Prunk Dump
2019-Aug-21 08:04 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On Tue, 20 Aug 2019 at 14:30, L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
> Hai,
>
> > In short. My network design previously worked with Debian Stretch
> > servers and clients and some Windows clients (not many).
> >
> > Debian Stretch uses Samba 4.5.16, so there is no unix_primary_group
> > option for the clients. So I had to use the "dirty" tweak of
> > modifying all my users' "primaryGroupID" to the corresponding
> > "gidNumber". Everything works well with my NFSv4 shares and Samba
> > shares. I did not notice anything wrong on either Linux or Windows
> > clients.
> -> Uhm, samba-tool does have the option to add uid/gids.
>
> I can recall our conversation years ago for Jessie with NFSv4.
> These days setting up NFSv4 is easy.
> I these days have NFSv4 with sys,krb5,krb5i,krb5p working,
> for example ssh SSO logins and automounted krb5p and protected homedirs, which even root can not enter.
> I'll work this out in the howtos I'm updating/writing atm for Debian Buster.
> This might take some time, because it will be the full setup of how I'm running things.
> .. I might speed up a bit because I noticed the samba wiki has really improved a lot,
> so I might "borrow" some parts ;-).
>
> It might help if you can explain exactly how your NFSv4 is set up now.
>
> > Now my network design will be upgraded to Debian Buster. I was happy
> > to see the appearance of the "unix_primary_group" option. I thought at
> > first that this would help me avoid the dirty trick.
> >
> I still don't understand what you're exactly doing and what was not working..
> (sorry)
>
> > But on the Buster Samba DC this option does not exist and, moreover, now
> > the Samba DC refuses to check the "primaryGroupID" value. My dirty trick
> > does not work anymore. So I'll need to convert all my scripts to obtain
> > the gidNumber.
> >
> > Here is what id gives on the DC:
> > # id testteacher6
> > uid=4000007(FICHLAN\testteacher6) gid=5200001(FICHLAN\domain users) groups=5200001(FICHLAN\domain users),5000002(FICHLAN\teachers),5000000(FICHLAN\s4users),3000009(BUILTIN\users)
> >
> > Surprisingly, it seems that winbind_nss puts the group corresponding to
> > the gidNumber just after the "Domain Users" group in the "id" output.
> > But I'm not sure this behavior is reliable. So maybe Louis's tricks
> > can work ...
> >
> Hmm, so, I've tested a bit more, because if Rowland says something I pay extra attention ;-).
>
> I created a new user with ADUC. Note, I use Win7, so I have the Unix tab. ;-)
>
> - clean Windows AD user.
> id testuser
> uid=3000338(BAZRTD\testuser) gid=10000(BAZRTD\domain users) groups=10000(BAZRTD\domain users),3000338(BAZRTD\testuser),3000009(BUILTIN\users)
>
> net cache flush
>
> - Assigned a UID + primary group, shell. ( testing primary group : testgroup )
> id testuser
> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000009(BUILTIN\users)
> -> no primary group/GID as I set.
>
> net cache flush
>
> - Going to tab: Member of group.
> Added group testgroup
> Selected it, and clicked on "Set Primary Group"
> id testuser
> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
> -> no primary group/GID as I set.
>
> - going back to the Unix tab
> Now here, I also selected the "primary Group", but now same as above. ( testgroup )
> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
> and again, no primary group.
>
> So my conclusion.
> Viewpoint, from the Linux CLI.
> The viewpoint from the Windows GUI might differ, I did not test that.
>
> It's always:
> UID GID PRIMARY_GROUP_GID with the output of 'id', as far as I notice with these checks.
>
> !! DC !!
> On the DC, a primary group is not respected as it should be.
> And the primary group is always "domain users"
>
> !! MEMBER !!
> On the members, keeping the settings as they were, and working back to no uid/gid
>
> id testuser
> uid=10128(testuser) gid=10011(testgroup) groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
> Correct
>
> - going back to the Unix tab, selected "domain users"
> id testuser
> uid=10128(testuser) gid=10000(domain users) groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
> # unix primary is set to "domain users" and the Windows primary group is set to testgroup.
>
> Switching UNIX primary group and Windows primary group.
> # unix primary is set to testgroup and the Windows primary group is set to "domain users"
> id testuser
> uid=10128(testuser) gid=10011(testgroup) groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
> Correct
>
> All set to "domain users"
> id testuser
> uid=10128(testuser) gid=10000(domain users) groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
> Correct
>
> Remove the Unix attributes
> id testuser
> id: 'testuser': no such user
>
> I hope it can help you.
>
> Greetz,
>
> Louis
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Thank you very much Louis for your help !!!

You have got exactly the same conclusion as me. On the DC it's not
possible to make winbind return the gid I want. And on members
everything is coherent. (Note that the group corresponding to the gid on
the DC seems to always be the first group displayed after Domain Users.)

And these uid/gid are used by the NFSv4 server to manage files. So if
my NFSv4 server is on a DC:
-> When on the member my testuser (uid=testuser, gid=teachers) creates
a file on the NFSv4 share
-> The DC translates the user uid/gid and creates a file owned by
"testuser:domain users"
-> If I check the file uid/gid from the member I see "uid=testuser, gid=domain users"

So the "problem" is that, with the NFSv4 server on a DC, when my users
create files with uid=A/gid=B, the file is created with
uid=A,gid=Domain Users.

For years I have found this limitation on serving files from a DC problematic.
How do you design your network, Louis, to get a member file server?
-> You use virtualization?
-> You use LXC?
-> You use two physical servers?

How do people do it in general here? Is there some tutorial about LXC setup for
samba around here? I have only one physical server....

@Louis :
It seems that you and I are both working on network design for
schools/enterprises, no? If you are interested, I am trying to publish my work
now:
https://github.com/prunkdump/sclustered

Maybe we can work together or exchange some parts of our design. If
you have a virtual machine emulator you can get my setup running in
less than 30 minutes (I use puppet for configuration). If you want
some info contact me by email.

Regards,

Baptiste.
Rowland penny
2019-Aug-21 08:32 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On 21/08/2019 09:04, Prunk Dump via samba wrote:
> Thank you very much Louis for your help !!!
>
> You have got exactly the same conclusion as me. On the DC it's not
> possible to make winbind return the gid I want. And on members
> everything is coherent. (Note that the group corresponding to the gid on
> the DC seems to always be the first group displayed after Domain Users.)
>
> And these uid/gid are used by the NFSv4 server to manage files. So if
> my NFSv4 server is on a DC:
> -> When on the member my testuser (uid=testuser, gid=teachers) creates
> a file on the NFSv4 share
> -> The DC translates the user uid/gid and creates a file owned by
> "testuser:domain users"
> -> If I check the file uid/gid from the member I see "uid=testuser, gid=domain users"
>
> So the "problem" is that, with the NFSv4 server on a DC, when my users
> create files with uid=A/gid=B, the file is created with
> uid=A,gid=Domain Users.
>
> For years I have found this limitation on serving files from a DC problematic.
> How do you design your network, Louis, to get a member file server?
> -> You use virtualization?
> -> You use LXC?
> -> You use two physical servers?
>
> How do people do it in general here? Is there some tutorial about LXC setup for
> samba around here? I have only one physical server....
>
> @Louis :
> It seems that you and I are both working on network design for
> schools/enterprises, no? If you are interested, I am trying to publish my work
> now:
> https://github.com/prunkdump/sclustered
>
> Maybe we can work together or exchange some parts of our design. If
> you have a virtual machine emulator you can get my setup running in
> less than 30 minutes (I use puppet for configuration). If you want
> some info contact me by email.
>
> Regards,
>
> Baptiste.

Hi Baptiste, I have had a look at your github page and it looks promising ;-)

I had a more in-depth look at 's4useradd' and where you have:

  # create the user #
  samba-tool user create $userName --userou=$userClassDN --random-password \
  ..................................... ............................... .................
  # set passwd #
  samba-tool user setpassword $userName --newpassword=$userPasswd

This would work just as well:

  # create the user #
  samba-tool user create $userName $userPasswd --userou=$userClassDN \
  ..................................... ............................... .................

Just one call to samba-tool ;-)

Also, do you really want all your users' passwords to never expire?

Rowland
Rowland penny
2019-Aug-21 12:33 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On 21/08/2019 09:04, Prunk Dump via samba wrote:
> Thank you very much Louis for your help !!!
>
> You have got exactly the same conclusion as me. On the DC it's not
> possible to make winbind return the gid I want. And on members
> everything is coherent. (Note that the group corresponding to the gid on
> the DC seems to always be the first group displayed after Domain Users.)
>
> And these uid/gid are used by the NFSv4 server to manage files. So if
> my NFSv4 server is on a DC:
> -> When on the member my testuser (uid=testuser, gid=teachers) creates
> a file on the NFSv4 share
> -> The DC translates the user uid/gid and creates a file owned by
> "testuser:domain users"
> -> If I check the file uid/gid from the member I see "uid=testuser, gid=domain users"
>
> So the "problem" is that, with the NFSv4 server on a DC, when my users
> create files with uid=A/gid=B, the file is created with
> uid=A,gid=Domain Users.
>
> For years I have found this limitation on serving files from a DC problematic.
> How do you design your network, Louis, to get a member file server?
> -> You use virtualization?
> -> You use LXC?
> -> You use two physical servers?
>
> How do people do it in general here? Is there some tutorial about LXC setup for
> samba around here? I have only one physical server....
>
> @Louis :
> It seems that you and I are both working on network design for
> schools/enterprises, no? If you are interested, I am trying to publish my work
> now:
> https://github.com/prunkdump/sclustered
>
> Maybe we can work together or exchange some parts of our design. If
> you have a virtual machine emulator you can get my setup running in
> less than 30 minutes (I use puppet for configuration). If you want
> some info contact me by email.
>
> Regards,
>
> Baptiste.

Hi Baptiste, whilst eating my dinner, I was browsing scluster again
(really think that's a bad name, but it is your project ;-) ) and I
found this in samba_conf.sh.erb:

  # add gid attribute to Domain Users #
  echo "\
  dn: CN=Domain Users,CN=Users,<%= @base_dn %>
  changetype: modify
  add:objectclass
  objectclass: posixGroup
  -
  add: gidnumber
  gidnumber: 100
  " > /tmp/Domain_Users.ldif

My first thoughts were: NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO

Why are you doing this? You have just stopped the winbind 'ad' backend
working on a Unix domain member unless you set a stupidly low 'idmap
config DOMAIN' range start, and if you do set it low so that domain users
are shown, you will either overwrite a lot of the Unix system users and
groups, or your domain users will not be shown.

You also should not add the posixGroup objectclass, it isn't required.

Sorry to sound so negative :-(

Rowland
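The two checks this thread turns on, written out as an added example that is not part of the thread or of the sclustered project: first, comparing the gidNumber stored in AD with the gid that `id` actually reports on the DC versus on a domain member (Baptiste's observation that the DC always answers "domain users"); second, flagging uidNumber/gidNumber values such as the `gidnumber: 100` above that fall outside a member's 'idmap config DOMAIN : range', which is Rowland's objection. The DC `id` line for testteacher6 is the one quoted in the thread; the member-side `id` line, the LDIF records, the DC=fichlan,DC=lan base DN and the 10000-9999999 range are constructed assumptions.

```python
import re

# `id` output as quoted in the thread: uid=N(NAME) gid=N(NAME) groups=N(NAME),N(NAME),...
_ID_RE = re.compile(r"^uid=(\d+)\(([^)]*)\)\s+gid=(\d+)\(([^)]*)\)\s+groups=(.+)$")
_GROUP_RE = re.compile(r"(\d+)\(([^)]*)\)")


def parse_id_output(line):
    """Parse one line of `id` output (DC or member). 'gid' is the effective primary
    group, i.e. the value an NFSv4 server on that host stamps on new files."""
    m = _ID_RE.match(line.strip())
    if not m:
        raise ValueError("not an `id` line: %r" % line)
    return {"uid": int(m.group(1)), "user": m.group(2),
            "gid": int(m.group(3)), "group": m.group(4),
            "groups": {int(n): name for n, name in _GROUP_RE.findall(m.group(5))}}


def parse_ldif(text):
    """Parse blank-line separated LDIF records into dicts (attribute -> list of values).
    Attribute names are lowercased: LDAP attributes are case-insensitive, so the
    'gidnumber: 100' from the thread and 'gidNumber: 100' are the same attribute."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, sep, value = line.partition(":")
        if sep and not line.startswith("#"):   # skips comments and the '-' separator
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        records.append(cur)
    return records


def primary_gid_check(user_record, id_line):
    """Compare the gidNumber stored in AD with the gid `id` actually reports.
    Returns (expected_gid, effective_gid, effective_group_name, ok)."""
    expected = int(user_record["gidnumber"][0])
    out = parse_id_output(id_line)
    return expected, out["gid"], out["group"], expected == out["gid"]


def ids_outside_range(records, low, high):
    """List (dn, attribute, value) for every uidNumber/gidNumber outside the member's
    'idmap config DOMAIN : range = low-high'. With the winbind 'ad' backend such an
    object is simply not mapped on the member, which is the objection to gid 100."""
    bad = []
    for rec in records:
        dn = rec.get("dn", ["?"])[0]
        for attr in ("uidnumber", "gidnumber"):
            for value in rec.get(attr, []):
                if not low <= int(value) <= high:
                    bad.append((dn, attr, int(value)))
    return bad


# --- constructed sample data, not taken from a live domain. The DC line is the one
# quoted in the thread; the member line is the same user seen through the 'ad' backend.
DC_ID_LINE = r"uid=4000007(FICHLAN\testteacher6) gid=5200001(FICHLAN\domain users) groups=5200001(FICHLAN\domain users),5000002(FICHLAN\teachers),5000000(FICHLAN\s4users),3000009(BUILTIN\users)"
MEMBER_ID_LINE = r"uid=4000007(testteacher6) gid=5000002(teachers) groups=5000002(teachers),5200001(domain users),5000000(s4users),3000009(BUILTIN\users)"

# What ldbsearch would return for the user (attributes only; base DN is made up).
USER_LDIF = """\
dn: CN=testteacher6,OU=teachers,DC=fichlan,DC=lan
sAMAccountName: testteacher6
uidNumber: 4000007
gidNumber: 5000002
"""

# The modification quoted from samba_conf.sh.erb, with the base DN filled in.
DOMAIN_USERS_GID_100_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=fichlan,DC=lan
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: 100
"""

# Assumed member-side range; use whatever 'idmap config FICHLAN : range' really says.
IDMAP_LOW, IDMAP_HIGH = 10000, 9999999


def audit():
    """Run both checks over the sample data and return the findings."""
    teacher = parse_ldif(USER_LDIF)[0]
    return {
        "dc": primary_gid_check(teacher, DC_ID_LINE),          # gidNumber ignored on the DC
        "member": primary_gid_check(teacher, MEMBER_ID_LINE),  # gidNumber honoured on a member
        "out_of_range": ids_outside_range(parse_ldif(DOMAIN_USERS_GID_100_LDIF),
                                          IDMAP_LOW, IDMAP_HIGH),
    }
```

Against a real domain, feed `ids_outside_range` the output of `ldbsearch` (DC) or `samba-tool user show` for every user and group before changing a range, and run `primary_gid_check` on each host that serves NFSv4.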
Prunk Dump
2019-Aug-21 14:14 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On Wed, 21 Aug 2019 at 14:34, Rowland penny via samba <samba at lists.samba.org> wrote:
> Hi Baptiste, whilst eating my dinner, I was browsing scluster again
> (really think that's a bad name, but it is your project ;-) ) and I
> found this in samba_conf.sh.erb:
>
> # add gid attribute to Domain Users #
> echo "\
> dn: CN=Domain Users,CN=Users,<%= @base_dn %>
> changetype: modify
> add:objectclass
> objectclass: posixGroup
> -
> add: gidnumber
> gidnumber: 100
> " > /tmp/Domain_Users.ldif
>
> My first thoughts were: NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
>
> Why are you doing this? You have just stopped the winbind 'ad' backend
> working on a Unix domain member unless you set a stupidly low 'idmap
> config DOMAIN' range start, and if you do set it low so that domain users
> are shown, you will either overwrite a lot of the Unix system users and
> groups, or your domain users will not be shown.
>
> You also should not add the posixGroup objectclass, it isn't required.
>
> Sorry to sound so negative :-(
>
> Rowland

No problem Louis ! That's the interest of open source projects. Everyone can review the code and search for mistakes.

The gid=100 value for domain users is just an experiment. As there is no idmap range on the DC, this works on the DC. And as gid=100 resolves on members, this works on members too. But this is a bad idea, you're right. My now chosen value is 5100000 ( still not published as s4makeshareddir does not work anymore due to the gid problem on the DC ).

For the name of the project I will search if I can find better ;)

Don't hesitate to check the puppet "pp" files. You will see that they are self-explanatory. Puppet is a very good project. All my network configuration ( servers, clients, printers etc ...) is stored in just one file. All the shares configuration and users are stored in AD. So I have just one file and one database to back up to save all my network configuration.

I have recently deployed this design in a high school with 4 DCs and 550 clients in just two days, but with a file describing all the setup prepared before. Everything works with PXE and puppet ( except the Windows clients for installing the base system, I avoid Windows as much as possible ).

It's almost finished. I just have to solve this GID problem by adapting my shares' rights. I will work later to move the file server to a virtual machine or an LXC.