On 2017-10-10 at 09:57, Rowland Penny via samba wrote:
> On Tue, 10 Oct 2017 09:19:11 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>>
>> The admin there created a group via RSAT.
>> And that group was not visible/usable on the DM server.
>
> It wouldn't be if the group was created as just a windows group.

How to create the group as unix group via RSAT?
By adding the gidNumber, right?

As asked before: do I have to keep track of the next free gidNumber
myself? I assume there is some cool grep to read the highest used xid
from LDAP or so ... ?

>> Until here there was no decision for a uidNumber or gidNumber.
>> He did not set one via RSAT. Does he have to do that?
>
> On a DC, group will be given an xidNumber and if the libnss_winbind
> links are set up, this will be used, but only on that DC
>
> On a Unix domain member, it is different, the xidNumber will not be
> used, because it isn't available.
> You have two main options, use the winbind 'rid' backend, with this,
> provided you use the same smb.conf on all Unix domain members, you will
> get the required UIDs & GIDs without adding anything to AD.
> There is a 'gotcha' though, you will have to use the template lines in
> smb.conf for user shell & home dirs. Your users and groups would also
> have different IDs on the DC.
> If you want to have the same IDs everywhere, you will have to use the
> winbind 'ad' backend and give your users & groups uidNumber and
> gidNumber attributes, you will also be able to use the other RFC2307
> attributes.
>
> Whichever winbind backend you use on the Unix domain members, you will
> also have to set up the libnss_winbind links.

OK, I think I understand.

We use backend "ad" on the DM and the DM has
/usr/lib64/libnss_winbind.so* and

# grep winbind /etc/nsswitch.conf
passwd:      compat winbind
group:       compat winbind

This is what you point me at, right?

>> wbinfo --group-info="gfass"
>>
>> is problematic as long as the reported bug isn't fixed, correct?
>
> It seems to be, but only on a DC, unless you can prove otherwise ;-)

I won't touch things for now ;-)

thanks, Stefan
On Tue, 10 Oct 2017 15:54:45 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2017-10-10 at 09:57, Rowland Penny via samba wrote:
> > On Tue, 10 Oct 2017 09:19:11 +0200
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> >>
> >> The admin there created a group via RSAT.
> >> And that group was not visible/usable on the DM server.
> >
> > It wouldn't be if the group was created as just a windows group.
>
> How to create the group as unix group via RSAT?
> By adding the gidNumber, right?

Yes.

>
> As asked before: do I have to keep track of the next free gidNumber
> myself? I assume there is some cool grep to read the highest used xid
> from LDAP or so ... ?

If you are using RSAT with the Unix Attributes tab it should create a
couple of extra attributes here:

dn: CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com

Where 'samdom' will be your workgroup and 'DC=samdom,DC=example,DC=com'
is your suffix.

The attributes are:

msSFU30MaxUidNumber
msSFU30MaxGidNumber

and they contain the next Uid & Gid to use.

These attributes are only used by the Unix Attributes tab on RSAT, but
there is nothing stopping you writing a script to use them (hint, hint)

>
>
> >> Until here there was no decision for a uidNumber or gidNumber.
> >> He did not set one via RSAT. Does he have to do that?
> >
> > On a DC, group will be given an xidNumber and if the libnss_winbind
> > links are set up, this will be used, but only on that DC
> >
> > On a Unix domain member, it is different, the xidNumber will not be
> > used, because it isn't available.
> > You have two main options, use the winbind 'rid' backend, with this,
> > provided you use the same smb.conf on all Unix domain members, you
> > will get the required UIDs & GIDs without adding anything to AD.
> > There is a 'gotcha' though, you will have to use the template lines
> > in smb.conf for user shell & home dirs. Your users and groups would
> > also have different IDs on the DC.
> > If you want to have the same IDs everywhere, you will have to use
> > the winbind 'ad' backend and give your users & groups uidNumber and
> > gidNumber attributes, you will also be able to use the other RFC2307
> > attributes.
> >
> > Whichever winbind backend you use on the Unix domain members, you
> > will also have to set up the libnss_winbind links.
>
> OK, I think I understand.
>
> We use backend "ad" on the DM and the DM has
> /usr/lib64/libnss_winbind.so* and
>
> # grep winbind /etc/nsswitch.conf
> passwd:      compat winbind
> group:       compat winbind
>
> This is what you point me at, right?

Yes, but you also need PAM

Rowland
Here is a script you can use as a starting point.  ;-)
Run it and it shows the command to "edit" the sam.ldb.
Just replace ldbedit with ldbsearch and script against it.
cat addc-change-nix-rfc2307.sh
#!/bin/bash
# Per default Active Directory starts assigning UIDs/GIDs both at 10000.
# Defining the next UID/GID to use is not done with samba-tool (yet).
#
# Every time a UID/GID is assigned, Active Directory Users and Computers (ADUC)
# stores the next unused UID/GID inside the Active Directory.
# You can change the next UID/GID that will be assigned. E.g. if you require
# UIDs to start at 20000 and GIDs at 50000, change the values on a Domain
# Controller:
#
# Example:
# ldbedit -H /usr/local/samba/private/sam.ldb \
#   -b CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
#
# Adapt the following two attributes to your needs and save the changes.
# msSFU30MaxUidNumber: 20000
# msSFU30MaxGidNumber: 50000

# Where this samba build keeps sam.ldb (PRIVATE_DIR from the build options).
PRIVATEDIR="$(sudo samba -b | grep PRIVATE_DIR | awk '{ print $NF }')"
# NetBIOS domain name and forest DNS name, as reported by the local DC.
NETBIOSNAME="$(samba-tool domain info "$(hostname -f)" | grep Netbios | awk '{ print $NF }')"
FOREST_DC="$(samba-tool domain info "$(hostname -f)" | grep Forest | awk '{ print $NF }')"
# Turn samdom.example.com into DC=samdom,DC=example,DC=com, whatever the
# number of DNS labels (the forest name is not always three labels long).
FOREST_DN="DC=$(echo "$FOREST_DC" | sed 's/\./,DC=/g')"

echo "The command to run is : sudo ldbedit -H ${PRIVATEDIR}/sam.ldb -s base -b CN=${NETBIOSNAME},CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,${FOREST_DN}"
Greetz, 
Louis
 
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Tuesday, 10 October 2017 16:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] Domain member server: user access
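What the two counter attributes Rowland describes and Louis's script point at, carried through to an allocation: read msSFU30MaxGidNumber from sam.ldb, refuse the number if it lies outside the members' idmap range or is already assigned, create the group with that gidNumber, then store the next free number back. This is an added example, not code from the thread or from Samba. It assumes the default /usr/local/samba prefix, the workgroup SAMDOM with suffix DC=samdom,DC=example,DC=com, an 'idmap config SAMDOM : range' of 10000-999999 on the domain members, and a samba-tool whose 'group add' accepts --gid-number and --nis-domain (older releases need ldbmodify for that step too). The LDIF handling runs offline on the constructed sample embedded below; the live path shells out to ldbsearch, samba-tool and ldbmodify and must be run as root on the DC.

```python
#!/usr/bin/env python3
"""Allocate the next free gidNumber from the RSAT "Unix Attributes" counter.

Added example for this thread, not code from the posters or from Samba.
It shells out to the real ldbsearch / ldbmodify / samba-tool binaries;
the LDIF handling is exercised offline on a constructed sample below.
"""
import base64
import subprocess

# --- assumptions (adapt to your domain) ------------------------------------
SAM_LDB = "/usr/local/samba/private/sam.ldb"          # assumed default prefix
COUNTER_DN = ("CN=SAMDOM,CN=ypservers,CN=ypServ30,CN=RpcServices,"
              "CN=System,DC=samdom,DC=example,DC=com")  # assumed workgroup/suffix
BASE_DN = COUNTER_DN[COUNTER_DN.index("DC="):]        # DC=samdom,DC=example,DC=com
NIS_DOMAIN = "samdom"                                 # assumed msSFU30NisDomain value
IDMAP_RANGE = "10000-999999"   # assumed 'idmap config SAMDOM : range' on the members

# Constructed sample of what ldbsearch prints for the counter object.
SAMPLE_LDIF = """\
# record 1
dn: CN=SAMDOM,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=exam
 ple,DC=com
msSFU30MaxUidNumber: 20000
msSFU30MaxGidNumber: 50000

# returned 1 records
# 1 entries
# 0 referrals
"""


def parse_ldif(text):
    """Return {attribute: [values]} of the first entry in LDIF output.

    Skips '#' comment lines, joins continuation lines (leading space) and
    decodes 'attr:: base64' values. An output with no entry gives {}.
    """
    entry, last = {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if entry:
                break                       # blank line ends the first entry
            continue
        if raw.startswith(" ") and last is not None:
            entry[last][-1] += raw[1:]      # continuation of the previous value
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr, []).append(value.strip())
        last = attr
    return entry


def next_ids(ldif):
    """The UID and GID RSAT would hand out next, from the counter attributes."""
    e = parse_ldif(ldif)
    return int(e["msSFU30MaxUidNumber"][0]), int(e["msSFU30MaxGidNumber"][0])


def in_idmap_range(n, rng=IDMAP_RANGE):
    """winbind's 'ad' backend ignores IDs outside its configured range."""
    lo, hi = (int(x) for x in rng.split("-"))
    return lo <= n <= hi


def bump_ldif(attr, value, dn=COUNTER_DN):
    """LDIF for ldbmodify that stores the next free number back into AD."""
    return f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {value}\n"


def ldbsearch(base, scope, filt, attrs):
    """Run ldbsearch against sam.ldb and return its LDIF output (needs root)."""
    cmd = ["ldbsearch", "-H", SAM_LDB, "-s", scope, "-b", base, filt, *attrs]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def allocate_group(name):
    """Create a Unix-enabled group with the next gidNumber, then bump the counter."""
    _, gid = next_ids(ldbsearch(COUNTER_DN, "base", "(objectClass=*)",
                                ["msSFU30MaxUidNumber", "msSFU30MaxGidNumber"]))
    if not in_idmap_range(gid):
        raise SystemExit(f"gidNumber {gid} is outside idmap range {IDMAP_RANGE}")
    # RSAT is not the only writer: never reuse a number some object already has.
    if "dn" in parse_ldif(ldbsearch(BASE_DN, "sub", f"(gidNumber={gid})", ["dn"])):
        raise SystemExit(f"gidNumber {gid} already in use; fix the counter first")
    subprocess.run(["samba-tool", "group", "add", name,
                    f"--gid-number={gid}", f"--nis-domain={NIS_DOMAIN}"], check=True)
    subprocess.run(["ldbmodify", "-H", SAM_LDB], check=True, text=True,
                   input=bump_ldif("msSFU30MaxGidNumber", gid + 1))
    return gid


if __name__ == "__main__":
    uid, gid = next_ids(SAMPLE_LDIF)
    print(f"next uid {uid}, next gid {gid}, gid in idmap range: {in_idmap_range(gid)}")
    print(bump_ldif("msSFU30MaxGidNumber", gid + 1))
```

The counter is a plain attribute, so read-use-increment is not transactional: if someone assigns a GID through the RSAT Unix Attributes tab at the same moment, both could pick the same number. The gidNumber collision check before 'samba-tool group add' narrows that window but does not close it; on a busy domain, serialise allocations through one host.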
On 2017-10-10 at 16:25, Rowland Penny via samba wrote:
>> How to create the group as unix group via RSAT?
>> By adding the gidNumber, right?
>
> Yes.

thanks

> If you are using RSAT with the Unix Attributes tab it should create a
> couple of extra attributes here:
>
> dn:
> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,DC=samdom,DC=example,DC=com
>
> Where 'samdom' will be your workgroup and 'DC=samdom,DC=example,DC=com'
> is your suffix.
>
> The attributes are:
>
> msSFU30MaxUidNumber
> msSFU30MaxGidNumber
>
> and they contain the next Uid & Gid to use.
>
> These attributes are only used by the Unix Attributes tab on RSAT, but
> there is nothing stopping you writing a script to use them (hint, hint)

will do my tests based on L.P.H. script ;-)

> Yes, but you also need PAM

I have PAM. ;-) I assume you think of something more specific here?

Stefan
On 2017-10-10 at 16:43, L.P.H. van Belle via samba wrote:
> Here, a script you can use as start point. ;-)
>
> Run it and it shows the command to "edit" the sam.ldb.
> Just replace ldbedit with ldbsearch and script against it.

looks promising already, thanks a lot