I'm reading this page on the Samba Wiki: https://wiki.samba.org/index.php/Idmap_config_ad

I'm reading the information at the end about gidNumber and primaryGroupID, and everything is making sense. (In fact, I recently implemented code to set a user's gidNumber to the gidNumber of their primary group. I see now that this is the default behavior of Samba (winbind?) and that this was probably unnecessary.)

And then I encounter this warning:

> Whichever setting you use, do not change the users primaryGroupID attribute, Windows relies on all users being a member of Domain Users. If you require your Unix users to have a primary group other than Domain Users, you should use Samba version 4.6.0 or later.

This was added in July 2018: https://wiki.samba.org/index.php?title=Idmap_config_ad&diff=14522&oldid=14505

I found this very surprising and somewhat inconsistent with the rest of the text.

> Windows relies on all users being a member of Domain Users

Okay that's fine. But this is a discussion of "Primary Group", not general group membership. AFAIK Windows doesn't care about the Primary group. In fact, the "Member Of" tab in ADUC says:

> There is no need to change Primary group unless you have Macintosh clients or POSIX-compliant applications.

What is the purpose of this warning? If the whole point was that "Windows relies on all users being a member of Domain Users", then I don't understand why the Wiki is instructing users to not change the Primary group.

Thanks,
Jonathon

On Wed, 17 Apr 2019 23:55:40 -0400 Jonathon Reinhart via samba <samba at lists.samba.org> wrote:

> > Windows relies on all users being a member of Domain Users
>
> Okay that's fine. But this is a discussion of "Primary Group", not general group membership. AFAIK Windows doesn't care about the Primary group. In fact, the "Member Of" tab in ADUC says:
>
> > There is no need to change Primary group unless you have Macintosh clients or POSIX-compliant applications.

This shows that you shouldn't change the user's primary group.

> What is the purpose of this warning? If the whole point was that "Windows relies on all users being a member of Domain Users", then I don't understand why the Wiki is instructing users to not change the Primary group.

It is there because, even though you have realised that changing the contents of 'primaryGroupID' from '513' to the RID of another group is a bad idea, people did! This then upset Windows.

The problem is that on Unix, a user normally gets its own private group, but it is easy to change the user's primary group. In AD, the user's primary group is 'Domain Users' and isn't expected to change, but Unix sysadmins, whilst wanting to use AD, didn't want to comply with this restriction, so 'idmap config DOMAIN : unix_primary_group = yes' was created.

There is only one problem with this, it only works if you actually log into the Samba fileserver, over the wire it is still 'Domain Users'.

Rowland
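
An audit for the situation described in the reply above, as an added example that is not part of the original thread: it reads an LDIF export of directory entries and lists the user accounts whose primaryGroupID has been changed away from 513. The sample LDIF, its DNs and the function names are constructed for illustration, and the rule that computer objects are skipped is an assumption of this sketch.

```python
import base64

DOMAIN_USERS_RID = "513"  # the primaryGroupID value named in the thread

# Constructed sample export; every DN and value is made up for illustration.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
primaryGroupID: 513

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName:: Ym9i
primaryGroupID: 1105

dn: CN=FS1,CN=Computers,DC=example,DC=com
objectClass: user
objectClass: computer
sAMAccountName: FS1$
primaryGroupID: 515
"""

def parse_ldif(text):
    """Yield one dict (lower-cased attribute -> list of values) per entry."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):        # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def changed_primary_group(text, ignore=()):
    """Return (sAMAccountName, primaryGroupID) for user accounts not on 513."""
    hits = []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        name = e.get("samaccountname", ["?"])[0]
        rid = e.get("primarygroupid", [DOMAIN_USERS_RID])[0]  # absent: not reported
        # Computer objects also carry objectClass "user"; they are skipped.
        if "user" in classes and "computer" not in classes \
                and name not in ignore and rid != DOMAIN_USERS_RID:
            hits.append((name, rid))
    return hits
```

Built-in accounts whose default primary group is not Domain Users can be passed in `ignore` so that only accounts someone has altered are reported.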