On Mon, 23 Jul 2018 17:19:07 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-23 17:02 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > On Mon, 23 Jul 2018 16:46:50 +0800
> > d tbsky <tbskyd at gmail.com> wrote:
> >
> >> 2018-07-23 16:04 GMT+08:00 Rowland Penny via samba
> >> <samba at lists.samba.org>:
> >
> >> >> >>> idmap config SAMDOM:range = 1000-999999
> >
> >> >> idmap config SAMDOM:unix_primary_group = yes
> >> >
> >> > That isn't a bug, it is a feature ;-)
> >> > Before 4.6.0 everyone got 'Domain Users' as their primary Unix
> >> > group, but from 4.6.0, you can give users a gidNumber attribute
> >> > and, with the line above, this will be used for the user's primary
> >> > Unix group. Whatever gidNumber is used, this must point to a
> >> > group i.e. the group must have the same gidNumber.
> >> > If the line doesn't exist, it falls back to using Domain Users,
> >> > so Domain Users must have a gidNumber.
> >> >
> >> > Rowland
> >>
> >> Hi:
> >> yes I like this feature and from now on I will use this
> >> feature. but unfortunately the fall back (default setting) is not
> >> working. I think it is a bug because "idmap config
> >> SAMDOM:unix_primary_group = no" is not working as expected,
> >> although I will never use that again.
> >
> > That is the default setting and as such, the line doesn't need to be
> > there unless you want/need to set it to 'yes'
> > If it isn't set then Domain Users must have a gidNumber attribute
> > containing a number inside the range set in smb.conf, in your case
> > '1000-999999'
> > If a gidNumber isn't set in the user's object (again inside the
> > range) and Domain Users doesn't have a gidNumber, then all your
> > users will be ignored.
> >
> > Rowland
>
> Hi:
> yes I know. if the users are ignored, they cannot log in. in my
> case, all users can log in, so I didn't notice the difference.

When I said 'ignored', I should have said 'ignored by Unix', if your
users are logging into Windows, then they are not using the uidNumber &
gidNumber attributes, they are using the objectSid & primaryGroupID
attributes.

> until I
> found "getent passwd" and "id xxxx" are not working.

They are the ones that rely on the uidNumber and gidNumber or
primaryGroupID attributes.

> with "unix_primary_group = no", all users need to have a valid primary
> group id.

No, ALL users (Unix or Windows) rely on the primaryGroupID attribute
and this MUST be set to '513', if you change this, you break AD.
Before 4.6.0, Unix users relied on Domain Users having a gidNumber,
from 4.6.0, you can override this by giving a group a gidNumber and
using this gidNumber for the users.
NOTE: you can use different groups for different users.

> but maybe now there is a new method to set up the primary group
> id I don't know. in old days we needed to use windows ADUC or ldbmodify
> to set up the primary group id.

If, as it sounds, you were altering the user's primaryGroupID attribute,
then you should not have been doing this, because Windows expects every
user to be a member of Domain Users.

> or as you said, let "domain users" have
> an rfc2037 gid. they were working fine until recent 4.6/4.7

It still works for me, it sounds like you were doing something you
shouldn't.

Rowland
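The rules Rowland lays out above can be checked offline before anyone touches a domain: primaryGroupID stays 513 on every user; with "unix_primary_group = yes" a user's own gidNumber is used only when it lies inside the idmap range and a group carries that same gidNumber; otherwise Domain Users' gidNumber is used, and if that is missing too the user is ignored by Unix (getent/id fail while Windows logons keep working). The script below is an added example written for this thread, not Samba's code: the record classes, the audit() helper and the sample users and groups are constructed, and it models the behaviour exactly as described in the messages above rather than querying a live directory. It also covers the "= no" default, which the thread only mentions in passing.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DOMAIN_USERS_RID = 513  # RID of the built-in Domain Users group; primaryGroupID must stay 513


@dataclass
class ADUser:
    sam: str                           # sAMAccountName
    primary_group_id: int              # primaryGroupID (a RID, not a gid)
    uid_number: Optional[int] = None   # RFC2307 uidNumber
    gid_number: Optional[int] = None   # RFC2307 gidNumber


@dataclass
class ADGroup:
    sam: str
    rid: int
    gid_number: Optional[int] = None


def in_range(n: Optional[int], idmap_range: Tuple[int, int]) -> bool:
    """True if n is set and inside 'idmap config DOM:range = low-high'."""
    return n is not None and idmap_range[0] <= n <= idmap_range[1]


def resolve_unix_primary_gid(user, groups, idmap_range, unix_primary_group):
    """Return (gid, reason); gid None means the user is ignored by Unix."""
    by_gid = {g.gid_number: g for g in groups if g.gid_number is not None}
    if unix_primary_group and user.gid_number is not None:
        # 4.6.0+ behaviour as described in the thread: the user's own gidNumber
        # is used, but it must be inside the range and name a group with that gid.
        if not in_range(user.gid_number, idmap_range):
            return None, f"gidNumber {user.gid_number} outside idmap range"
        if user.gid_number not in by_gid:
            return None, f"no group carries gidNumber {user.gid_number}"
        return user.gid_number, f"gidNumber of group {by_gid[user.gid_number].sam}"
    # Default / fallback: Domain Users must have a gidNumber inside the range.
    du = next((g for g in groups if g.rid == DOMAIN_USERS_RID), None)
    if du is None or du.gid_number is None:
        return None, "Domain Users has no gidNumber"
    if not in_range(du.gid_number, idmap_range):
        return None, "Domain Users gidNumber outside idmap range"
    return du.gid_number, "fallback to Domain Users"


def audit(users, groups, idmap_range, unix_primary_group) -> Dict[str, Tuple[Optional[int], List[str]]]:
    """Map sAMAccountName -> (resolved Unix gid or None, list of problems)."""
    report = {}
    for u in users:
        problems = []
        if u.primary_group_id != DOMAIN_USERS_RID:
            problems.append(f"primaryGroupID is {u.primary_group_id}, must be {DOMAIN_USERS_RID}")
        if not in_range(u.uid_number, idmap_range):
            problems.append("uidNumber missing or outside idmap range")
        gid, reason = resolve_unix_primary_gid(u, groups, idmap_range, unix_primary_group)
        if gid is None:
            problems.append("ignored by Unix (getent/id will fail): " + reason)
        report[u.sam] = (gid, problems)
    return report


# Constructed sample directory; the names and numbers are invented for this example.
IDMAP_RANGE = (1000, 999999)  # idmap config SAMDOM:range = 1000-999999
SAMPLE_GROUPS = [
    ADGroup("Domain Users", 513, gid_number=10000),
    ADGroup("devs", 1105, gid_number=20000),
]
SAMPLE_USERS = [
    ADUser("alice", 513, uid_number=10001, gid_number=20000),   # own gidNumber -> devs
    ADUser("bob", 513, uid_number=10002),                       # no gidNumber -> Domain Users
    ADUser("carol", 1105, uid_number=10003, gid_number=20000),  # primaryGroupID changed: breaks AD
    ADUser("dave", 513, uid_number=10004, gid_number=30000),    # gidNumber names no group
]

if __name__ == "__main__":
    for sam, (gid, problems) in audit(SAMPLE_USERS, SAMPLE_GROUPS, IDMAP_RANGE, True).items():
        print(f"{sam:6} gid={gid} {'; '.join(problems) or 'OK'}")
```

Run it as-is to see the four sample outcomes; to audit a real domain, fill the two lists from an LDAP or ldbsearch dump of the user and group objects and keep the idmap range in sync with smb.conf.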
2018-07-23 18:01 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 23 Jul 2018 17:19:07 +0800
> When I said 'ignored', I should have said 'ignored by Unix', if your
> users are logging into Windows, then they are not using the uidNumber &
> gidNumber attributes, they are using the objectSid & primaryGroupID
> attributes.

sorry, when I said "login" I should have said "log in to the samba file server".

> No, ALL users (Unix or Windows) rely on the primaryGroupID attribute
> and this MUST be set to '513', if you change this, you break AD.
> Before 4.6.0, Unix users relied on Domain Users having a gidNumber,
> from 4.6.0, you can override this by giving a group a gidNumber and
> using this gidNumber for the users.
> NOTE: you can use different groups for different users.

> It still works for me, it sounds like you were doing something you
> shouldn't.

I think maybe the difference is that you still stay on the default "domain users" group as primary group.
none of our users use the default "domain users" as primary group. I don't know if this is something I should not do.
but they worked fine before. and there seems to be no document warning that we should not change the default primary group.
2018-07-23 18:01 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 23 Jul 2018 17:19:07 +0800
> d tbsky <tbskyd at gmail.com> wrote:
> If, as it sounds, you were altering the user's primaryGroupID attribute,
> then you should not have been doing this, because Windows expects every
> user to be a member of Domain Users.

Hi:
sorry, forgot to mention. all our users still belong to "Domain Users". just "domain users" is not their primary group.
windows has no complaint about this. you can change the primary group with a single click in windows ADUC, so I think it is by design for windows AD.
On Mon, 23 Jul 2018 18:22:55 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-23 18:01 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > On Mon, 23 Jul 2018 17:19:07 +0800
> > When I said 'ignored', I should have said 'ignored by Unix', if your
> > users are logging into Windows, then they are not using the
> > uidNumber & gidNumber attributes, they are using the objectSid &
> > primaryGroupID attributes.
>
> sorry, when I said "login" I should have said "log in to the samba file server".
>
> > No, ALL users (Unix or Windows) rely on the primaryGroupID attribute
> > and this MUST be set to '513', if you change this, you break AD.
> > Before 4.6.0, Unix users relied on Domain Users having a gidNumber,
> > from 4.6.0, you can override this by giving a group a gidNumber and
> > using this gidNumber for the users.
> > NOTE: you can use different groups for different users.
> > It still works for me, it sounds like you were doing something you
> > shouldn't.
>
> I think maybe the difference is that you still stay on the default
> "domain users" group as primary group.

No, I have Unix domain members that use a group's gidNumber as a
user's primary group, I just don't alter the primaryGroupID attribute.

> none of our users use the default "domain users" as primary group. I
> don't know if this is something I should not do.
> but they worked fine before. and there seems to be no document warning that
> we should not change the default primary group.

Then it looks like I need to add something to the Samba wiki about this.

Rowland
On Mon, 23 Jul 2018 18:34:36 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-23 18:01 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > On Mon, 23 Jul 2018 17:19:07 +0800
> > d tbsky <tbskyd at gmail.com> wrote:
> > If, as it sounds, you were altering the user's primaryGroupID
> > attribute, then you should not have been doing this, because
> > Windows expects every user to be a member of Domain Users.
>
> Hi:
> sorry, forgot to mention. all our users still belong to "Domain
> Users". just "domain users" is not their primary group.
> windows has no complaint about this. you can change the primary group with a
> single click in windows ADUC, so I think it is by design for windows
> AD.

Yes, but what tab are you using, and why do you feel you need to do this?

Rowland