Displaying 20 results from an estimated 34 matches for "primarygroup".

2015 Jan 13
2
Is there any problem that can arise from remapping gidNumber?
...ewis wrote: >> On 01/13/2015 09:23 AM, Rowland Penny wrote: >>> On 13/01/15 14:06, John Lewis wrote: >>>> On 01/13/2015 06:35 AM, Rowland Penny wrote: >>>>> On 13/01/15 11:33, John Lewis wrote: >>>>>> This morning I remapped gidNumber from primaryGroupID to gidNumber. I >>>>>> did that because I could not change the integer in primaryGroupID with >>>>>> ldbedit as root. >>>>>> >>>>>> I mapped to a new attribute called gidNumber which has no specific >>>>>>...
2014 Aug 12
1
Samba4 and idmap_ad
...hing went fine: installing the samba packages, getting Kerberos running, and joining the AD. But when I use id or wbinfo now to get user information I get lots of groups which cannot be mapped to a GID and thus are displayed as -1 or 4294967295: id DOMAIN\\USER uid=3611(DOMAIN\\USER) gid=3000(DOMAIN\\PRIMARYGROUP) groups=3000(DOMAIN\\PRIMARYGROUP),3001(DOMAIN\\OTHERGROUP),4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,4294967295,2(daemon) wbinfo -r DOMAIN\\USER 3000 3001 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 2 On another...
2015 Jan 13
2
Is there any problem that can arise from remapping gidNumber?
On 01/13/2015 09:23 AM, Rowland Penny wrote: > On 13/01/15 14:06, John Lewis wrote: >> On 01/13/2015 06:35 AM, Rowland Penny wrote: >>> On 13/01/15 11:33, John Lewis wrote: >>>> This morning I remapped gidNumber from primaryGroupID to gidNumber. I >>>> did that because I could not change the integer in primaryGroupID with >>>> ldbedit as root. >>>> >>>> I mapped to a new attribute called gidNumber which has no specific >>>> meaning in samba. Is there any potential...
2009 May 26
3
Permissions and security
...etting up the system permissions to be secure. Here is my basic setup. 2 groups: users and staff /home/user should have the permissions user:users rwx------ /mnt/staff should have the permissions user:staff rwxrwx--- For the last one users shouldn't have access. I test with fx.: user=staffuser, primarygroup: users, member of group: staff If I set up the permissions to the above suggested I can create files but can't change them. So it seems I have the right permissions to create files but afterwards I don't. The files are created with the right permissions, username and group: staffuser:staff....
2015 Jun 30
2
Several questions about winbind[d]
...e winbind in nsswitch.conf and pam.d/* on DC to be able to check ACLs on sysvol folder but the fact using winbind all users have "Domain users" as primary group seems to me an issue to agree with that solution... As far as I understand wbinfo fills user's primary group according to "primaryGroup" value. Is there a way to configure winbind to fill user's primary group using "gidNumber" rather than "primaryGroup"? Cheers, mathias 2015-06-29 11:18 GMT+02:00 Andrew Bartlett <abartlet at samba.org>: > On Thu, 2015-06-25 at 16:27 +0200, mathias dufresn...
2018 Mar 27
0
10 minutes between primary group change and effect on Fedora 27
...ing > winbind 4.7.6 as jefftest and run id. > It still shows the old group. > So I log out as jefftest and in as root and run I think you are mixing up group membership and the user's primary group, when you run 'getent group username' what is returned is the username and the user's primarygroup e.g. getent passwd rowland Returns: rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash The first number is the user's uidNumber, the second is the gidNumber of the user's primarygroup, in this case Domain Users. All users, by default, get the gidNumber of Domain Users, if you want the use...
2015 Jun 30
2
Several questions about winbind[d]
...uot; as >> primary group seems to me an issue to agree with that solution... >> > > This is yet another reason not to use a DC as a fileserver. The 'Domain > users' problem can be fixed, but it can cause more problems than what it > fixes, because to change the user's primaryGroupID attribute means removing > the user from the 'Domain Users' group and Windows expects all users to be > a member of 'Domain Users'. > > As far as I understand wbinfo fills user's primary group according to >> "primaryGroup" value. >> >> Is...
2018 Mar 27
2
10 minutes between primary group change and effect on Fedora 27
...efftest and run id. >> It still shows the old group. >> So I log out as jefftest and in as root and run > > I think you are mixing up group membership and the user's primary group, > when you run 'getent group username' what is returned is the username > and the user's primarygroup > e.g. getent passwd rowland > > Returns: > rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash > > The first number is the user's uidNumber, the second is the gidNumber of > the user's primarygroup, in this case Domain Users. > > All users, by default, get the gidN...
2015 Jan 13
0
Is there any problem that can arise from remapping gidNumber?
.../01/15 15:11, John Lewis wrote: > On 01/13/2015 09:23 AM, Rowland Penny wrote: >> On 13/01/15 14:06, John Lewis wrote: >>> On 01/13/2015 06:35 AM, Rowland Penny wrote: >>>> On 13/01/15 11:33, John Lewis wrote: >>>>> This morning I remapped gidNumber from primaryGroupID to gidNumber. I >>>>> did that because I could not change the integer in primaryGroupID with >>>>> ldbedit as root. >>>>> >>>>> I mapped to a new attribute called gidNumber which has no specific >>>>> meaning in samba. Is...
2015 Jan 13
0
Is there any problem that can arise from remapping gidNumber?
...> On 01/13/2015 09:23 AM, Rowland Penny wrote: >>>> On 13/01/15 14:06, John Lewis wrote: >>>>> On 01/13/2015 06:35 AM, Rowland Penny wrote: >>>>>> On 13/01/15 11:33, John Lewis wrote: >>>>>>> This morning I remapped gidNumber from primaryGroupID to gidNumber. I >>>>>>> did that because I could not change the integer in primaryGroupID with >>>>>>> ldbedit as root. >>>>>>> >>>>>>> I mapped to a new attribute called gidNumber which has no specific >>&...
2003 Apr 23
1
Insecure smbpasswd with ldap ??
hi there I have recently moved all users to LDAP and incorporated the Samba schema I have allocated servers read only access to the data except for what is required ie lmpass ... ntpass .. what disturbs me is that smbpasswd demands write access to uid,rid,primarygroup,cn,displayname I would rather it did not do this I fully understand why samba requires write access to other attr's in fact in my config these are read only except for servers ... I'm going to be hacking away at the code to change this and was hoping someone out there would agree in the logic...
2018 Mar 27
6
10 minutes between primary group change and effect on Fedora 27
My smb.conf looks like so.

