L.P.H. van Belle
2019-Aug-20 09:29 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump via samba
> Sent: Tuesday 20 August 2019 10:20
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
>
> On Mon, 19 Aug 2019 at 12:37, Rowland penny via samba <samba at lists.samba.org> wrote:
> >
> > On 19/08/2019 11:13, Prunk Dump via samba wrote:
> > > Last important thing. I use some script to manage my users from Linux.
> > > As I can't use the "id" command to get the user gidNumber on DC :

Why not, I see this on my DC's. ( Debian Buster, samba 4.10.6 with AD backends. )

id username ( samba domain user)
uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000030(NTDOM\Allow-rdp),3000315(NTDOM\Allow-monitoring),3000009(BUILTIN\users)

# change $2 to $3 and get the output of groups.
time id username |awk -F"=" '{ print $2 }'|cut -d"(" -f1
10002

real 0m0.051s
user 0m0.002s
sys 0m0.005s

time /usr/bin/id username |/usr/bin/awk -F"=" '{ print $2 }'|/usr/bin/cut -d"(" -f1
10002

real 0m0.050s
user 0m0.007s
sys 0m0.000s

So with or without path does not make much of a difference..

SAMBA_BIN=$(which samba)
LDBDB="$(${SAMBA_BIN} -b | grep PRIVATE_DIR |sed 's/\ //g' | awk -F":" {'print $2'})/sam.ldb"
DN="$(ldbsearch -H "${LDBDB}" -b "" -s base defaultNamingContext | grep 'defaultNamingContext' | sed 's|defaultNamingContext: ||')"

time ldbsearch -H "${LDBDB}" -b "OU=YourUSERS,${DN}" -s sub '(CN=SEARCHSTRING)' gidNumber | grep gidNumber | sed 's/gidNumber: //'
10000

real 0m0.621s
user 0m0.599s
sys 0m0.023s

So I would go for the first as it is at least x10 faster here.

Greetz,

Louis

> > >
> > > What is the fastest command to get the user gidNumber value on a samba DC ?
> > >
> > Sounds like you haven't set up the libnss-winbind links, but when you
> > do, don't be surprised if you get IDs in the '3000000' range
> >
> > Rowland
>
> Sorry I don't formulate my question very well. Libnss-winbind is well
> configured on my DC. But :
>
> On some of my scripts I need to get the users "gidNumber" attribute
> value. As on DC winbind always give "Domain Users" as gid I can't use
> the "id" or "wbinfo" command to get the "gidNumber" attribute value.
> So my question is : Is there a faster equivalent of this command :
>
> ldbsearch -H /var/lib/samba/private/sam.ldb -b a_base_dn_that_contain_all_my_users '(cn=myusername)' gidNumber | grep gidNumber | sed 's/gidNumber: //'
>
> Is there a samba command to get as fast as possible an user LDAP
> attribute values ?
>
> Regards,
>
> Baptiste.
Rowland penny
2019-Aug-20 09:54 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On 20/08/2019 10:29, L.P.H. van Belle via samba wrote:
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump via samba
>> Sent: Tuesday 20 August 2019 10:20
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
>>
>> On Mon, 19 Aug 2019 at 12:37, Rowland penny via samba <samba at lists.samba.org> wrote:
>>> On 19/08/2019 11:13, Prunk Dump via samba wrote:
>>>> Last important thing. I use some script to manage my users from Linux.
>>>> As I can't use the "id" command to get the user gidNumber on DC :
> Why not, i see this on my DC's. ( Debian Buster, samba 4.10.6 with AD backends. )
>
> id username ( samba domain user)
> uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000030(NTDOM\Allow-rdp),3000315(NTDOM\Allow-monitoring),3000009(BUILTIN\users)
>

The problem with that is, 'id' gets its info from the same place that 'getent' does, so the OP will still get the wrong group ;-)

Rowland
L.P.H. van Belle
2019-Aug-20 10:16 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny via samba
> Sent: Tuesday 20 August 2019 11:55
> To: samba at lists.samba.org
> Subject: Re: [Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
>
> On 20/08/2019 10:29, L.P.H. van Belle via samba wrote:
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Prunk Dump via samba
> >> Sent: Tuesday 20 August 2019 10:20
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
> >>
> >> On Mon, 19 Aug 2019 at 12:37, Rowland penny via samba <samba at lists.samba.org> wrote:
> >>> On 19/08/2019 11:13, Prunk Dump via samba wrote:
> >>>> Last important thing. I use some script to manage my users from Linux.
> >>>> As I can't use the "id" command to get the user gidNumber on DC :
> > Why not, i see this on my DC's. ( Debian Buster, samba 4.10.6 with AD backends. )
> >
> > id username ( samba domain user)
> > uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000030(NTDOM\Allow-rdp),3000315(NTDOM\Allow-monitoring),3000009(BUILTIN\users)
> >
> The problem with that is, 'id' gets its info from the same place that
> 'getent' does, so the OP will still get the wrong group ;-)
>
> Rowland

Maybe I did not understand the question then.

In: id username |awk -F"=" '{ print $2 }'|cut -d"(" -f1
$2 = GID
$3 = primary group.

Ok, so above was with a user that does have a UID + GID assigned.

id username-NOGID |/usr/bin/awk -F"=" '{ print $2 }'|/usr/bin/cut -d"(" -f1
3000165 ( is : ,3000165(NTNDOM\username-NOGID)

Ok, so that's wrong..

id username |awk -F"gid=" '{ print $2 }'|cut -d"(" -f1
10000

Which is correct.

I've verified the last line :
id username |awk -F"gid=" '{ print $2 }'|cut -d"(" -f1

With AD user with UID+GID
With AD user without UID+GID
With Linux user

And they now all show their correct GID.

Can you verify it?

Greetz,

Louis
Rowland penny
2019-Aug-20 10:30 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On 20/08/2019 11:16, L.P.H. van Belle via samba wrote:
>> The problem with that is, 'id' gets its info from the same place that
>> 'getent' does, so the OP will still get the wrong group ;-)
>>
>> Rowland
> Maybe i did not understand the question then.
> In: id username |awk -F"=" '{ print $2 }'|cut -d"(" -f1
> $2 = GID
> $3 = primary group.

The OP wants something like 'idmap config SAMDOM : unix_primary_group = yes' but on a DC.

As the 'idmap config' lines do not work on a DC, I think he has three options:

Just make do with 'domain Users'.

Set up a Unix domain member and use that instead.

Use nslcd.

Before anyone says 'what about sssd ?' , when the people who produce it say 'do not use sssd with winbind', then you shouldn't use it on a Samba AD DC.

Rowland
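
An added example, not part of any post in this thread: a shell sketch that reads the primary gid reported by `id` and the `gidNumber` attribute from `ldbsearch` output, then reports whether they agree, which is the difference the thread is about on a DC. The function names and the sample data are assumptions made for illustration; the sample `gidNumber` of 10001 is constructed so that the two sources disagree.

```shell
#!/bin/sh
# Constructed sample data modelled on the outputs quoted in the thread
# (not captured from a real DC).
SAMPLE_ID='uid=10002(NTDOM\username) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000009(BUILTIN\users)'
SAMPLE_LDIF='# record 1
dn: CN=username,OU=YourUSERS,DC=ntdom,DC=example,DC=com
gidNumber: 10001

# returned 1 records'

# Primary gid as NSS (winbind) reports it, from one line of `id` output on stdin.
# Splitting on " gid=" rather than "=" avoids returning the uid or a groups= entry.
gid_from_id() {
    awk -F' gid=' 'NF > 1 { g = $2; sub(/[^0-9].*$/, "", g); print g }'
}

# Value of one attribute from ldbsearch LDIF output on stdin.
# "# ..." comment lines are skipped and the attribute name must match exactly
# (case-insensitively), so a longer attribute name cannot match by accident.
ldif_attr() {
    awk -v want="$1" '
        /^#/ { next }
        {
            i = index($0, ": ")
            if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) == tolower(want)) print substr($0, i + 2)
        }'
}

# $1 = `id` output, $2 = ldbsearch output. Prints one verdict line.
compare_gid() {
    nss=$(printf '%s\n' "$1" | gid_from_id)
    ad=$(printf '%s\n' "$2" | ldif_attr gidNumber)
    if [ -z "$ad" ]; then
        echo "unset nss=$nss"
    elif [ "$nss" = "$ad" ]; then
        echo "match gid=$nss"
    else
        echo "MISMATCH nss=$nss ad=$ad"
    fi
}

# On a real DC the two arguments would come from `id username` and from the
# ldbsearch command quoted in the thread; here the constructed samples are used.
compare_gid "$SAMPLE_ID" "$SAMPLE_LDIF"
```
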