Rowland Penny
2018-Jul-26 07:16 UTC
[Samba] Fwd: Force set group id on samba domain member
On Wed, 25 Jul 2018 23:25:05 +0200 Michal <Michal67M at seznam.cz> wrote:

> I do not know if I get what you mean..
>
> # su - amistest
> Last login: Tue Jul 24 22:48:18 CEST 2018 on pts/4
> -bash-4.2$ id
> uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
>
> It is "gid=20(games)", not "gid=20(NIS\games)". gid 20 games comes
> from OS local /etc/group. It seems to me to be exactly what I would
> expect. Winbind did not do domain name translation of group 20,
> because it is not within domain range, that's ok, isn't it?

What I am trying to get at is, the user's primary group should come from AD, yours appears to be coming from /etc/group, this is what I do not understand.

Rowland
Rowland Penny
2018-Jul-26 08:42 UTC
[Samba] Fwd: Force set group id on samba domain member
On Thu, 26 Jul 2018 08:16:10 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 25 Jul 2018 23:25:05 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > I do not know if I get what you mean..
> >
> > # su - amistest
> > Last login: Tue Jul 24 22:48:18 CEST 2018 on pts/4
> > -bash-4.2$ id
> > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> >
> > It is "gid=20(games)", not "gid=20(NIS\games)". gid 20 games comes
> > from OS local /etc/group. It seems to me to be exactly what I would
> > expect. Winbind did not do domain name translation of group 20,
> > because it is not within domain range, that's ok, isn't it?
>
> What I am trying to get at is, the user's primary group should come
> from AD, yours appears to be coming from /etc/group, this is what I
> do not understand.
>
> Rowland

Just had a thought, what is in '/usr/local/bin/RPE4'? Perhaps this has a bearing on the problem, can I have a copy? If so, send it to me direct (not to the list).

Rowland
2018-07-26 9:16 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:

> On Wed, 25 Jul 2018 23:25:05 +0200
> Michal <Michal67M at seznam.cz> wrote:
>
> > I do not know if I get what you mean..
> >
> > # su - amistest
> > Last login: Tue Jul 24 22:48:18 CEST 2018 on pts/4
> > -bash-4.2$ id
> > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> >
> > It is "gid=20(games)", not "gid=20(NIS\games)". gid 20 games comes
> > from OS local /etc/group. It seems to me to be exactly what I would
> > expect. Winbind did not do domain name translation of group 20,
> > because it is not within domain range, that's ok, isn't it?
>
> What I am trying to get at is, the user's primary group should come from
> AD, yours appears to be coming from /etc/group, this is what I do not
> understand.

I think it works this way:
Primary group of users on hp-ux is "users", with gidnumber 20. Users in LDAP NT4 domain were/are being created with hp-ux unix attributes. This number 20 is users' primary group id in our LDAP with "users-nis" group name (yes, I know, it's a stupid name). This was inserted into AD via classicupgrade. Common users in AD have UNIX primary group attribute id=20, what is displayed as "users-nis" in e.g. RSAT GUI in domain users. The gid number 20 is gotten from AD on Linux DM, but because 20 is out of range for domain, nslookup (or whatever it is) displays group name from local /etc/group, which is "games".

Michal

> Rowland
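
Added example, not part of the thread or of Samba: a small audit that takes `id` output for a domain user and reports any group whose gid lies outside the idmap range and is therefore named by a local /etc/group entry, as with gid 20 above. The idmap range, the group-file excerpt and all function names are assumptions made for illustration; the thread does not state the configured range.

```python
import re

# Constructed inputs: the `id` line from the thread (group list shortened) and a
# minimal local group file. The range is an assumption; the thread never states it.
ID_LINE = (r"uid=6603(NIS\amistest) gid=20(games) groups=20(games),"
           r"513(NIS\domain users),2108(NIS\evis),10001(BUILTIN\users)")
ETC_GROUP = "root:x:0:\ngames:x:20:\nusers:x:100:\n"
DOMAIN_RANGE = (500, 9999)  # hypothetical 'idmap config NIS : range' value

ENTRY = re.compile(r"(\d+)\(([^)]*)\)")  # matches 20(games), 513(NIS\domain users)

def parse_id(line):
    """Split `id` output into the user, the primary group and all groups."""
    # Split only on spaces that start a new key=, so "domain users" stays whole.
    fields = dict(f.split("=", 1) for f in re.split(r" (?=\w+=)", line.strip()))
    pairs = lambda s: [(int(n), name) for n, name in ENTRY.findall(s)]
    return {"user": pairs(fields["uid"])[0],
            "primary": pairs(fields["gid"])[0],
            "groups": pairs(fields["groups"])}

def local_groups(text):
    """Map gid -> name for every well-formed line of a group file."""
    table = {}
    for row in text.splitlines():
        parts = row.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            table[int(parts[2])] = parts[0]
    return table

def shadowed_groups(id_line, group_text, domain_range):
    """List groups of a domain user whose gid is outside the idmap range
    and resolves to the name of a local group with the same number."""
    ident, local = parse_id(id_line), local_groups(group_text)
    low, high = domain_range
    if "\\" not in ident["user"][1]:
        return []  # no DOMAIN\ prefix: a local account, nothing to audit
    findings = []
    for gid, name in ident["groups"]:
        if not low <= gid <= high and local.get(gid) == name:
            findings.append({"gid": gid, "local_name": name,
                             "primary": gid == ident["primary"][0]})
    return findings

if __name__ == "__main__":
    for finding in shadowed_groups(ID_LINE, ETC_GROUP, DOMAIN_RANGE):
        print(finding)
```

A finding with "primary" set means files the user creates carry a gid that the member server attributes to the local group, so access granted to that local group also applies to them.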
Rowland Penny
2018-Jul-26 10:52 UTC
[Samba] Fwd: Force set group id on samba domain member
On Thu, 26 Jul 2018 10:49:17 +0200 Michal <Michal67M at seznam.cz> wrote:

> 2018-07-26 9:16 GMT+02:00 Rowland Penny via samba
> <samba at lists.samba.org>:
>
> > On Wed, 25 Jul 2018 23:25:05 +0200
> > Michal <Michal67M at seznam.cz> wrote:
> >
> > > I do not know if I get what you mean..
> > >
> > > # su - amistest
> > > Last login: Tue Jul 24 22:48:18 CEST 2018 on pts/4
> > > -bash-4.2$ id
> > > uid=6603(NIS\amistest) gid=20(games) groups=20(games),513(NIS\domain users),2108(NIS\evis),2109(NIS\slp),2126(NIS\poj),2157(NIS\audio),2164(NIS\doprava),2181(NIS\tomocon),2186(NIS\pacs_diagnostik),10001(BUILTIN\users)
> > >
> > > It is "gid=20(games)", not "gid=20(NIS\games)". gid 20 games
> > > comes from OS local /etc/group. It seems to me to be exactly what
> > > I would expect. Winbind did not do domain name translation of
> > > group 20, because it is not within domain range, that's ok, isn't
> > > it?
> >
> > What I am trying to get at is, the user's primary group should come
> > from AD, yours appears to be coming from /etc/group, this is what I
> > do not understand.
>
> I think it works this way:
> Primary group of users on hp-ux is "users", with gidnumber 20. Users
> in LDAP NT4 domain were/are being created with hp-ux unix attributes.
> This number 20 is users' primary group id in our LDAP with
> "users-nis" group name (yes, I know, it's a stupid name). This was
> inserted into AD via classicupgrade. Common users in AD have UNIX
> primary group attribute id=20,

Are you saying that your AD users' primaryGroupID attribute has been changed to '20' from '513'?

> what is displayed as "users-nis" in e.g.
> RSAT GUI in domain users. The gid number 20 is gotten from AD on
> Linux DM, but because 20 is out of range for domain, nslookup (or
> whatever it is) displays group name from local /etc/group, which is
> "games".

It sounds like it has been.

Rowland