Hi Rowland,

I'm pretty sure this is a bug in the DC part. I'll show.

On the DC.

dc1:~# getent passwd winadmin
NTDOM\winadmin:*:10000:100::/home/users/winadmin:/bin/bash

wbinfo --group-info="Domain Users"
NTDOM\domain users:x:100:

id winadmin
uid=10000(NTDOM\winadmin) gid=100(users) groups=100(users),3000004(BAZRTD\group policy creator owners),3000008(NTDOM\domain admins)

mem1:~$ getent passwd winadmin
winadmin:*:10000:10000:WinAdmin ICT:/home/users/windmin:/bin/bash

wbinfo --group-info="Domain Users"
domain users:x:10000:

I can say I never ever use(d) GID 100.

Now I re-checked my users and group from within Windows.
This user, winadmin, primary GID is "Domain Users" with uid 10000, so the member resolves correct.
I rechecked my group, the UnixTab shows the correct "nis" domain and correct GID 10000.
I rechecked everything I could and it all shows it should be 10000.
Only the DC output tells us it's 100.

Anyone already on 4.7 who can test this by chance?
Or anyone on 4.6.7/4.6.6 who can test this also?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Stefan G. Weichinger via samba
> Sent: Monday 25 September 2017 17:45
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
>
> On 2017-09-25 at 17:41, Rowland Penny via samba wrote:
> > On Mon, 25 Sep 2017 17:33:55 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >
> >> maybe I am still wrong but I assume I have to use "--gid-number=10513"
> >> when creating a user, and not "100" ?
> >>
> >> as in:
> >>
> >> # samba-tool user create User5 P#ssw5rd --nis-domain=ARBEITSGRUPPE
> >> --unix-home=/home/User5 --uid-number=10098 --login-shell=/bin/false
> >> --gid-number=10513
> >
> > Yes
> >
> >>
> >> Or skip that option ?
> >
> > No, you will get an error message if you do (unless you also drop the
> > '--nis-domain' option as well)
>
> ok. We will try that tmrw ... got to leave now.
> Have a nice evening everyone (at least here it is evening ...)
>
> stefan
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Hello! L.P.H. van Belle via samba
  On that day it was said...

> I'm pretty sure this is a bug in the DC part.

Ahem, sorry, but I'm lost in following this thread. I've just set up my
test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package, Louis)
on a Debian jessie.

Very minimal configuration:

root@vdcsv1:~# samba-tool testparm
Press enter to see a dump of your service definitions

# Global parameters
[global]
        netbios name = VDCSV1
        realm = AD.FVG.LNF.IT
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = LNFFVG
        server role = active directory domain controller
        template homedir = /home/%U
        template shell = /bin/bash
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/ad.fvg.lnf.it/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

and I've created a user:

samba-tool user add gaio --use-username-as-cn --surname=Gaiarin --given-name=Marco --unix-home=/home/gaio --uid=gaio --uid-number=10000 --gecos="Marco Gaiarin" --login-shell=/bin/bash

and now:

root@vdcsv1:~# id gaio
uid=10000(LNFFVG\gaio) gid=100(users) gruppi=100(users),10000(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)

root@vdcsv1:~# getent group "Domain Users"
LNFFVG\domain users:x:100:

root@vdcsv1:~# wbinfo -G 100
S-1-5-21-160080369-3601385002-3131615632-513

I've done something wrong, or is it the domain provisioning in samba-tool
that associates 'Domain Users' to gid 100?

Another question: there's no way to modify users and groups with samba-tool?
I need to drop 'domain users' and recreate it? ;-)

Thanks.

--
dott. Marco Gaiarin                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''   http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it  t +39-0434-842711  f +39-0434-842797

On Tue, 26 Sep 2017 12:49:26 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hello! L.P.H. van Belle via samba
>   On that day it was said...
>
> > I'm pretty sure this is a bug in the DC part.
>
> Ahem, sorry, but I'm lost in following this thread. I've just set up my
> test domain, using samba 2:4.5.8+dfsg-2+deb9u1~bpo8+1 (your package,
> Louis) on a Debian jessie.
>
> Very minimal configuration:
>
> root@vdcsv1:~# samba-tool testparm
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
>         netbios name = VDCSV1
>         realm = AD.FVG.LNF.IT
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = LNFFVG
>         server role = active directory domain controller
>         template homedir = /home/%U
>         template shell = /bin/bash
>         idmap_ldb:use rfc2307 = yes
>
> [netlogon]
>         path = /var/lib/samba/sysvol/ad.fvg.lnf.it/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> and I've created a user:
>
> samba-tool user add gaio --use-username-as-cn --surname=Gaiarin --given-name=Marco --unix-home=/home/gaio --uid=gaio --uid-number=10000 --gecos="Marco Gaiarin" --login-shell=/bin/bash
>
> and now:
>
> root@vdcsv1:~# id gaio
> uid=10000(LNFFVG\gaio) gid=100(users) gruppi=100(users),10000(LNFFVG\unixadm),3000008(LNFFVG\domain admins),3000005(LNFFVG\denied rodc password replication group),3000005(LNFFVG\denied rodc password replication group),3000009(BUILTIN\users),3000000(BUILTIN\administrators)
>
> root@vdcsv1:~# getent group "Domain Users"
> LNFFVG\domain users:x:100:

Try running 'net cache flush' then run the above command again.

> root@vdcsv1:~# wbinfo -G 100
> S-1-5-21-160080369-3601385002-3131615632-513
>
> I've done something wrong, or is it the domain provisioning in samba-tool
> that associates 'Domain Users' to gid 100?

No, you haven't done anything wrong and yes the provision does set
Domain Users to '100' in idmap.ldb.

> Another question: there's no way to modify users and groups with
> samba-tool? I need to drop 'domain users' and recreate it? ;-)

Do not remove Domain Users, but you are correct, there is no way to
modify a user or group with samba-tool (you can do this for a user with
4.7.0), but you can use ldbedit.

Rowland

Hi Rowland,

> No, you haven't done anything wrong and yes the provision
> does set Domain Users to '100' in idmap.ldb.

Ow.. This I did not know, only wondering why it's not BUILTIN\users (how it is in Windows).
Do you know as of which version this is? Or as of start, I really never noticed this.

> Do not remove Domain Users, but you are correct, there is no
> way to modify a user or group with samba-tool (you can do
> this for a user with 4.7.0), but you can use ldbedit.
>
> Rowland

Ok, I did read somewhere that Samba uses S-1-22-1 for users and S-1-22-2 for groups.

wbinfo -G 100
S-1-5-21-3821322978-3959480180-962995944-513

wbinfo -G 10000
S-1-22-2-10000

S-1-22-2-10000 is the unix group with uid 10000 (which is also in my case "Domain Users").
But how this maps again in samba, that I really don't know.

Arg, very confusing all..
Well, at least we now know this is by design. Pfew..

Thanks for all the info guys.

Greetz,

Louis
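
One way to check for the divergence discussed in this thread, as an added example that is not part of any poster's message: it compares the `getent passwd` lines quoted above for the DC and the member (the primary gid decides which group owns the files a user creates on each host) and classifies the quoted `wbinfo -G` answers. The function names are hypothetical, and treating both `wbinfo -G` answers as coming from one host is an assumption.

```python
import re

# Lines copied from the thread: the same account as seen on the DC and on the member.
DC_PASSWD = r"NTDOM\winadmin:*:10000:100::/home/users/winadmin:/bin/bash"
MEMBER_PASSWD = "winadmin:*:10000:10000:WinAdmin ICT:/home/users/windmin:/bin/bash"
# `wbinfo -G <gid>` answers quoted in the thread (assumed to come from one host).
GID_TO_SID = {
    100: "S-1-5-21-3821322978-3959480180-962995944-513",
    10000: "S-1-22-2-10000",
}

def parse_passwd(line):
    """Parse one `getent passwd` line, dropping any DOMAIN\\ prefix from the name."""
    name, _pw, uid, gid, _gecos, _home, _shell = line.strip().split(":", 6)
    return {"name": name.rsplit("\\", 1)[-1].lower(), "uid": int(uid), "gid": int(gid)}

def classify_sid(sid):
    """Tell a domain SID from Samba's S-1-22-1 (Unix user) / S-1-22-2 (Unix group)."""
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    if m:
        return "unix-user" if m.group(1) == "1" else "unix-group"
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", sid)
    if m:  # RID 513 is the well-known Domain Users RID
        return "domain-users" if m.group(1) == "513" else "domain-rid-" + m.group(1)
    return "other"

def compare_hosts(dc_line, member_line, gid_to_sid):
    """Return (code, detail) findings for one account seen on two hosts."""
    dc, mem = parse_passwd(dc_line), parse_passwd(member_line)
    if dc["name"] != mem["name"]:
        raise ValueError("lines describe different accounts")
    findings = []
    for field in ("uid", "gid"):
        if dc[field] != mem[field]:
            findings.append((field + "-mismatch", f"DC={dc[field]} member={mem[field]}"))
    # Flag every primary gid that does not resolve to the Domain Users SID.
    for gid in sorted({dc["gid"], mem["gid"]}):
        kind = classify_sid(gid_to_sid.get(gid, ""))
        if kind != "domain-users":
            findings.append(("gid-not-domain-users", f"gid {gid} resolves to {kind}"))
    return findings

if __name__ == "__main__":
    for code, detail in compare_hosts(DC_PASSWD, MEMBER_PASSWD, GID_TO_SID):
        print(code, detail)
```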