK. Thanks.

I'll add another question, from lurking on the list these weeks. It seems to me that some users/groups should not have a UID/GID (I suppose, generically, RFC2307 data) assigned. E.g., also looking at your answer here, it seems that it is better for Administrator not to have a UID, and only 'domain users' and 'domain computers' need a UID.

After the migration with 'classicupgrade' I have:

 root at lupus:~# getent passwd | grep -i administrator
 root at lupus:~# getent group | egrep ":5[0-9][0-9]:"
 domain computers:*:515:
 domain admins:*:512:gaio,amaronese,lucaf
 domain guests:*:514:
 domain users:*:513:amaronese,gaio

Do I need to remove the GID for domain admins and domain guests?

Thanks.

-- 
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)