2018-07-24 16:53 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 24 Jul 2018 15:57:46 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > To be honest, in my previous tests this user's (user test1) new
> > files were created with NIS\audio group as expected; but other user's
> > files (user amistest) were created with "NIS\domain users" group (in
> > the same "audio" directory). This lasted a few days.
> >
> > It looked like
> > drwxr-sr-x  2 NIS\amistest NIS\audio        4096 Jul 24 08:17 amistestdir
> > drwxrwsr-x+ 2 NIS\amistest NIS\domain users 4096 Jul 24 11:48 amistestdir2 -> why NOT NIS\audio group?
> > -rw-r--r--  1 NIS\amistest NIS\audio           0 Jul 24 08:17 amistestfile
> > -rwxrwxr-x+ 1 NIS\amistest NIS\domain users    7 Jul 24 11:49 amistestfile2 -> why NOT NIS\audio group?
> > drwxr-sr-x  2 NIS\test1 NIS\audio           4096 Jul 24 08:15 test1dir
> > -rw-r--r--  1 NIS\test1 NIS\audio              0 Jul 24 08:16 test1file
> >
> > But during writing my initial post about this topic, files of both
> > these users started to have "NIS\domain users" group. I am not aware
> > of change which could be the reason.
>
> Do the users have a gidNumber attribute containing the gidNumber of the
> required group and if so, is the gidNumber inside the range set in
> smb.conf and is the version of Samba >= 4.6.0

su - amistest
Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
$ id
uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
-bash-4.2$ logout
[root at samba4 audio]# su - test1
Last login: Tue Jul 24 11:52:35 CEST 2018 on pts/4
$ id
uid=2075(NIS\test1) gid=20(games) groups=20(games),513(NIS\domain users),2157(NIS\audio),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)

# smbd -V
Version 4.8.3

Michal

> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

On Tue, 24 Jul 2018 22:50:16 +0200
Michal <Michal67M at seznam.cz> wrote:

> 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> >
> > Do the users have a gidNumber attribute containing the gidNumber of
> > the required group and if so, is the gidNumber inside the range set
> > in smb.conf and is the version of Samba >= 4.6.0
>
> su - amistest
> Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> $ id
> uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)

Your ranges are really wrong, '100-9999' for the 'NIS' (and this is a
stupid name) range, but I think it shows something strange, if I run
'id rowland' on a Unix domain member, I get:

uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)

My 'idmap config' lines are similar to yours, but, as you can see, the
users 'gid' is 'gid=10000(domain users)', yours is 'gid=20(games)', how
is this possible ? '20' is outside the '100-9999' range.

Do you have users & groups in AD and in /etc/passwd & /etc/group ?

What is the OS
What is the Active directory DC ?

Rowland

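Added example, not part of any message in this thread: the range check discussed above, applied to one line of `id` output. The primary gid matters because it decides the group owner of newly created files. The domain name NIS and the range 100-9999 are the values quoted in the thread; the function names and the shortened sample line are constructed for illustration.

```python
import re

# Constructed sample: a shortened copy of the `id` output quoted in the thread.
SAMPLE_ID = (
    r"uid=6603(NIS\amistest) gid=20(games) groups=20(games),"
    r"513(NIS\domain users),2157(NIS\audio),10001(BUILTIN\users)"
)

ENTRY = re.compile(r"(\d+)\(([^)]*)\)")  # one "number(name)" pair


def parse_id(line):
    """Parse one line of `id` output into uid, gid and supplementary groups."""
    parsed = {}
    for key in ("uid", "gid", "groups"):
        m = re.search(rf"\b{key}=((?:\d+\([^)]*\),?)+)", line)
        if m is None:
            raise ValueError(f"no {key}= field in id output")
        parsed[key] = [(int(num), name) for num, name in ENTRY.findall(m.group(1))]
    return {"uid": parsed["uid"][0], "gid": parsed["gid"][0],
            "groups": parsed["groups"]}


def check_ranges(parsed, domain, low, high):
    """Flag IDs that disagree with the range configured for `domain`."""
    prefix = domain + "\\"
    findings = []
    gid, gname = parsed["gid"]
    if not low <= gid <= high:
        findings.append(("primary-gid-outside-range", gid, gname))
    for num, name in parsed["groups"]:
        in_range = low <= num <= high
        if name.startswith(prefix) and not in_range:
            # Domain-prefixed group whose ID lies outside the domain's range.
            findings.append(("domain-group-outside-range", num, name))
        elif not name.startswith(prefix) and in_range:
            # ID inside the domain's range, but the name is not the domain's.
            findings.append(("other-name-inside-range", num, name))
    return findings


if __name__ == "__main__":
    for finding in check_ranges(parse_id(SAMPLE_ID), "NIS", 100, 9999):
        print(finding)
```

On the sample line the only finding is the primary gid 20 (games), the value Rowland points out as lying outside '100-9999'.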
2018-07-24 23:26 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 24 Jul 2018 22:50:16 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> > >
> > > Do the users have a gidNumber attribute containing the gidNumber of
> > > the required group and if so, is the gidNumber inside the range set
> > > in smb.conf and is the version of Samba >= 4.6.0
> >
> > su - amistest
> > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > $ id
> > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
>
> Your ranges are really wrong, '100-9999' for the 'NIS' (and this is a
> stupid name) range, but I think it shows something strange, if I run
> 'id rowland' on a Unix domain member, I get:

Yes, I know, but the name came from "Nemocnicni Informacni System", which means "hospital information system" in Czech, many years ago. The user and group uid numbers were taken from our hp-ux, which was the primary source of users and groups when we started with LDAP. The gid of 20 is "users" in hp-ux. And it was inserted into AD from LDAP during "samba classicupgrade".

> uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
>
> My 'idmap config' lines are similar to yours, but, as you can see, the
> users 'gid' is 'gid=10000(domain users)', yours is 'gid=20(games)', how
> is this possible ? '20' is outside the '100-9999' range.

I forgot we have gid 20 :-(

> Do you have users & groups in AD and in /etc/passwd & /etc/group ?
>
> What is the OS
> What is the Active directory DC ?

It is linux, samba 4.8.3:

[global]
        netbios name = AD1
        realm = UHN.NEMUH.CZ
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = NIS
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /usr/local/samba.ad/var/locks/sysvol/uhn.nemuh.cz/scripts
        read only = No

[sysvol]
        path = /usr/local/samba.ad/var/locks/sysvol
        read only = No

Michal

> Rowland

2018-07-24 23:26 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Tue, 24 Jul 2018 22:50:16 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> > >
> > > Do the users have a gidNumber attribute containing the gidNumber of
> > > the required group and if so, is the gidNumber inside the range set
> > > in smb.conf and is the version of Samba >= 4.6.0
> >
> > su - amistest
> > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > $ id
> > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
>
> Your ranges are really wrong, '100-9999' for the 'NIS' (and this is a
> stupid name) range, but I think it shows something strange, if I run
> 'id rowland' on a Unix domain member, I get:
>
> uid=10000(rowland) gid=10000(domain users) groups=10000(domain users),102(netdev),1001(unixtest),10002(unixgroup),10010(group12),10024(unix admins),10004(testgroup),10011(printeradmin),2001(BUILTIN\users),2000(BUILTIN\administrators)
>
> My 'idmap config' lines are similar to yours, but, as you can see, the
> users 'gid' is 'gid=10000(domain users)', yours is 'gid=20(games)', how
> is this possible ? '20' is outside the '100-9999' range.

I believe I can change primary group of all (normal, not admin) users to "domain users" in AD and I can delete group 20, but I would not expect this helps with the problem.

Michal

> Do you have users & groups in AD and in /etc/passwd & /etc/group ?
>
> What is the OS
> What is the Active directory DC ?
>
> Rowland