Prunk Dump
2019-Aug-19 10:13 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On Mon, 19 Aug 2019 at 11:01, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
> Hai,
>
> First of all, I must say it is not very wise to have your NFS server on the AD-DC.
>
> I do about the same but my NFS server is on a member.
>
> Have you configured /etc/nsswitch.conf ?
> If not do that.
>
> If you run : id username
> I see : uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users)
> So my GID and Primary group id are the same.
>

This is a little bit off-thread, but why is it not safe to run an NFSv4 server on a DC? I know that with a Samba file server you have some restrictions, like using only encrypted communication.

But the NFS services are mostly independent. Is this not safe only because Samba cannot give correct uid/gid mapping on a DC? And in this case, is there any plan to make Samba usable in this configuration?

The fact that Samba as a DC cannot be used as a file server is a strange limitation, no? On Windows Server you don't have this problem. Is there some plan to make this possible?

I don't understand why this is so complicated. Does Samba use this winbind "primaryGroupID" gid mapping for the rights on the SYSVOL share?

> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Prunk Dump via samba
> > Sent: Monday 19 August 2019 10:46
> > To: samba at lists.samba.org
> > Subject: [Samba] winbind on DC : how use gidNumber instead
> > of primaryGroupID as user's primary group
> >
> > Hi Samba Team !
> >
> > My Samba AD DC server runs an NFSv4 server, so I need correct RFC2307 id
> > mapping between the server and the clients.
> >
> > On the client side it's very easy with the new smb.conf options :
> >
> > idmap config SAMDOM:unix_nss_info = yes
> > idmap config SAMDOM:unix_primary_group = yes
> >
> > But on the server side winbind uses the gidNumber of the group
> > corresponding to the user's primaryGroupID, not the gidNumber
> > directly.
> >
> > So all my users have their primary group set to "Domain Users", as I
> > have set the "Domain Users" gidNumber as said in the documentation.
> >
> > How can I change this behavior? On my NFSv4 shares all the files are
> > owned by the "Domain Users" group instead of the correct user primary
> > group.
>
> I don't see anything incorrect here, it's just how you use it.
> On my NFS the files are also owned by "domain users", exactly as I want.
>
> If it's about rights on files/folders, use the other groups to allow access or deny access.
> Use "domain users" to allow users to change files.
>
> Does this help you a bit?

You're right. But sometimes I use some special shares where users from multiple groups can create files, and I only want users from the same group to be able to see the content of each other's files.

I use the gid like on a classic Linux station folder.

> > Thanks for help !
> >
> > Baptiste.
>
> Greetz,
>
> Louis
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Last important thing. I use some scripts to manage my users from Linux. As I can't use the "id" command to get the user's gidNumber on a DC:

What is the fastest command to get the user's gidNumber value on a Samba DC?

Thanks again !!!

Regards,

Baptiste.
Rowland penny
2019-Aug-19 10:36 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On 19/08/2019 11:13, Prunk Dump via samba wrote:
> On Mon, 19 Aug 2019 at 11:01, L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
>
> This is a little bit off-thread, but why is it not safe to run an NFSv4
> server on a DC? I know that with a Samba file server you have some
> restrictions, like using only encrypted communication.
>
> But the NFS services are mostly independent. Is this not safe only
> because Samba cannot give correct uid/gid mapping on a DC? And in this
> case, is there any plan to make Samba usable in this configuration?

It isn't that it isn't safe, it is that authentication on a DC works differently to a Unix domain member, as you have found.

> The fact that Samba as a DC cannot be used as a file server is a strange
> limitation, no? On Windows Server you don't have this problem. Is
> there some plan to make this possible?

You can use a DC as a fileserver, you just have to put up with the limitations, one of which is that it works more like a Windows machine when it comes to authentication.

> I don't understand why this is so complicated. Does Samba use this winbind
> "primaryGroupID" gid mapping for the rights on the SYSVOL share?

It isn't complicated, Windows expects every user to be a member of Domain Users, so a Samba AD DC complies with this.

> You're right. But sometimes I use some special shares where users from
> multiple groups can create files, and I only want users from the
> same group to be able to see the content of each other's files.
>
> I use the gid like on a classic Linux station folder.

If you are going to use a DC as a fileserver, then you cannot do this, use Windows ACLs instead.

> Last important thing. I use some scripts to manage my users from Linux.
> As I can't use the "id" command to get the user's gidNumber on a DC:
>
> What is the fastest command to get the user's gidNumber value on a Samba DC?

Sounds like you haven't set up the libnss-winbind links, but when you do, don't be surprised if you get IDs in the '3000000' range.

Rowland
Prunk Dump
2019-Aug-20 08:19 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On Mon, 19 Aug 2019 at 12:37, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 19/08/2019 11:13, Prunk Dump via samba wrote:
> > Last important thing. I use some scripts to manage my users from Linux.
> > As I can't use the "id" command to get the user's gidNumber on a DC:
> >
> > What is the fastest command to get the user's gidNumber value on a Samba DC?
>
> Sounds like you haven't set up the libnss-winbind links, but when you
> do, don't be surprised if you get IDs in the '3000000' range.
>
> Rowland

Sorry, I didn't formulate my question very well. Libnss-winbind is well configured on my DC. But:

In some of my scripts I need to get the user's "gidNumber" attribute value. As on a DC winbind always gives "Domain Users" as the gid, I can't use the "id" or "wbinfo" command to get the "gidNumber" attribute value. So my question is: is there a faster equivalent of this command:

ldbsearch -H /var/lib/samba/private/sam.ldb -b a_base_dn_that_contain_all_my_users '(cn=myusername)' gidNumber | grep gidNumber | sed 's/gidNumber: //'

Is there a Samba command to get a user's LDAP attribute values as fast as possible?

Regards,

Baptiste.
L.P.H. van Belle
2019-Aug-20 09:29 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Prunk Dump via samba
> Sent: Tuesday 20 August 2019 10:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind on DC : how use gidNumber
> instead of primaryGroupID as user's primary group
>
> On Mon, 19 Aug 2019 at 12:37, Rowland penny via samba
> <samba at lists.samba.org> wrote:
> >
> > On 19/08/2019 11:13, Prunk Dump via samba wrote:
> > > Last important thing. I use some scripts to manage my users from Linux.
> > > As I can't use the "id" command to get the user's gidNumber on a DC:

Why not? I see this on my DCs. (Debian Buster, Samba 4.10.6 with AD backends.)

id username    (samba domain user)
uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000030(NTDOM\Allow-rdp),3000315(NTDOM\Allow-monitoring),3000009(BUILTIN\users)

# change $2 to $3 and get the output of groups.
time id username | awk -F"=" '{ print $2 }' | cut -d"(" -f1
10002

real    0m0.051s
user    0m0.002s
sys     0m0.005s

time /usr/bin/id username | /usr/bin/awk -F"=" '{ print $2 }' | /usr/bin/cut -d"(" -f1
10002

real    0m0.050s
user    0m0.007s
sys     0m0.000s

So with or without the path it does not make much of a difference.

SAMBA_BIN=$(which samba)
LDBDB="$(${SAMBA_BIN} -b | grep PRIVATE_DIR | sed 's/\ //g' | awk -F":" '{print $2}')/sam.ldb"
DN="$(ldbsearch -H "${LDBDB}" -b "" -s base defaultNamingContext | grep 'defaultNamingContext' | sed 's|defaultNamingContext: ||')"

time ldbsearch -H "${LDBDB}" -b "OU=YourUSERS,${DN}" -s sub '(CN=SEARCHSTRING)' gidNumber | grep gidNumber | sed 's/gidNumber: //'
10000

real    0m0.621s
user    0m0.599s
sys     0m0.023s

So I would go for the first as it is at least 10x faster here.

Greetz,

Louis

> > > What is the fastest command to get the user's gidNumber value on a Samba DC?
> >
> > Sounds like you haven't set up the libnss-winbind links, but when you
> > do, don't be surprised if you get IDs in the '3000000' range.
> >
> > Rowland
>
> Sorry, I didn't formulate my question very well. Libnss-winbind is well
> configured on my DC. But:
>
> In some of my scripts I need to get the user's "gidNumber" attribute
> value. As on a DC winbind always gives "Domain Users" as the gid, I can't use
> the "id" or "wbinfo" command to get the "gidNumber" attribute value.
> So my question is: is there a faster equivalent of this command:
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b a_base_dn_that_contain_all_my_users '(cn=myusername)' gidNumber | grep gidNumber | sed 's/gidNumber: //'
>
> Is there a Samba command to get a user's LDAP attribute values as fast as possible?
>
> Regards,
>
> Baptiste.
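As an added example (not code from the thread or from Samba), a small POSIX sh check that combines the two lookups compared above: the primary gid winbind hands to NSS (from `id`) and the user's own gidNumber attribute in sam.ldb (from `ldbsearch`). On a DC the two disagree whenever the user's primaryGroupID still points at Domain Users, which is exactly what puts Baptiste's NFS files in that group; the `id` and `ldbsearch` outputs below are constructed samples, and the user name and sam.ldb path in the commented live commands are assumptions.

```shell
#!/bin/sh
# Added example: flag users whose NSS primary gid (what winbind reports via
# `id` on a DC) differs from their own gidNumber attribute in sam.ldb.
# Files such users create on an NFS export get the NSS gid, not gidNumber.

# Constructed sample outputs standing in for the live commands (not real data).
ID_OUTPUT='uid=10002(NTDOM\baptiste) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000030(NTDOM\teachers)'
LDIF_OUTPUT='# record 1
dn: CN=baptiste,OU=Users,DC=samdom,DC=example,DC=com
gidNumber: 10015

# returned 1 records
# 1 entries
# 0 referrals'

# Primary gid as NSS sees it: the number inside the " gid=NNNN(" field.
nss_primary_gid() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]gid=\([0-9][0-9]*\)(.*/\1/p'
}

# gidNumber attribute from ldbsearch's LDIF output; empty when the user has none.
ldap_gidnumber() {
    printf '%s\n' "$1" | sed -n 's/^gidNumber: \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# 0 = NSS and gidNumber agree, 1 = they differ, 2 = no gidNumber attribute set.
check_primary_group() {
    nss_gid=$(nss_primary_gid "$1")
    ldap_gid=$(ldap_gidnumber "$2")
    if [ -z "$ldap_gid" ]; then
        echo "user has no gidNumber attribute; NSS reports gid $nss_gid" >&2
        return 2
    fi
    if [ "$nss_gid" = "$ldap_gid" ]; then
        return 0
    fi
    echo "mismatch: NSS primary gid=$nss_gid but gidNumber=$ldap_gid (primaryGroupID wins on a DC)" >&2
    return 1
}

# Live use on a DC (user name and sam.ldb path are assumptions, so left commented out):
# ID_OUTPUT=$(id baptiste)
# LDIF_OUTPUT=$(ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=baptiste)' gidNumber)
check_primary_group "$ID_OUTPUT" "$LDIF_OUTPUT" || echo "check exited with status $?"
```

Run it over each account a script manages and only act on status 1 or 2; status 0 means the group ownership on the NFS export will already be what the gidNumber attribute says.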