Thanks for your answer. It is clearer now for me.

> >> It is probably a bit late to change now, but there is only one way to
> >> get the same numeric ID everywhere and that is to use the 'ad' winbind
> >> backend.

So, on the Linux clients?

> > This is why I removed the idmap config entries from the dc3 smb.conf.
> > "On a Samba Active Directory DC, Winbindd always reads the user IDs
> > (UID) and group IDs (GID) from the values set in the uidNumber and
> > gidNumber attributes set in the AD objects. For users and groups not
> > having a UID or GID assigned, an ID is generated locally on the DC and
> > stored in the /usr/local/samba/private/idmap.ldb file."
> > There aren't uidNumber and gidNumber attributes in my users' objects.
> > If you are correct, then the documentation is wrong/outdated.
> No there isn't anything really wrong with the documentation, you are
> just misunderstanding it, so it sounds like it needs making plainer.
> You cannot add the 'idmap config' lines to a smb.conf on a DC, the
> id-mapping is done via idmap.ldb, the users & groups are mapped to
> xidNumber attributes in there.

And is it hidden? I mean, 'samba-tool user show username' doesn't show that attribute.

> If you give normal users & groups a uidNumber or gidNumber, these will
> be used instead of the xidNumbers on DCs, you will need to use the
> winbind 'ad' backend on Unix domain members to use the uidNumber &
> gidNumber attributes.

I use rid on the fileserver. So, when I get the users' uid and gid on it, set them as uidNumber and gidNumber on dc3, and run net cache flush on dc3, should I then see the same user and group id on dc3 as on fileserver1, for example with getent passwd?
I tested it with an existing user. Now I see the uidNumber and gidNumber (set by myself) with samba-tool user show user1, but getent passwd A\\user1 shows the old user and group id.
On 09/08/2019 09:00, Pisch Tamás via samba wrote:
> Thanks for your answer. It is clearer now for me.
>>>> It is probably a bit late to change now, but there is only one way to
>>>> get the same numeric ID everywhere and that is to use the 'ad' winbind
>>>> backend.
> So, on the Linux clients?

Perhaps I should have said 'everywhere on Unix'.

>> No there isn't anything really wrong with the documentation, you are
>> just misunderstanding it, so it sounds like it needs making plainer.
>> You cannot add the 'idmap config' lines to a smb.conf on a DC, the
>> id-mapping is done via idmap.ldb, the users & groups are mapped to
>> xidNumber attributes in there.
> And is it hidden? I mean, 'samba-tool user show username' doesn't show
> that attribute.

Not hidden as such, it is in a different .ldb file: 'samba-tool user show' displays the user's object from 'sam.ldb' and, as I said, id-mapping on a DC is done via 'idmap.ldb', which is where the 'xidNumber' attributes are stored.

>> If you give normal users & groups a uidNumber or gidNumber, these will
>> be used instead of the xidNumbers on DCs, you will need to use the
>> winbind 'ad' backend on Unix domain members to use the uidNumber &
>> gidNumber attributes.
> I use rid on fileserver. So, when I get the users' uid and gid on it,
> and set them as uidNumber and gidNumber on dc3, and I use the net
> cache flush on dc3, then should I see the same user and group id on
> dc3 as on fileserver1, for example with getent passwd?
> I tested it with an existing user. Now, I see the uidNumber, and
> gidNumber (set by myself) with samba-tool user show user1, but the
> getent passwd A\\user1 shows the old user, and group id.

The DC will automatically use the uidNumber and gidNumber, but to use them on a Unix domain member, you have to follow a few simple rules:

You have to use the winbind 'ad' backend
You have to give any users you require visible on Unix a uidNumber attribute
You have to give 'Domain Users' a gidNumber attribute.
You have to give any group you require to be visible a gidNumber

All of these numbers must be inside the DOMAIN range you set in the smb.conf on the Unix domain member.

Rowland
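The question above is whether the numbers the 'rid' backend hands out on fileserver1 can be copied into AD as uidNumber/gidNumber. They can be derived without asking the member: idmap_rid maps ID = RID + LOW_RANGE_ID (with the default base_rid of 0), and the RID is the last component of the object's SID. The script below is an added example, not part of this thread and not Samba's own code. It reads the DOMAIN range from a member's smb.conf, computes the uid the member gives user1 and the gid it gives 'Domain Users' (well-known RID 513), checks Rowland's rule that both numbers lie inside that range, and prints the LDIF you would pipe into ldbmodify against sam.ldb on a DC. The domain name, range, SID and DN are constructed sample values.

```shell
#!/bin/bash
# Added example (not from the thread or Samba): reproduce the uid/gid a
# 'rid'-backend member assigns, and emit LDIF pinning them into AD.
# Assumptions: idmap_rid's default base_rid = 0, so ID = RID + LOW_RANGE;
# domain SAMDOM, the range, the SID and the DN below are constructed.

# The RID is the last dash-separated component of a SID.
rid_from_sid() {
    printf '%s\n' "${1##*-}"
}

# Print "LOW HIGH" from the "idmap config DOM : range = LOW-HIGH" line.
range_from_smbconf() {
    local conf="$1" dom="$2"
    sed -n -E "s/^[[:space:]]*idmap config ${dom}[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*-[[:space:]]*([0-9]+).*/\1 \2/p" "$conf"
}

# ID the rid backend assigns for a RID, given the range's low bound.
rid_backend_id() {
    local rid="$1" low="$2"
    echo $((rid + low))
}

# 0 if ID lies inside [LOW, HIGH], else 1: numbers stored in AD must sit
# inside the DOMAIN range configured on the Unix domain member.
in_range() {
    local id="$1" low="$2" high="$3"
    [ "$id" -ge "$low" ] && [ "$id" -le "$high" ]
}

# LDIF setting uidNumber/gidNumber on a user. 'replace' creates the
# attribute if absent and overwrites it if present. Feed to:
#   ldbmodify -H /path/to/private/sam.ldb
user_ldif() {
    local dn="$1" uid_num="$2" gid_num="$3"
    printf 'dn: %s\nchangetype: modify\nreplace: uidNumber\nuidNumber: %s\n-\nreplace: gidNumber\ngidNumber: %s\n-\n' \
        "$dn" "$uid_num" "$gid_num"
}

# Whole pipeline: member smb.conf + domain + user SID + user DN -> LDIF.
pin_ids_ldif() {
    local conf="$1" dom="$2" sid="$3" dn="$4" range low high uid_num gid_num n
    range=$(range_from_smbconf "$conf" "$dom")
    [ -n "$range" ] || { echo "no 'idmap config $dom : range' in $conf" >&2; return 1; }
    low=${range%% *}
    high=${range##* }
    uid_num=$(rid_backend_id "$(rid_from_sid "$sid")" "$low")
    gid_num=$(rid_backend_id 513 "$low")   # 513 = well-known RID of Domain Users
    for n in "$uid_num" "$gid_num"; do
        in_range "$n" "$low" "$high" || { echo "ID $n outside $low-$high" >&2; return 1; }
    done
    user_ldif "$dn" "$uid_num" "$gid_num"
}

# ---- constructed sample: a member's smb.conf and one user ----
SMBCONF=$(mktemp)
cat >"$SMBCONF" <<'EOF'
[global]
   workgroup = SAMDOM
   security = ADS
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
EOF
# Constructed SID/DN for user1; only the trailing RID (1105) matters.
pin_ids_ldif "$SMBCONF" SAMDOM 'S-1-5-21-1111111111-2222222222-3333333333-1105' \
    'CN=user1,CN=Users,DC=samdom,DC=example,DC=com'
rm -f "$SMBCONF"
```

With the sample range 10000-999999 the member gives user1 uid 11105 and 'Domain Users' gid 10513, and those are the values the printed LDIF pins into AD. If the SID is not known offhand, it can be read from the DC with ldbsearch on sam.ldb (attribute objectSid) or with wbinfo -n on the member.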
> You have to give any users you require visible on Unix a uidNumber attribute

Ok, I can do it with samba-tool user edit...

> You have to give 'Domain Users' a gidNumber attribute.
> You have to give any group you require to be visible a gidNumber

I know that I can set gidNumber when I create a group, but how can I edit the group properties?
On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>> You have to give any users you require visible on Unix a uidNumber attribute
> Ok, I can do it with samba-tool user edit...
>> You have to give 'Domain Users' a gidNumber attribute.
>> You have to give any group you require to be visible a gidNumber
> I know that I can set gidNumber when I create a group, but how can I
> edit the group properties?
>

Try the attached script (you will need to make it executable). You will need the ldb-tools package installed and it must be run on a Samba AD DC.

Rowland

-------------- next part --------------
#!/bin/bash
# ldbaddgidtogroup : adds a gidNumber to a group in AD
# Version 1.0 09/08/19
# Copyright (C) 2019 Rowland Penny
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    echo "Usage : $0 <groupname> <gidNumber>"
    exit 1
fi

if [ "$#" -ne 2 ]; then
    echo "Usage : $0 <groupname> <gidNumber>"
    exit 1
fi

_GROUP="$1"
G_GID="$2"

# Locate sam.ldb via the private directory this Samba build uses
P_DIR=$(samba -b | grep 'PRIVATE_DIR' | awk '{print $NF}')
SAM="${P_DIR}/sam.ldb"
# Build the base DN from the DC's DNS domain, e.g. dc=samdom,dc=example,dc=com
SUFFIX=$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')

# Find groupname : $_GROUP must exist in AD !
_RESULT=$(ldbsearch -H "${SAM}" -b "$SUFFIX" -s sub "(&(objectClass=group)(sAMAccountName=$_GROUP))" "*")

# Get Groups DN
_ENTRY=$(echo "$_RESULT" | grep "dn: ")
if [ -z "$_ENTRY" ]; then
    echo "Group $_GROUP not found in AD"
    exit 1
fi

# Check for gidNumber : $_GROUP must not have one !
_GID=$(echo "$_RESULT" | grep "gidNumber: " | sed "s|gidNumber: ||")
if [ -n "$_GID" ]; then
    echo "Group $_GROUP already has a gidNumber!"
    exit 1
fi

# Create LDIF
tmp_group="$_ENTRY
changetype: modify
add: gidNumber
gidNumber: $G_GID
-
"

# Modify group entry
echo "$tmp_group" | ldbmodify -H "${SAM}" > /dev/null 2>&1
if [ $? != 0 ]; then
    echo "Error adding gidNumber to group $_GROUP"
    exit 1
fi

unset tmp_group
echo "Successfully added gidNumber to group $_GROUP"
exit 0