samba - Jul 2018 - Force set group id on samba domain member

2018-07-24 23:26 GMT+02:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Tue, 24 Jul 2018 22:50:16 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> > >
> > > Do the users have a gidNumber attribute containing the gidNumber
of
> > > the required group and if so, is the gidNumber inside the range
set
> > > in smb.conf and is the version of Samba >= 4.6.0
> >
> > su - amistest
> > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > $ id
> > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain
> > users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(
> NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\
> pacs_diagnostik),10001(BUILTIN\users)
>
> Your ranges are really wrong, '100-9999' for the 'NIS' (and
this is a
> stupid name) range, but I think it shows something strange, if I run
> 'id rowland' on a Unix domain member, I get:
>
> uid=10000(rowland) gid=10000(domain users) groups=10000(domain
> users),102(netdev),1001(unixtest),10002(unixgroup),
> 10010(group12),10024(unix
> admins),10004(testgroup),10011(printeradmin),2001(
> BUILTIN\users),2000(BUILTIN\administrators)
>
> My 'idmap config' lines are similar to yours, but, as you can see,
the
> users 'gid' is 'gid=10000(domain users)', yours is
'gid=20(games)', how
> is this possible ? '20' is outside the '100-9999' range.
>
I believe I can change primary group of all (normal, not admin) users to
"domain users" in AD and I can delete group 20, but I would not expect
this
helps with the problem.

Michal


>
> Do you have users & groups in AD and in /etc/passwd & /etc/group ?
>
> What is the OS
> What is the Active directory DC ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Wed, 25 Jul 2018 07:09:39 +0200
Michal <Michal67M at seznam.cz> wrote:
> 2018-07-24 23:26 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
> 
> > On Tue, 24 Jul 2018 22:50:16 +0200
> > Michal <Michal67M at seznam.cz> wrote:
> >
> > > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > > <samba at lists.samba.org>:
> > > >
> > > > Do the users have a gidNumber attribute containing the
> > > > gidNumber of the required group and if so, is the gidNumber
> > > > inside the range set in smb.conf and is the version of Samba
>> > > > 4.6.0
> > >
> > > su - amistest
> > > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > > $ id
> > > uid=6603(NIS\amistest) gid=20(games)
> > > groups=20(games),513(NIS\domain
> > > users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(
> > NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\
> > pacs_diagnostik),10001(BUILTIN\users)
> >
> > Your ranges are really wrong, '100-9999' for the 'NIS'
(and this is
> > a stupid name) range, but I think it shows something strange, if I
> > run 'id rowland' on a Unix domain member, I get:
> >
> > uid=10000(rowland) gid=10000(domain users) groups=10000(domain
> > users),102(netdev),1001(unixtest),10002(unixgroup),
> > 10010(group12),10024(unix
> > admins),10004(testgroup),10011(printeradmin),2001(
> > BUILTIN\users),2000(BUILTIN\administrators)
> >
> > My 'idmap config' lines are similar to yours, but, as you can
see,
> > the users 'gid' is 'gid=10000(domain users)', yours is
> > 'gid=20(games)', how is this possible ? '20' is
outside the
> > '100-9999' range.
> >
> 
> I believe I can change primary group of all (normal, not admin) users
> to "domain users" in AD and I can delete group 20, but I would
not
> expect this helps with the problem.
> 
> Michal
> 
> 
> 
> >
> > Do you have users & groups in AD and in /etc/passwd &
/etc/group ?
You have never answered the above question and until you do, I cannot
offer further help.

Rowland

2018-07-25 18:47 GMT+02:00 Rowland Penny via samba <samba at
lists.samba.org>:
> On Wed, 25 Jul 2018 07:09:39 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > 2018-07-24 23:26 GMT+02:00 Rowland Penny via samba
> > <samba at lists.samba.org>:
> >
> > > On Tue, 24 Jul 2018 22:50:16 +0200
> > > Michal <Michal67M at seznam.cz> wrote:
> > >
> > > > 2018-07-24 16:53 GMT+02:00 Rowland Penny via samba
> > > > <samba at lists.samba.org>:
> > > > >
> > > > > Do the users have a gidNumber attribute containing the
> > > > > gidNumber of the required group and if so, is the
gidNumber
> > > > > inside the range set in smb.conf and is the version of
Samba >> > > > > 4.6.0
> > > >
> > > > su - amistest
> > > > Last login: Tue Jul 24 22:37:47 CEST 2018 on pts/4
> > > > $ id
> > > > uid=6603(NIS\amistest) gid=20(games)
> > > > groups=20(games),513(NIS\domain
> > > > users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(
> > > NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\
> > > pacs_diagnostik),10001(BUILTIN\users)
> > >
> > > Your ranges are really wrong, '100-9999' for the
'NIS' (and this is
> > > a stupid name) range, but I think it shows something strange, if
I
> > > run 'id rowland' on a Unix domain member, I get:
> > >
> > > uid=10000(rowland) gid=10000(domain users) groups=10000(domain
> > > users),102(netdev),1001(unixtest),10002(unixgroup),
> > > 10010(group12),10024(unix
> > > admins),10004(testgroup),10011(printeradmin),2001(
> > > BUILTIN\users),2000(BUILTIN\administrators)
> > >
> > > My 'idmap config' lines are similar to yours, but, as you
can see,
> > > the users 'gid' is 'gid=10000(domain users)',
yours is
> > > 'gid=20(games)', how is this possible ? '20' is
outside the
> > > '100-9999' range.
> > >
> >
> > I believe I can change primary group of all (normal, not admin) users
> > to "domain users" in AD and I can delete group 20, but I
would not
> > expect this helps with the problem.
> >
> > Michal
> >
> >
> >
> > >
> > > Do you have users & groups in AD and in /etc/passwd &
/etc/group ?
>
> You have never answered the above question and until you do, I cannot
> offer further help.
>
>
Well I do not understand the question.. Of course I have users and groups
both in AD and in system files... There are OS specific users and groups in
the system files  and  there are AD users and groups in AD.  AD users and
groups are not in the system files.

Michal


> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>