Prunk Dump
2019-Aug-21 14:14 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On Wed 21 Aug 2019 at 14:34, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 21/08/2019 09:04, Prunk Dump via samba wrote:
> > On Tue 20 Aug 2019 at 14:30, L.P.H. van Belle via samba
> > <samba at lists.samba.org> wrote:
> >> Hai,
> >>
> >>> In short. My network design previously worked with Debian Stretch
> >>> servers and clients and some Windows clients (not many).
> >>>
> >>> Debian Stretch uses Samba 4.5.16 so there is no unix_primary_group
> >>> option for the clients. So I had to use the "dirty" tweak of
> >>> modifying all my users' "primaryGroupID" to the corresponding
> >>> "gidNumber". Everything works well with my NFSv4 shares and Samba
> >>> shares. I did not notice anything wrong on either Linux or Windows
> >>> clients.
> >> Uhm, samba-tool does have the option to add uid/gids.
> >>
> >> I can recall our conversation years ago for jessie with nfsv4.
> >> These days setting up nfsv4 is easy.
> >> I these days have NFSv4 with sys,krb5,krb5i,krb5p working
> >> *example, ssh SSO logins and automounted krb5p and protected homedirs,
> >> which even root can not enter.
> >> I'll work this out in the howtos I'm updating/writing atm for Debian
> >> Buster.
> >> This might take some time, because it will be the full setup of how I'm
> >> running things.
> >> .. I might speed up a bit because I noticed the samba wiki is really
> >> improved a lot,
> >> so I might "borrow" some parts ;-).
> >>
> >> It might help, if you can explain exactly how your nfsv4 is set up now.
> >>
> >>> Now my network design will be upgraded to Debian Buster. I was happy
> >>> to see the appearance of the "unix_primary_group" option. I thought at
> >>> first that this would help me avoid the dirty trick.
> >>>
> >> I still don't understand what you're exactly doing and what was not
> >> working..
> >> (sorry)
> >>
> >>> But on the Buster Samba DC this option does not exist and, moreover, now
> >>> the Samba DC refuses to check the "primaryGroupID" value. My dirty trick
> >>> does not work anymore. So I need to convert all my scripts to obtain
> >>> the gidNumber.
> >>>
> >>> Here is what id gives on the DC :
> >>> # id testteacher6
> >>> uid=4000007(FICHLAN\testteacher6) gid=5200001(FICHLAN\domain users) groups=5200001(FICHLAN\domain users),5000002(FICHLAN\teachers),5000000(FICHLAN\s4users),3000009(BUILTIN\users)
> >>>
> >>> Surprisingly it seems that winbind_nss puts the group corresponding to
> >>> the gidNumber just after the "Domain Users" group in the "id" output.
> >>> But I'm not sure this behavior is reliable. So maybe Louis's tricks
> >>> can work ...
> >>>
> >> Hmm, so, I've tested a bit more, because if Rowland says something I
> >> pay extra attention ;-).
> >>
> >> I created a new user with ADUC. Note, I use Win7, so I have the Unix
> >> tab. ;-)
> >>
> >> - clean windows AD user.
> >> id testuser
> >> uid=3000338(BAZRTD\testuser) gid=10000(BAZRTD\domain users) groups=10000(BAZRTD\domain users),3000338(BAZRTD\testuser),3000009(BUILTIN\users)
> >>
> >> net cache flush
> >>
> >> - Assigned a UID + Primary Group, shell. ( testing Primary group :
> >> testgroup )
> >> id testuser
> >> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),3000009(BUILTIN\users)
> >> no primary group/GID as I did set.
> >>
> >> net cache flush
> >>
> >> - Going to Tab : Member of group.
> >> Added group testgroup
> >> Selected it, and clicked on "Set Primary Group"
> >> id testuser
> >> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
> >> no primary group/GID as I did set.
> >>
> >> - going back to unix tab
> >> Now here, I also selected the "primary Group", but now same as above. (
> >> testgroup )
> >> uid=10128(NTDOM\testuser) gid=10000(NTDOM\domain users) groups=10000(NTDOM\domain users),10011(NTDOM\testgroup),3000009(BUILTIN\users)
> >> and again, no primary group.
> >>
> >> So my conclusion.
> >> View point, from Linux CLI.
> >> The view point from windows GUI might differ, I did not test that.
> >>
> >>
> >> It's always :
> >> UID GID PRIMARY_GROUP_GID with the output of 'id' as far as I notice with
> >> these checks.
> >>
> >> !! DC !!
> >> On the DC, a primary group is not respected as it should be.
> >> And primary group is always "domain users"
> >>
> >>
> >> !! MEMBER !!
> >> On the members, keeping the settings as they were, and working back to no
> >> uid/gid
> >>
> >> id testuser
> >> uid=10128(testuser) gid=10011(testgroup) groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
> >> Correct
> >>
> >> - going back to unix tab, selected "domain users"
> >> id testuser
> >> uid=10128(testuser) gid=10000(domain users) groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
> >> # unix primary is set to "domain users" and the Windows primary group
> >> is set to testgroup.
> >>
> >>
> >> Switching UNIX primary group and windows primary group.
> >> # unix primary is set to testgroup and the Windows primary group is set
> >> to "domain users"
> >> id testuser
> >> uid=10128(testuser) gid=10011(testgroup) groups=10011(testgroup),10000(domain users),2001(BUILTIN\users)
> >> Correct
> >>
> >> All set to "domain users"
> >> id testuser
> >> uid=10128(testuser) gid=10000(domain users) groups=10000(domain users),10011(testgroup),2001(BUILTIN\users)
> >> Correct
> >>
> >> Remove the Unix attributes
> >> id testuser
> >> id: 'testuser': no such user
> >>
> >> I hope it can help you.
> >>
> >>
> >>
> >> Greetz,
> >>
> >> Louis
> >>
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> > Thank you very much Louis for your help !!!
> >
> > You have got exactly the same conclusion as me. On the DC it's not
> > possible to make winbind return the gid I want. And on members
> > everything is coherent. (Note that the group corresponding to the gid on
> > the DC seems to be always the first group displayed after Domain Users).
> >
> > And these uid/gid are used by the nfsv4 server to manage files. So if
> > my nfsv4 server is on a DC :
> > -> When on the member my testuser (uid=testuser, gid=teachers) creates
> > a file on the nfsv4 share
> > -> The DC translates the user uid/gid and creates a file owned by
> > "testuser:domain users"
> > -> If I check the file uid/gid from the member I see "uid=testuser,
> > gid=domain user"
> >
> > So the "problem" is that, with the nfsv4 server on the DC, when my users
> > create files with uid=A/gid=B, the file is created with
> > uid=A,gid=Domain Users.
> >
> > For years I have found this limitation about serving files on a DC problematic.
> > How do you design your network, Louis, to get a member file server ?
> > -> You use virtualization ?
> > -> You use LXC ?
> > -> You use two physical servers ?
> >
> > How do OPs do it in general here ? Is there some tutorial about LXC setup for
> > samba around here ? I have only one physical server....
> >
> > @Louis :
> > It seems that you and I are both working on network design for
> > school/enterprise, no ? If you are interested, I am trying to publish my work
> > now :
> > https://github.com/prunkdump/sclustered
> >
> > Maybe we can work together or exchange some parts of our design. If
> > you have a virtual machine emulator you can get my setup running in
> > less than 30 minutes (I use puppet for configuration). If you want
> > some info contact me by email.
> >
> > Regards,
> >
> > Baptiste.
> >
> Hi Baptiste, whilst eating my dinner, I was browsing scluster again
> (really think that's a bad name, but it is your project ;-) ) and I
> found this in samba_conf.sh.erb:
>
> # add gid attribute to Domain Users #
> echo "\
> dn: CN=Domain Users,CN=Users,<%= @base_dn %>
> changetype: modify
> add:objectclass
> objectclass: posixGroup
> -
> add: gidnumber
> gidnumber: 100
> " > /tmp/Domain_Users.ldif
>
> My first thoughts were: NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO
>
> Why are you doing this ? You have just stopped the winbind 'ad' backend
> working on a Unix domain member unless you set a stupidly low 'idmap
> config DOMAIN' range start and if you do set it low so that domain users
> are shown, you will either overwrite a lot of the Unix system users and
> groups, or your domain users will not be shown.
>
> You also should not add the posixGroup objectclass, it isn't required.
>
> Sorry to sound so negative :-(
>
> Rowland

No problem Louis !

That's the interest of open source projects. Everyone can review the code
and search for mistakes.

The gid=100 value for domain users is just an experiment. As there is no
idmap range on the DC this works on the DC. And as gid=100 resolves on members this
works on members too.

But this is a bad idea, you're right. My now chosen value is 5100000 ( still
not published as s4makeshareddir does not work anymore due to the gid
problem on the DC )

For the name of the project I will search if I can find better ;)

Don't hesitate to check the puppet « pp » files. You will see that they
are self explanatory. Puppet is a very good project. All my network
configuration ( server, clients, printers etc ...) is stored in just one
file. All the shares configuration and users are stored in AD. So I have
just one file and one database to back up to save all my network
configuration.

I have recently deployed this design in a high school with 4 DCs and 550
clients in just two days, but with a file describing all the setup prepared
beforehand. Everything works with PXE and puppet ( except the windows clients
for installing the base system, I avoid windows as much as possible ).

It's almost finished. I just have to solve this GID problem by adapting my
shares' rights. I will work later on moving the file server to a virtual machine or an LXC.
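Rowland's objection above has two mechanical halves: the winbind 'ad' backend on a domain member ignores any uidNumber/gidNumber outside 'idmap config DOMAIN : range', and lowering that range far enough to expose a gidNumber of 100 makes it overlap the local system accounts. The script below checks both against a configuration; it is an added example written for this page, not code from the thread or from the sclustered project. The smb.conf fragment, the AD objects, the /etc/group lines and the domain name SAMDOM are all constructed.

```python
"""Audit AD rfc2307 ids against a member's winbind 'ad' idmap range and
against local system accounts.  Added example; all inputs are constructed."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment for a Unix domain member using the 'ad' backend.
SMB_CONF = """
[global]
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999
"""

# The same member with the range start lowered to 100 so that a gidNumber
# of 100 becomes visible (the option Rowland warns against).
SMB_CONF_LOW = SMB_CONF.replace("range = 10000-999999", "range = 100-999999")

# Constructed AD objects: (name, kind, uidNumber or gidNumber, None if unset).
# 'Domain Users' carries the gidNumber 100 experiment from the thread.
AD_OBJECTS: List[Tuple[str, str, Optional[int]]] = [
    ("Domain Users", "group", 100),
    ("teachers", "group", 10002),
    ("s4users", "group", 10000),
    ("testteacher6", "user", 40007),
    ("nouid", "user", None),
]

# Constructed /etc/group lines; 'users' being gid 100 is the Debian default.
# The same parser works on /etc/passwd for uidNumber checks.
ETC_GROUP = """root:x:0:
staff:x:50:
users:x:100:
nogroup:x:65534:
"""

RANGE_RE = re.compile(r"idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)


def parse_idmap_ranges(conf: str) -> Dict[str, Tuple[int, int]]:
    """Return {DOMAIN: (low, high)} for every 'idmap config X : range' line."""
    return {m.group(1).upper(): (int(m.group(2)), int(m.group(3)))
            for m in RANGE_RE.finditer(conf)}


def parse_local_ids(passwd_or_group: str) -> Dict[int, str]:
    """Map numeric id -> name from /etc/passwd or /etc/group style lines."""
    ids: Dict[int, str] = {}
    for line in passwd_or_group.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            ids[int(fields[2])] = fields[0]
    return ids


def audit(domain: str, conf: str, objects, local_ids: Dict[int, str]) -> Dict[str, str]:
    """Classify each AD object as the 'ad' backend on a member would treat it:
    no number -> not resolved; number outside the range -> hidden;
    number already used locally -> the AD object aliases a system account."""
    low, high = parse_idmap_ranges(conf)[domain.upper()]
    verdicts: Dict[str, str] = {}
    for name, kind, number in objects:
        attr = "uidNumber" if kind == "user" else "gidNumber"
        if number is None:
            verdicts[name] = f"unresolvable: no rfc2307 {attr}"
        elif not low <= number <= high:
            verdicts[name] = f"hidden: {number} outside idmap range {low}-{high}"
        elif number in local_ids:
            verdicts[name] = f"collision: {number} is local account '{local_ids[number]}'"
        else:
            verdicts[name] = "ok"
    return verdicts


def local_overlap(low: int, high: int, local_ids: Dict[int, str]) -> Dict[int, str]:
    """Local accounts whose id lies inside a proposed idmap range."""
    return {i: n for i, n in sorted(local_ids.items()) if low <= i <= high}


def minimum_range_start(objects) -> Optional[int]:
    """Lowest range start that would expose every object carrying a number."""
    numbers = [n for _, _, n in objects if n is not None]
    return min(numbers) if numbers else None


if __name__ == "__main__":
    local = parse_local_ids(ETC_GROUP)
    for name, verdict in audit("SAMDOM", SMB_CONF, AD_OBJECTS, local).items():
        print(f"{name:15} {verdict}")
    start = minimum_range_start(AD_OBJECTS)
    print(f"range start needed to show everything: {start}")
    print("local accounts that range would swallow:", local_overlap(start, 999999, local))
```

With the constructed data the first audit hides Domain Users, and lowering the range start to 100 turns that into a collision with the local 'users' group, which is exactly the trade-off Rowland describes.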
Rowland penny
2019-Aug-21 15:04 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On 21/08/2019 15:14, Prunk Dump via samba wrote:
> It's almost finished. I just have to solve this GID problem by adapting my
> shares' rights.

OK, I will say this slowly and very loud:

USE NSLCD ON THE DC!

root at dc4:~# getent passwd rowland
SAMDOM\rowland:*:10000:10000::/home/SAMDOM/users/rowland:/bin/bash

root at dc8:~# getent passwd rowland
rowland:*:10000:10010:Rowland Penny:/home/rowland:/bin/bash

The first is using the primaryGroupID, the second the user's gidNumber.

Rowland
Prunk Dump
2019-Aug-22 07:25 UTC
[Samba] winbind on DC : how use gidNumber instead of primaryGroupID as user's primary group
On Wed 21 Aug 2019 at 17:04, Rowland penny via samba <samba at lists.samba.org> wrote:
> OK, I will say this slowly and very loud:
>
> USE NSLCD ON THE DC!
>
> root at dc4:~# getent passwd rowland
> SAMDOM\rowland:*:10000:10000::/home/SAMDOM/users/rowland:/bin/bash
>
> root at dc8:~# getent passwd rowland
> rowland:*:10000:10010:Rowland Penny:/home/rowland:/bin/bash
>
> The first is using the primaryGroupID, the second the user's gidNumber.
>
> Rowland

Thank you very much Rowland ! I will give nslcd a try. But this will make me use a totally new service. I need to make all the tests needed before deploying it. For example it will not resolve my computer accounts, where I don't assign uid/gid numbers. I let samba do it for me with local IDs. May be problematic ( or not ).

Thanks !

Baptiste.