hello,
is there a way to map usergroups via winbind?
I need 'getent passwd':
testuser:x:7072:513::/home/users/testuser:/bin/bash
but I get:
testuser:x:7072:30000::/home/users/testuser:/bin/bash
gidNumber is set to 513 in samba-ldap.
cat /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
cat /etc/samba/smb.conf
[global]
security = ADS
workgroup = SAMDOM
realm = SAMDOM.EXAMPLE.COM
log file = /var/log/samba/%m.log
log level = 1
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
winbind use default domain = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use an read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 1000-2000
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 2001-999999
idmap config SAMDOM:unix_nss_info = yes
template homedir = /home/users/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
winbind use default domain = yes
restrict anonymous = 2
# fix dfs error's in log ?
host msdfs = no
On 23/07/2020 14:07, basti via samba wrote:
> hello,
> is there a way to map usergroups via winbind?
>
> I need 'getent passwd':
> testuser:x:7072:513::/home/users/testuser:/bin/bash
>
> but I get:
> testuser:x:7072:30000::/home/users/testuser:/bin/bash
>
> gidNumber is set to 513 in samba-ldap.
>
> cat /etc/samba/smb.conf
> [global]
> # Default ID mapping configuration for local BUILTIN accounts
> # and groups on a domain member. The default (*) domain:
> # - must not overlap with any domain ID mapping configuration!
> # - must use an read-write-enabled back end, such as tdb.
> idmap config * : backend = tdb
> idmap config * : range = 1000-2000
>
> # idmap config for the SAMDOM domain
> idmap config SAMDOM:backend = ad
> idmap config SAMDOM:schema_mode = rfc2307
> idmap config SAMDOM:range = 2001-999999
> idmap config SAMDOM:unix_nss_info = yes

You are never going to get '513' to show as the user's primary group ID, because it is less than the lower DOMAIN range you have set in smb.conf. Any uidNumber or gidNumber attributes containing a number less than '2001' will be ignored. I am still trying to understand where the '30000' came from?

Rowland
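The range check described in the reply above, as an added example that is not part of the thread and is not Samba's own code: it parses the `idmap config ... range` lines from the posted smb.conf and tests the IDs mentioned in the thread against them. The function names are hypothetical, and the rule that an ID outside the domain range is ignored is taken from the reply.

```python
import re

# Constructed sample: the idmap lines from the smb.conf posted in this thread.
SMB_CONF = """
[global]
# idmap config for the default domain
idmap config * : backend = tdb
idmap config * : range = 1000-2000
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 2001-999999
"""

RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(?P<dom>[^:\s]+)\s*:\s*range\s*=\s*"
    r"(?P<lo>\d+)\s*-\s*(?P<hi>\d+)\s*$",
    re.IGNORECASE,
)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("#", ";")):
            continue  # skip smb.conf comments
        m = RANGE_RE.match(line)
        if m:
            ranges[m["dom"].upper()] = (int(m["lo"]), int(m["hi"]))
    return ranges

def overlapping_domains(ranges):
    """Pairs of domains whose ranges overlap (the '*' range must not overlap)."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def id_in_domain_range(ranges, domain, unix_id):
    """True if a uidNumber/gidNumber lies inside the domain's configured range."""
    lo, hi = ranges[domain.upper()]
    return lo <= unix_id <= hi

if __name__ == "__main__":
    ranges = parse_idmap_ranges(SMB_CONF)
    print("overlaps:", overlapping_domains(ranges))
    for unix_id in (513, 7072, 30000):  # IDs mentioned in the thread
        ok = id_in_domain_range(ranges, "SAMDOM", unix_id)
        print(unix_id, "in range" if ok else "outside range, ignored")
```
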
On 23.07.20 15:23, Rowland penny via samba wrote:
> On 23/07/2020 14:07, basti via samba wrote:
>> hello,
>> is there a way to map usergroups via winbind?
>>
>> I need 'getent passwd':
>> testuser:x:7072:513::/home/users/testuser:/bin/bash
>>
>> but I get:
>> testuser:x:7072:30000::/home/users/testuser:/bin/bash
>>
>> gidNumber is set to 513 in samba-ldap.
>>
>> cat /etc/samba/smb.conf
>> [global]
>> # Default ID mapping configuration for local BUILTIN accounts
>> # and groups on a domain member. The default (*) domain:
>> # - must not overlap with any domain ID mapping configuration!
>> # - must use an read-write-enabled back end, such as tdb.
>> idmap config * : backend = tdb
>> idmap config * : range = 1000-2000
>>
>> # idmap config for the SAMDOM domain
>> idmap config SAMDOM:backend = ad
>> idmap config SAMDOM:schema_mode = rfc2307
>> idmap config SAMDOM:range = 2001-999999
>> idmap config SAMDOM:unix_nss_info = yes
>
> You are never going to get '513' to show as the users primary group ID,
> because it is less than the lower DOMAIN range you have set in smb.conf.
> Any uidNumber or gidNumber attributes containing a number less than
> '2001' will be ignored, I am still trying to understand where the
> '30000' came from ?
>
> Rowland

Ah OK, I understand.

dn: CN=Users,CN=Builtin,DC=samdom,DC=example,DC=com
gidNumber: 30000

in my samba ldap.
What's your gidNumber of that dn?