On Mon, 23 Jul 2018 18:22:55 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-23 18:01 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> > On Mon, 23 Jul 2018 17:19:07 +0800
> > When I said 'ignored', I should have said 'ignored by Unix', if your
> > users are logging into Windows, then they are not using the
> > uidNumber & gidNumber attributes, they are using the objectSid &
> > primaryGroupID attributes.
>
> sorry when I said "login" I should have said "login samba file server".
>
> > No, ALL users (Unix or Windows) rely on the primaryGroupID attribute
> > and this MUST be set to '513', if you change this, you break AD.
> > Before 4.6.0, Unix users relied on Domain Users having a gidNumber,
> > from 4.6.0, you can override this by giving a group a gidNumber and
> > using this gidNumber for the users.
> > NOTE: you can use different groups for different users.
> > It still works for me, it sounds like you were doing something you
> > shouldn't.
>
> I think maybe the difference is that you still stay on default
> "domain users" group as primary group.

No, I have Unix domain members that use a group's gidNumber as a
user's primary group, I just don't alter the primaryGroupID attribute.

> none of our users use the default "domain users" as primary group. I
> don't know if this is something I should not do.
> but they work fine before. and there seems no document warning about
> we should not change the default primary group.

Then it looks like I need to add something to the Samba wiki about this.

Rowland

2018-07-23 18:38 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
> On Mon, 23 Jul 2018 18:22:55 +0800
> d tbsky <tbskyd at gmail.com> wrote:
>
>> 2018-07-23 18:01 GMT+08:00 Rowland Penny via samba
>> <samba at lists.samba.org>:
>> > On Mon, 23 Jul 2018 17:19:07 +0800
>> > When I said 'ignored', I should have said 'ignored by Unix', if your
>> > users are logging into Windows, then they are not using the
>> > uidNumber & gidNumber attributes, they are using the objectSid &
>> > primaryGroupID attributes.
>>
>> sorry when I said "login" I should have said "login samba file server".
>>
>> > No, ALL users (Unix or Windows) rely on the primaryGroupID attribute
>> > and this MUST be set to '513', if you change this, you break AD.
>> > Before 4.6.0, Unix users relied on Domain Users having a gidNumber,
>> > from 4.6.0, you can override this by giving a group a gidNumber and
>> > using this gidNumber for the users.
>> > NOTE: you can use different groups for different users.
>> > It still works for me, it sounds like you were doing something you
>> > shouldn't.
>>
>> I think maybe the difference is that you still stay on default
>> "domain users" group as primary group.
>
> No, I have Unix domain members that use a group's gidNumber as a
> user's primary group, I just don't alter the primaryGroupID attribute.
>
>> none of our users use the default "domain users" as primary group. I
>> don't know if this is something I should not do.
>> but they work fine before. and there seems no document warning about
>> we should not change the default primary group.
>
> Then it looks like I need to add something to the Samba wiki about this.

Hi:
   maybe. please wait a moment. I will re-setup the environment to
check if the theory is correct.

> 2018-07-23 18:38 GMT+08:00 Rowland Penny via samba <samba at lists.samba.org>:
>> Then it looks like I need to add something to the Samba wiki about this.
>
> Hi:
>    maybe. please wait a moment. I will re-setup the environment to
> check if the theory is correct.

Hi:
   the theory seems correct. although I don't have windows with ADUC
for my testing domain, I can only use ldbmodify to add rfc2307
attributes for "Domain Users" group like below:

   msSFU30NisDomain: samdom
   gidNumber: 10513
   msSFU30Name: Domain Users

it seems the gidNumber can be anything inside the idmap range. then I
created a user and I can use "getent passwd" to see the user without
user login.

BTW, I don't see a document in the wiki for adding rfc2307 attributes
for "domain users". maybe I missed it?
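
An offline check for the conditions discussed in this thread (added example, not part of any poster's message and not Samba project code): it reads an ldbsearch-style LDIF dump and reports users whose primaryGroupID is not 513, gidNumber values outside the idmap range, user gidNumbers that match no group, and a Domain Users group without a gidNumber. The sample records, the DC=samdom,DC=example,DC=com base DN and the 10000-999999 range are constructed assumptions; the dump is assumed to hold only user and group objects.

```python
IDMAP_RANGE = (10000, 999999)  # assumption: copy the range from your smb.conf idmap config
# Constructed sample in ldbsearch-style LDIF (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
gidNumber: 10513

dn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: alice
primaryGroupID: 513
gidNumber: 10513

dn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
sAMAccountName: bob
primaryGroupID: 1105
gidNumber: 20000000
"""

def parse_ldif(text):
    """Parse unwrapped, non-base64 LDIF into a list of {attribute: [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry.setdefault(key, []).append(value)
        if entry:
            entries.append(entry)
    return entries

def audit(entries, idmap_range=IDMAP_RANGE):
    """Return (account, problem) pairs for the conditions discussed in the thread."""
    # Groups that carry a gidNumber, keyed by sAMAccountName.
    groups = {e.get("sAMAccountName", ["?"])[0]: e["gidNumber"][0] for e in entries
              if "group" in e.get("objectClass", []) and "gidNumber" in e}
    findings = [] if "Domain Users" in groups else [("Domain Users", "no gidNumber set")]
    for e in entries:
        name, gid = e.get("sAMAccountName", ["?"])[0], e.get("gidNumber", [None])[0]
        pgid = e.get("primaryGroupID", ["513"])[0]
        user = "group" not in e.get("objectClass", [])
        checks = [
            (gid and not idmap_range[0] <= int(gid) <= idmap_range[1], "gidNumber %s outside idmap range" % gid),
            (user and pgid != "513", "primaryGroupID %s, expected 513" % pgid),
            (user and gid and gid not in groups.values(), "gidNumber %s matches no group" % gid),
        ]
        findings += [(name, msg) for bad, msg in checks if bad]
    return findings
```

Call audit(parse_ldif(text)) on a saved dump; an empty list means none of the four conditions was found.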