On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>> You have to give any users you require visible on Unix a uidNumber attribute
> Ok, I can do it with samba-tool user edit...
>> You have to give 'Domain Users' a gidNumber attribute.
>> You have to give any group you require to be visible a gidNumber
> I know that I can set gidNumber when I create a group, but how can I
> edit the group properties?
>
Try the attached script (you will need to make it executable), you will need the ldb-tools package installed and it must be run on a Samba AD DC

Rowland
-------------- next part --------------
#!/bin/bash
# ldbaddgidtogroup : adds a gidNumber to a group in AD
# Version 1.0 09/08/19
# Copyright (C) 2019 Rowland Penny
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

if [ -z "$1" ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    echo "Usage : $0 <groupname> <gidNumber>"
    exit 1
fi

if [ "$#" -ne 2 ]; then
    echo "Usage : $0 <groupname> <gidNumber>"
    exit 1
fi

_GROUP="$1"
G_GID="$2"

# gidNumber must be a plain positive integer
case "$G_GID" in
    ''|*[!0-9]*)
        echo "gidNumber must be a number, got '$G_GID'"
        exit 1
        ;;
esac

# Locate sam.ldb using the private dir compiled into this samba build
P_DIR=$(samba -b | grep 'PRIVATE_DIR' | awk '{print $NF}')
SAM="${P_DIR}/sam.ldb"

# Build the base DN from the DNS domain: samdom.example.com -> dc=samdom,dc=example,dc=com
SUFFIX=$(echo "dc=$(hostname -d)" | sed 's/\./,dc=/g')

# Find groupname : $_GROUP must exist in AD !
_RESULT=$(ldbsearch -H "${SAM}" -b "$SUFFIX" -s sub "(&(objectClass=group)(sAMAccountName=$_GROUP))" "*")

# Get Groups DN
_ENTRY=$(echo "$_RESULT" | grep "dn: ")
if [ -z "$_ENTRY" ]; then
    echo "Group $_GROUP not found in AD"
    exit 1
fi

# Check for gidNumber : $_GROUP must not have one !
_GID=$(echo "$_RESULT" | grep "gidNumber: " | sed "s|gidNumber: ||")
if [ -n "$_GID" ]; then
    echo "Group $_GROUP already has a gidNumber!"
    exit 1
fi

# Create LDIF
tmp_group="$_ENTRY
changetype: modify
add: gidNumber
gidNumber: $G_GID
-
"

# Modify group entry
if ! echo "$tmp_group" | ldbmodify -H "${SAM}" > /dev/null 2>&1; then
    echo "Error adding gidNumber to group $_GROUP"
    exit 1
fi

unset tmp_group
echo "Successfully added gidNumber to group $_GROUP"
exit 0
On 09.08.19 at 12:49, Rowland penny via samba wrote:
> On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>>> You have to give any users you require visible on Unix a uidNumber
>>> attribute
>> Ok, I can do it with samba-tool user edit...
I think my rsnapshot-issue corresponds with this thread as well.

wbinfo -i userXY shows different uids on the DC and the DM.

Therefore the rsynced files belonging to uid-of-user-on-DM are shown as plain uid-number on the DC and can't be accessed correctly.

Seems I need to add a uid as well.

sorry if I hijacked here, just adding my current view ...
On 09/08/2019 18:13, Stefan G. Weichinger via samba wrote:
> On 09.08.19 at 12:49, Rowland penny via samba wrote:
>> On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>>>> You have to give any users you require visible on Unix a uidNumber
>>>> attribute
>>> Ok, I can do it with samba-tool user edit...
> I think my rsnapshot-issue corresponds with this thread as well.
>
> wbinfo -i userXY shows different uids on the DC and the DM.
>
> Therefore the rsynced files belonging to uid-of-user-on-DM are shown as
> plain uid-number on the DC and can't be accessed correctly.
>
> Seems I need to add a uid as well.
>
> sorry if I hijacked here, just adding my current view ...
>
>
Ah, so you are backing up something from a DC to a Unix domain member, then you may have problems.

There are three main methods of setting IDs:

On a DC, by default, idmap.ldb is used, this stores the IDs in xidNumber attributes and the range starts at '3000000', these numbers are only used on a Samba AD DC.

For Unix domain members, there are the 'rid' and 'ad' winbind backends, the 'rid' backend calculates the ID from the RID and the low DOMAIN range set in smb.conf, so if the low range is '10000' and the first RID is '1000' the first user ID will be '11000'.

The 'ad' backend uses the uidNumber & gidNumber attributes from AD, as long as they are inside the DOMAIN range set in smb.conf.

The only way to get the same IDs everywhere on Unix is to use the uidNumber & gidNumber attributes, they will override the xidNumbers on a DC, but you will have to use the 'ad' backend.

If you use the 'rid' backend, you can get the same IDs on Unix domain members, but only if you use the same 'idmap config' lines on all Unix domain members, however you will still have different IDs on the DC's.

A different way around this would be to backup to a directory and then tar the directory into a file.

Rowland
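An added illustration of the two domain-member backends described in the reply above, and of why Stefan sees different uids on the DC and the DM. This is not code from the thread or from Samba. It embeds two constructed smb.conf fragments (a 'rid' one and an 'ad' one; the domain name SAMDOM and the ranges are assumptions), derives the ID the 'rid' backend hands out for a given RID from the low end of the DOMAIN range, and checks whether a uidNumber taken from AD falls inside the DOMAIN range that the 'ad' backend requires. A DC-style xidNumber in the 3000000 range fails that check, which is the point Rowland makes about the DC's IDs being local to the DC.

```shell
#!/bin/bash
# Constructed smb.conf fragments for a member server (assumption: domain SAMDOM).
SMBCONF_RID='[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999'

SMBCONF_AD='[global]
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999'

# idmap_param <conf> <domain> <key> : print the value of "idmap config DOMAIN : key"
idmap_param() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*idmap config $2[[:space:]]*:[[:space:]]*$3[[:space:]]*=[[:space:]]*//p"
}

# rid_to_id <conf> <domain> <rid> : the ID the 'rid' backend would allocate,
# i.e. low end of the DOMAIN range plus the RID (10000 + 1000 = 11000)
rid_to_id() {
    local range low
    range=$(idmap_param "$1" "$2" range)
    low=${range%-*}
    echo $(( low + $3 ))
}

# ad_id_ok <conf> <domain> <uidNumber> : succeeds only when the member uses the
# 'ad' backend AND the AD attribute value lies inside the DOMAIN range
ad_id_ok() {
    local backend range low high
    backend=$(idmap_param "$1" "$2" backend)
    [ "$backend" = "ad" ] || return 2
    range=$(idmap_param "$1" "$2" range)
    low=${range%-*}
    high=${range#*-}
    [ "$3" -ge "$low" ] && [ "$3" -le "$high" ]
}

# Stand-alone demonstration
echo "rid backend, RID 1000 -> uid $(rid_to_id "$SMBCONF_RID" SAMDOM 1000)"
for uid in 10005 3000000; do
    if ad_id_ok "$SMBCONF_AD" SAMDOM "$uid"; then
        echo "ad backend accepts uidNumber $uid"
    else
        echo "ad backend ignores uidNumber $uid (outside DOMAIN range or wrong backend)"
    fi
done
```

Two members that share the 'rid' lines above hand out the same 11000 for RID 1000, which matches the thread; the DC, which does not use either backend, still allocates from its own 3000000-based xidNumber pool, so only the 'ad' backend with in-range uidNumber/gidNumber attributes gives one ID everywhere.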
On 09/08/2019 at 12:49, Rowland penny via samba wrote:
> On 09/08/2019 10:33, Pisch Tamás via samba wrote:
>> I know that I can set gidNumber when I create a group, but how can I
>> edit the group properties?
>>
> Try the attached script (you will need to make it executable), you
> will need the ldb-tools package installed and it must be run on a Samba
> AD DC
>
Thanks for this script! This would be great if we could do that with samba-tool, but it is another story.

Just a detail: you could print error messages to stderr instead of stdout.

Regards,
Yvan
> >> You have to give any users you require visible on Unix a uidNumber attribute
> > Ok, I can do it with samba-tool user edit...
> >> You have to give 'Domain Users' a gidNumber attribute.
> >> You have to give any group you require to be visible a gidNumber
> > I know that I can set gidNumber when I create a group, but how can I
> > edit the group properties?
> >
> Try the attached script (you will need to make it executable), you
> will need the ldb-tools package installed and it must be run on a Samba
> AD DC
Thank you very much for the script!

> Current plan : add a third DC, make dc2 a dm file server. Best solution
> imo.
Yes, I know that it would be better to use a separate dc, but I didn't want it on that site.
On 12/08/2019 07:13, Pisch Tamás wrote:
>> Current plan : add a third DC, make dc2 a dm file server. Best solution
>> imo.
> Yes, I know that it would be better to use a separate dc, but I didn't
> want it on that site.
Hi Pisch, that wasn't aimed at you, but it does show why you should never hijack an existing thread, my fault for not forking it off into a new thread, sorry ;-)

Rowland
> >> Current plan : add a third DC, make dc2 a dm file server. Best solution
> > imo.
> > Yes, I know that it would be better to use a separate dc, but I didn't
> > want it on that site.
> Hi Pisch, that wasn't aimed at you, but it does show why you should
> never hijack an existing thread, my fault for not forking it off into a
> new thread, sorry ;-)
No problem :)

Pisch Tamás <pischta at gmail.com> wrote (on 2019 Aug 12, Mon, 8:13):
>
> > >> You have to give any users you require visible on Unix a uidNumber attribute
> > > Ok, I can do it with samba-tool user edit...
> > >> You have to give 'Domain Users' a gidNumber attribute.
> > >> You have to give any group you require to be visible a gidNumber
> > > I know that I can set gidNumber when I create a group, but how can I
> > > edit the group properties?
> > >
> > Try the attached script (you will need to make it executable), you
> > will need the ldb-tools package installed and it must be run on a Samba
> > AD DC
>
> Thank you very much for the script!
>
> > Current plan : add a third DC, make dc2 a dm file server. Best solution
> > imo.
> Yes, I know that it would be better to use a separate dc, but I didn't
> want it on that site.