On Mon, 23 Jul 2018 16:46:50 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-23 16:04 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> >> >>> idmap config SAMDOM:range = 1000-999999
> >> idmap config SAMDOM:unix_primary_group = yes
> >
> > That isn't a bug, it is a feature ;-)
> > Before 4.6.0 everyone got 'Domain Users' as their primary Unix
> > group, but from 4.6.0, you can give users a gidNumber attribute
> > and, with the line above, this will be used for the user's primary
> > Unix group. Whatever gidNumber is used, this must point to a group,
> > i.e. the group must have the same gidNumber.
> > If the line doesn't exist, it falls back to using Domain Users, so
> > Domain Users must have a gidNumber.
> >
> > Rowland
>
> Hi:
> yes I like this feature and from now on I will use this feature.
> but unfortunately the fall back (default setting) is not working.
> I think it is a bug because "idmap config SAMDOM:unix_primary_group =
> no" is not working as expected, although I will never use that again.

That is the default setting and as such, the line doesn't need to be
there unless you want/need to set it to 'yes'.
If it isn't set then Domain Users must have a gidNumber attribute
containing a number inside the range set in smb.conf, in your case
'1000-999999'.
If a gidNumber isn't set in the user's object (again inside the range)
and Domain Users doesn't have a gidNumber, then all your users will be
ignored.

Rowland
2018-07-23 17:02 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 23 Jul 2018 16:46:50 +0800
> d tbsky <tbskyd at gmail.com> wrote:
>
>> 2018-07-23 16:04 GMT+08:00 Rowland Penny via samba
>> <samba at lists.samba.org>:
>> >> >>> idmap config SAMDOM:range = 1000-999999
>> >> idmap config SAMDOM:unix_primary_group = yes
>> >
>> > That isn't a bug, it is a feature ;-)
>> > Before 4.6.0 everyone got 'Domain Users' as their primary Unix
>> > group, but from 4.6.0, you can give users a gidNumber attribute
>> > and, with the line above, this will be used for the user's primary
>> > Unix group. Whatever gidNumber is used, this must point to a group,
>> > i.e. the group must have the same gidNumber.
>> > If the line doesn't exist, it falls back to using Domain Users, so
>> > Domain Users must have a gidNumber.
>> >
>> > Rowland
>>
>> Hi:
>> yes I like this feature and from now on I will use this feature.
>> but unfortunately the fall back (default setting) is not working.
>> I think it is a bug because "idmap config SAMDOM:unix_primary_group =
>> no" is not working as expected, although I will never use that again.
>
> That is the default setting and as such, the line doesn't need to be
> there unless you want/need to set it to 'yes'.
> If it isn't set then Domain Users must have a gidNumber attribute
> containing a number inside the range set in smb.conf, in your case
> '1000-999999'.
> If a gidNumber isn't set in the user's object (again inside the range)
> and Domain Users doesn't have a gidNumber, then all your users will be
> ignored.
>
> Rowland

Hi:
Yes, I know. If the users are ignored, they cannot log in. In my case,
all users can log in, so I didn't notice the difference, until I found
"getent passwd" and "id xxxx" are not working.
With "unix_primary_group = no", all users need to have a valid primary
group id. But maybe now there are new methods to set up the primary
group id that I don't know. In the old days we needed to use Windows
ADUC or ldbmodify to set up the primary group id, or, as you said, let
"Domain Users" have an rfc2307 gid. They were working fine until the
recent 4.6/4.7.
On Mon, 23 Jul 2018 17:19:07 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-23 17:02 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > On Mon, 23 Jul 2018 16:46:50 +0800
> > d tbsky <tbskyd at gmail.com> wrote:
> >
> >> 2018-07-23 16:04 GMT+08:00 Rowland Penny via samba
> >> <samba at lists.samba.org>:
> >> >> >>> idmap config SAMDOM:range = 1000-999999
> >> >> idmap config SAMDOM:unix_primary_group = yes
> >> >
> >> > That isn't a bug, it is a feature ;-)
> >> > Before 4.6.0 everyone got 'Domain Users' as their primary Unix
> >> > group, but from 4.6.0, you can give users a gidNumber attribute
> >> > and, with the line above, this will be used for the user's primary
> >> > Unix group. Whatever gidNumber is used, this must point to a
> >> > group, i.e. the group must have the same gidNumber.
> >> > If the line doesn't exist, it falls back to using Domain Users,
> >> > so Domain Users must have a gidNumber.
> >> >
> >> > Rowland
> >>
> >> Hi:
> >> yes I like this feature and from now on I will use this
> >> feature. but unfortunately the fall back (default setting) is not
> >> working. I think it is a bug because "idmap config
> >> SAMDOM:unix_primary_group = no" is not working as expected,
> >> although I will never use that again.
> >
> > That is the default setting and as such, the line doesn't need to be
> > there unless you want/need to set it to 'yes'.
> > If it isn't set then Domain Users must have a gidNumber attribute
> > containing a number inside the range set in smb.conf, in your case
> > '1000-999999'.
> > If a gidNumber isn't set in the user's object (again inside the
> > range) and Domain Users doesn't have a gidNumber, then all your
> > users will be ignored.
> >
> > Rowland
>
> Hi:
> Yes, I know. If the users are ignored, they cannot log in. In my
> case, all users can log in, so I didn't notice the difference,

When I said 'ignored', I should have said 'ignored by Unix'. If your
users are logging into Windows, then they are not using the uidNumber &
gidNumber attributes, they are using the objectSid & primaryGroupID
attributes.

> until I found "getent passwd" and "id xxxx" are not working.

They are the ones that rely on the uidNumber and gidNumber or
primaryGroupID attributes.

> With "unix_primary_group = no", all users need to have a valid primary
> group id.

No, ALL users (Unix or Windows) rely on the primaryGroupID attribute
and this MUST be set to '513'; if you change this, you break AD.
Before 4.6.0, Unix users relied on Domain Users having a gidNumber;
from 4.6.0, you can override this by giving a group a gidNumber and
using this gidNumber for the users.
NOTE: you can use different groups for different users.

> But maybe now there are new methods to set up the primary group
> id that I don't know. In the old days we needed to use Windows ADUC
> or ldbmodify to set up the primary group id,

If, as it sounds, you were altering the user's primaryGroupID
attribute, then you should not have been doing this, because Windows
expects every user to be a member of Domain Users.

> or, as you said, let "Domain Users" have an rfc2307 gid. They were
> working fine until the recent 4.6/4.7.

It still works for me, it sounds like you were doing something you
shouldn't.

Rowland
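The rules Rowland states in this reply and in his first one earlier in the thread (uidNumber and gidNumber must sit inside the idmap range, a user's gidNumber is only honoured with unix_primary_group = yes and only if some group carries that gidNumber, otherwise Domain Users' gidNumber is used, and without that everyone vanishes from Unix while Windows logons keep working) are easy to get wrong when debugging. The script below is an added example, not code from Samba or from either poster: it reads the idmap config lines from a constructed smb.conf fragment and decides, for a constructed set of AD user and group objects, which users winbind would expose to "getent passwd" / "id" and with which primary gid. uidNumber, gidNumber and primaryGroupID are the real AD attributes the thread refers to, but the resolution logic is a model of what the thread says, not Samba's implementation. One case the thread does not spell out, unix_primary_group = yes with a user gidNumber that is missing, out of range or carried by no group, is handled here by falling back to Domain Users' gidNumber; that is this example's assumption.

```python
"""Model of the Unix primary-group rules described in this thread.

Added illustration, not Samba's own code: it re-implements the behaviour
Rowland describes for winbind with the 'ad' idmap backend (Samba >= 4.6.0)
so the failure modes discussed (no Domain Users gidNumber, a user gidNumber
that no group carries, an attribute outside the idmap range) can be seen
side by side.  All smb.conf fragments and directory data are constructed.
"""
import re

DOMAIN_USERS_RID = 513  # primaryGroupID every AD user must keep

# Constructed smb.conf fragments; the range is the one from the thread.
SMB_CONF_DEFAULT = """
[global]
    idmap config SAMDOM:backend = ad
    idmap config SAMDOM:schema_mode = rfc2307
    idmap config SAMDOM:range = 1000-999999
"""
SMB_CONF_USER_GID = SMB_CONF_DEFAULT + "    idmap config SAMDOM:unix_primary_group = yes\n"

# Constructed sample directory: groups keyed by RID, users by sAMAccountName.
GROUPS = {
    513:  {"name": "Domain Users", "gidNumber": 10000},
    1105: {"name": "developers",   "gidNumber": 10100},
}
USERS = {
    "alice": {"uidNumber": 10001, "gidNumber": 10100, "primaryGroupID": 513},   # own group
    "bob":   {"uidNumber": 10002,                     "primaryGroupID": 513},   # no gidNumber
    "carol": {"uidNumber": 10003, "gidNumber": 42424, "primaryGroupID": 513},   # no such group
    "dave":  {                                        "primaryGroupID": 513},   # no uidNumber
    "eve":   {"uidNumber": 10005, "gidNumber": 10100, "primaryGroupID": 1105},  # AD broken
}


def parse_idmap_config(conf, domain):
    """Collect 'idmap config DOMAIN:key = value' lines into a dict."""
    pat = re.compile(rf"^\s*idmap config {re.escape(domain)}:(\w+)\s*=\s*(\S.*?)\s*$",
                     re.M | re.I)
    return {k.lower(): v for k, v in pat.findall(conf)}


def in_range(value, bounds):
    lo, hi = bounds
    return value is not None and lo <= value <= hi


def resolve_primary_gid(user, groups, conf, domain="SAMDOM"):
    """Return the Unix gid winbind would report for `user`, or None when the
    user is 'ignored by Unix' (absent from getent passwd / id).

    Rules as stated in the thread:
      * uidNumber must exist and lie inside the idmap range.
      * unix_primary_group = yes: use the user's gidNumber if it lies inside
        the range and some group carries that gidNumber.
      * Otherwise (and always when the option is unset, the default) use the
        gidNumber of Domain Users, which must also lie inside the range.
    Falling back to Domain Users when the option is on but the user's
    gidNumber is unusable is this model's assumption, not a documented rule.
    """
    cfg = parse_idmap_config(conf, domain)
    lo, hi = cfg.get("range", "0-0").split("-")
    bounds = (int(lo), int(hi))
    use_user_gid = cfg.get("unix_primary_group", "no").lower() in ("yes", "true", "1")

    if not in_range(user.get("uidNumber"), bounds):
        return None

    if use_user_gid:
        gid = user.get("gidNumber")
        if in_range(gid, bounds) and any(g.get("gidNumber") == gid for g in groups.values()):
            return gid

    du_gid = groups.get(DOMAIN_USERS_RID, {}).get("gidNumber")
    return du_gid if in_range(du_gid, bounds) else None


def getent_passwd(users, groups, conf):
    """Names winbind would expose to NSS, mapped to (uid, gid)."""
    result = {}
    for name, attrs in users.items():
        gid = resolve_primary_gid(attrs, groups, conf)
        if gid is not None:
            result[name] = (attrs["uidNumber"], gid)
    return result


def audit_primary_group_id(users):
    """Users whose AD primaryGroupID was changed away from Domain Users (513);
    the thread's point is that this breaks Windows, not just Unix."""
    return sorted(n for n, a in users.items() if a.get("primaryGroupID") != DOMAIN_USERS_RID)


if __name__ == "__main__":
    for label, conf in (("default", SMB_CONF_DEFAULT), ("unix_primary_group = yes", SMB_CONF_USER_GID)):
        print(label, getent_passwd(USERS, GROUPS, conf))
    print("primaryGroupID != 513:", audit_primary_group_id(USERS))
```

Run as-is, the "default" line maps every user with a uidNumber onto Domain Users' gid 10000, while the "unix_primary_group = yes" line shows alice picking up the developers gid and carol still falling back because no group carries 42424; dave never appears because he has no uidNumber. Remove the gidNumber from Domain Users and the default configuration exposes nobody at all, which is the "all your users will be ignored" symptom, even though eve, whose primaryGroupID was changed, is the only account the audit flags as broken for Windows.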