L.P.H. van Belle
2018-Sep-05 14:59 UTC
[Samba] Upgraded a member server to 4.8, rfc2307 data?
Hai Marco,

If you don't need it, then you can remove it. And in addition to Rowland's comment, I'll show how I use it.

In reply to:

> It is needed? AFAI've understood it means that users will have UNIX primary group the windows group
> and not 'domain users', but really i don't need that...

I'll explain how I use it and why, maybe it's usable for you or others.

My windows group "Domain Users" is always the default for the users, it is the default group for every user, except guests. This is the windows default.

I did assign GIDs to:

"domain users"
"domain admins"    < most people don't use this or use with care on the linux side.
"domain guest"
"domain computer"  < most people don't use this or use with care on the linux side.

And some other groups I need on linux; only the groups I need (on linux) have a GID assigned. And yes, I did need all the "domain ...." groups in linux also, I needed these. That's why domain admins is having a GID.

I do want my windows users to login on linux systems and use "Domain Users" as primary group. I use this to overcome some inherent problems.

Remember this, and this is the most important part imo:

17XX "Creator Owner"
277X "Creator Group"
377X "Creator Owner and Creator Group"

/data       root:"Domain Admins" 1755 ( allow everybody in this folder, even guests )
            everyone can walk/enter this folder (/data) due to the last 5 in 1775 on linux.
/data/dep1  root:"Dep1" 2770 ( allow users/group rights ) and if member of "Dep1" only then you can enter and read/write.
/data/dep2  root:"Dep2" 2770 ( allow users/group rights ) and if member of "Dep2" only then you can enter and read/write.

If user1 creates a file in /data/dep1, it creates it as user1:"Domain Users"
If user2 creates a file in /data/dep2, it creates it as user2:"Domain Users"

But user1 is not able to access /data/dep2 due to the group restriction Dep2.
User2 is not able to access /data/dep1 due to the group restriction Dep1.

>> The headache points for people. <<
Now my users switch departments; if wrongly set up, both users can read/write one another's files.
In my case, both users can read/write the created files from one another, no headache ;-)

This is a bit how I set up my rights ( depending on server and use of the server ). And please note, this is only the LINUX PART of the rights. And best is to keep this as much as possible in line.

I hope this helps a bit for you and others.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Marco Gaiarin via samba
> Sent: Wednesday 5 September 2018 16:15
> To: samba at lists.samba.org
> Subject: Re: [Samba] Upgraded a member server to 4.8, rfc2307 data?
>
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
>
> > idmap config LNFFVG: unix_primary_group = yes
>
> It is needed? AFAI've understood it means that users will have UNIX primary
> group the windows group and not 'domain users', but really i don't need
> that...
>
> --
>   dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797
>
>   Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
>   (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
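The Linux-side layout above (a world-traversable /data with sticky bit, and setgid, group-restricted department directories) is easy to set up once and easy to break later with a careless chmod. As an added example, not code from Louis's message or from Samba, here is a small audit that checks a tree against that scheme and also walks it for anything world-writable. The modes and group names come from the message; the audit functions, the temporary demo tree and the `break_dept` helper are constructed for this example. Group checks are skipped in the demo because the AD groups do not exist on the machine running it.

```python
"""Audit a share tree against the permission scheme described above.

Added example: the policy values are from the mailing-list post, the
audit code and the throwaway demo tree are constructed here.
"""
import grp
import os
import stat
import tempfile

# Expected (mode, group) per directory, relative to the data root.
# group=None skips the group check.
POLICY = {
    ".":    (0o1755, "Domain Admins"),   # everybody may traverse /data
    "dep1": (0o2770, "Dep1"),           # setgid + group-only access
    "dep2": (0o2770, "Dep2"),
}


def audit(root, policy):
    """Return a list of (path, problem) tuples; an empty list means compliant."""
    findings = []
    for rel, (want_mode, want_group) in policy.items():
        path = os.path.normpath(os.path.join(root, rel))
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((path, "not a directory"))
            continue
        # S_IMODE keeps the permission bits including setuid/setgid/sticky,
        # so a plain 'chmod 770' that drops the setgid bit is caught here.
        have_mode = stat.S_IMODE(st.st_mode)
        if have_mode != want_mode:
            findings.append((path, f"mode {have_mode:04o}, expected {want_mode:04o}"))
        if want_group is not None:
            have_group = grp.getgrgid(st.st_gid).gr_name
            if have_group != want_group:
                findings.append((path, f"group {have_group}, expected {want_group}"))
    return findings


def world_writable(root):
    """Walk root and return every file or directory any user could write to."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are meaningless
            if st.st_mode & stat.S_IWOTH:
                hits.append(p)
    return sorted(hits)


def build_demo_tree():
    """Construct a throwaway tree with the modes from the post (constructed demo data)."""
    root = tempfile.mkdtemp(prefix="data-")
    os.chmod(root, 0o1755)
    for dep in ("dep1", "dep2"):
        d = os.path.join(root, dep)
        os.mkdir(d)
        os.chmod(d, 0o2770)
    return root


def break_dept(root, dep):
    """Simulate the sloppy chmod that defeats the scheme; returns the path changed."""
    path = os.path.join(root, dep)
    os.chmod(path, 0o777)
    return path


# Demo policy: same modes as POLICY, group checks disabled.
DEMO_POLICY = {rel: (mode, None) for rel, (mode, _) in POLICY.items()}

if __name__ == "__main__":
    root = build_demo_tree()
    print("compliant tree:", audit(root, DEMO_POLICY))
    broken = break_dept(root, "dep2")
    print("after breaking dep2:", audit(root, DEMO_POLICY))
    print("world-writable:", world_writable(root))
```

On a real server you would run `audit("/data", POLICY)` as root from cron or a config-management check, with the real group names filled in; the group lookup relies on winbind (or whatever NSS source) resolving the GIDs that the post says were assigned to the domain groups.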
Marco Gaiarin
2018-Sep-06 12:20 UTC
[Samba] Upgraded a member server to 4.8, rfc2307 data?
Mandi! L.P.H. van Belle via samba
  In chel di` si favelave...

> And in addition to Rowland comment, i'll show how i use it.

Thanks. I add a note myself.

Only 'non-primary groups' get listed in memberOf/member data in LDAP, so if you need to get 'group membership' for other tools/apps/... you 'lose' (apart from doing some complex queries...) the default group.

I've found web interfaces that are able to do also 'nested group expansion', but (by default) do not look up primaryGroupID/gidNumber (because, indeed, it is a totally different query).

So, probably the best thing to do is to keep 'Domain Users' as default group and stop.

--
  dott. Marco Gaiarin                                     GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

  Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
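The point Marco makes here, that memberOf never carries the primary group, is exactly why tools that only read memberOf under-report access. As an added example, not part of Marco's message or of any Samba tool, the code below resolves a user's complete group list the way a careful consumer of AD data has to: memberOf (optionally nested-expanded via the reverse of `member`) plus the primary group, found by turning primaryGroupID (a RID) into an objectSid of the form `<domain SID>-<RID>`. The directory records are constructed in-memory stand-ins with invented DNs, SIDs and gidNumbers; 513 is the well-known RID of "Domain Users".

```python
"""Resolve full AD group membership including the primary group.

Added example with constructed directory records; not code from the
thread. DNs, the domain SID and gidNumbers are invented.
"""

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# Constructed group records keyed by DN, shaped like the LDAP attributes.
# gidNumber None = no rfc2307 data for that group.
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com":
        {"objectSid": f"{DOMAIN_SID}-513", "gidNumber": 10513, "name": "Domain Users"},
    "CN=Dep1,OU=Groups,DC=example,DC=com":
        {"objectSid": f"{DOMAIN_SID}-1101", "gidNumber": 10101, "name": "Dep1"},
    "CN=Dep2,OU=Groups,DC=example,DC=com":
        {"objectSid": f"{DOMAIN_SID}-1102", "gidNumber": 10102, "name": "Dep2"},
    "CN=Staff,OU=Groups,DC=example,DC=com":
        {"objectSid": f"{DOMAIN_SID}-1103", "gidNumber": None, "name": "Staff",
         "member": ["CN=Dep1,OU=Groups,DC=example,DC=com"]},   # nested: Dep1 is in Staff
}

# Constructed user: primary group is Domain Users (RID 513), which is
# therefore NOT present in memberOf.
USER1 = {
    "sAMAccountName": "user1",
    "primaryGroupID": 513,
    "memberOf": ["CN=Dep1,OU=Groups,DC=example,DC=com"],
}


def memberof_only(user, groups=GROUPS):
    """What a naive tool reports: names of the memberOf groups only."""
    return sorted(groups[dn]["name"] for dn in user.get("memberOf", []))


def primary_group_dn(user, groups, domain_sid):
    """Map primaryGroupID (a RID) to the group whose objectSid is <domain_sid>-<RID>."""
    want = f"{domain_sid}-{user['primaryGroupID']}"
    for dn, g in groups.items():
        if g["objectSid"] == want:
            return dn
    return None


def expand_nested(dns, groups):
    """Add every group that (transitively) lists one of dns in its member attribute."""
    parents = {}
    for dn, g in groups.items():
        for m in g.get("member", []):
            parents.setdefault(m, set()).add(dn)
    seen, todo = set(), list(dns)
    while todo:
        dn = todo.pop()
        if dn in seen:
            continue
        seen.add(dn)
        todo.extend(parents.get(dn, ()))
    return seen


def all_group_dns(user, groups=GROUPS, domain_sid=DOMAIN_SID, nested=True):
    """memberOf plus the primary group, nested-expanded if requested."""
    dns = set(user.get("memberOf", []))
    primary = primary_group_dn(user, groups, domain_sid)
    if primary is not None:
        dns.add(primary)
    return expand_nested(dns, groups) if nested else dns


def all_groups(user, groups=GROUPS, domain_sid=DOMAIN_SID, nested=True):
    """Sorted group names, including the primary group."""
    return sorted(groups[dn]["name"] for dn in all_group_dns(user, groups, domain_sid, nested))


def unix_gids(user, groups=GROUPS, domain_sid=DOMAIN_SID):
    """gidNumbers the user's groups carry; groups without rfc2307 data are skipped."""
    gids = {groups[dn]["gidNumber"] for dn in all_group_dns(user, groups, domain_sid)}
    return sorted(g for g in gids if g is not None)


if __name__ == "__main__":
    print("memberOf only:", memberof_only(USER1))
    print("with primary group:", all_groups(USER1, nested=False))
    print("with primary + nesting:", all_groups(USER1))
    print("unix gids:", unix_gids(USER1))
```

Against a live directory the same logic needs two queries: the user's `memberOf` and `primaryGroupID`, then a search for `(objectSid=<domain SID>-<primaryGroupID>)`; the group with no gidNumber (Staff here) shows why only groups that have rfc2307 data ever appear on the Linux side.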
Rowland Penny
2018-Sep-06 12:29 UTC
[Samba] Upgraded a member server to 4.8, rfc2307 data?
On Thu, 6 Sep 2018 14:20:42 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
>
> > And in addition to Rowland comment, i'll show how i use it.
>
> Thanks. I add a note myself.
>
> Only 'non-primary groups' get listed in memberOf/member data in LDAP,
> so if you need to get 'group membership' for other tools/app/... you
> 'lost' (apart doing some complex queries...) the default group.
>
> I've found web interfaces that are able to do also 'nested group
> expansions', but (by default) does not lookup primaryGroupID/gidNumber
> (because, indeed, is a totally different query).
>
>
> So, probably the best thing to do is to keep 'Domain Users' as default
> group and stop.
>

I have never understood why people want different primary groups for Unix users in AD. You can get something similar by denying access to a share from the 'Domain Users' group and allowing access from another group.

Rowland