[global]
security = ads
realm = MIND.UNM.EDU
workgroup = MIND
idmap config * : backend = tdb
idmap config * : range = 2000-7999
idmap config MIND:backend = ad
idmap config MIND:schema_mode = rfc2307
idmap config MIND:range = 8000-9999999
idmap config MIND:unix_nss_info = yes
winbind use default domain = yes
restrict anonymous = 2

I have
2015 Jun 30
1
Several questions about winbind[d]
...et same objectSid (except removing deleted objects perhaps or changing "searchFlags" to really delete them when using ldbdel). This implies a deleted then recreated user can't be the same user, all file rights and ACLs set using this account must be rebuilt. Using objectSid as uid and primaryGroup as gid means this rights and ACLs issue would happen on both worlds (UNIX and Windows)... Anyway, there is a workaround (SSSD for clients, a non-DC member server with SSSD to check ACLs, etc...), there is a lot of more urgent stuff to do, not a real issue :) 2015-06-30 14:00 GMT+02:00 Rowland Penny...
2015 Jun 30
0
Several questions about winbind[d]
...sers have "Domain users" as > primary group seems to me an issue to agree with that solution... This is yet another reason not to use a DC as a fileserver. The 'Domain users' problem can be fixed, but it can cause more problems than what it fixes, because to change the user's primaryGroupID attribute means removing the user from the 'Domain Users' group and Windows expects all users to be a member of 'Domain Users'. > As far as I understand wbinfo fills user's primary group according to > "primaryGroup" value. > > Is there a way to configure...
2018 Dec 17
2
Share Printer via GPO per User
...user's security context (user policy option) Yes Remove this item when it is no longer applied No Apply once and do not reapply No Item-level targeting: Security GroupAttribute Value bool AND not 0 name SAMDOM\Domain Users sid S-1-5-21-3008661040-3046359653-1299078886-513 userContext 1 primaryGroup 0 localGroup 0 Best Regards, P.S. use "Domain Users" just for testing
2015 Apr 06
4
Samba as AD member can not validate domain user
...ers starting from 10000, ldbsearch gives: dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv objectSid: S-1-5-21-216404829-505555237-127066545-513 gidNumber: 10000 > If you use the 'ad' backend, then giving your users a 'uidNumber' is > not enough, you must give their primarygroup (Domain Users) a > 'gidNumber' attribute. all of the AD users are members of the Domain Users group now. Now on DC getent passwd gives just list of local users; getent passwd INTERNAL\\username gives domain user info with uid/gid 100xx:10000 still no changes on fileserver, getent...
2015 Jun 30
0
Several questions about winbind[d]
...;> primary group seems to me an issue to agree with that solution... >>> >> This is yet another reason not to use a DC as a fileserver. The 'Domain >> users' problem can be fixed, but it can cause more problems than what it >> fixes, because to change the user's primaryGroupID attribute means removing >> the user from the 'Domain Users' group and Windows expects all users to be >> a member of 'Domain Users'. >> >> As far as I understand wbinfo fills user's primary group according to >>> "primaryGroup" value....
2015 Apr 07
2
Samba as AD member can not validate domain user
...dn: CN=Domain Users,CN=Users,DC=internal,DC=domain,DC=lv >> objectSid: S-1-5-21-216404829-505555237-127066545-513 >> gidNumber: 10000 >> >>> If you use the 'ad' backend, then giving your users a 'uidNumber' >>> is not enough, you must give their primarygroup (Domain Users) a >>> 'gidNumber' attribute. > >> all of the AD users are members of the Domain Users group now. > > what do you mean 'all of the AD users are members of the Domain > Users group now.' ?? > > I hope you haven't changed the user...
2015 Jan 13
2
Is there any problem that can arise from remapping gidNumber?
...15 09:23 AM, Rowland Penny wrote: >>>>> On 13/01/15 14:06, John Lewis wrote: >>>>>> On 01/13/2015 06:35 AM, Rowland Penny wrote: >>>>>>> On 13/01/15 11:33, John Lewis wrote: >>>>>>>> This morning I remapped gidNumber from primaryGroupID to gidNumber. I >>>>>>>> did that because I could not change the integer in primaryGroupID with >>>>>>>> ldbedit as root. >>>>>>>> >>>>>>>> I mapped to a new attribute called gidNumber which has no sp...
2015 Jun 25
3
Several questions about winbind[d]
Hi all, I'm wondering about winbind[d] behaviour. I tried the following with: auth methods = sam winbindd and the same with only one d: auth methods = sam winbind One user: ldbsearch -H $sam '(cn=another.fakeuser)' homeDirectory loginShell gidnumber uidnumber # record 1 dn: CN=another.fakeuser,OU=a,OU=Standards,OU=Utilisateurs,DC=ad,DC=dgfip homeDirectory: */home/another.fakeuser*