Re: [Samba] 10 minutes between primary group change and effect on Fedora 27
- Date: Tue, 27 Mar 2018 09:36:49 -0600
- From: Jeff Sadowski via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] 10 minutes between primary group change and effect on Fedora 27
On Tue, Mar 27, 2018 at 9:15 AM, Rowland Penny <rpenny@xxxxxxxxx> wrote:
> On Tue, 27 Mar 2018 08:46:00 -0600
> Jeff Sadowski via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> My smb.conf looks like so.
>> security = ads
>> realm = MIND.UNM.EDU
>> workgroup = MIND
>> idmap config * : backend = tdb
>> idmap config * : range = 2000-7999
>> idmap config MIND:backend = ad
>> idmap config MIND:schema_mode = rfc2307
>> idmap config MIND:range = 8000-9999999
>> idmap config MIND:unix_nss_info = yes
>> winbind use default domain = yes
>> restrict anonymous = 2
>> I have a user jefftest.
>> I found that to set the primary group that user needs to be in that
>> If I set the group of jefftest to a new group (both in the UNIX
>> attributes tab and in the Member Of tab) using Active Directory Users
>> and Computers.
>> Then I test the user using ldapsearch against each domain controller
>> and they all have the new values according to ldapsearch in gidNumber.
>> Then I log in with jefftest on my joined Fedora 27 machine using
>> winbind 4.7.6 as jefftest and run id.
>> It still shows the old group.
>> So I log out as jefftest and in as root and run
> I think you are mixing up group membership and the user's primary group.
> When you run 'getent group username', what is returned is the username
> and the user's primary group
> e.g. getent passwd rowland
> rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash
> The first number is the user's uidNumber, the second is the gidNumber of
> the user's primary group, in this case Domain Users.
> All users, by default, get the gidNumber of Domain Users. If you want
> the user to have a different primary group, you need to give the user a
> gidNumber attribute containing the gidNumber of the required group AND
> add this line to smb.conf:
> idmap config MIND:unix_primary_group = yes
OK I added this line
Is that not the default behavior? It seemed to work after ten minutes
like I wanted. I just wanted to speed up by flushing the cache or
> This will only work from Samba 4.6.0
Did you mean 4.6.0 and greater?
> Just in case you are trying to have user private groups with the same
> name as the user, well, you cannot, it isn't allowed.
I'm switching between jeff_write_group and jeffs_general_group so this
isn't the issue. AD wouldn't let me do that anyways.
I added the debug line as L.P.H. van Belle had suggested too.
> getent passwd jefftest
when I just switched the gidNumber to
and verified using ldapsearch against all my DCs and I tried a "net
The log files may have info in them, but I'm not sure what to look for
or how to post them. I think attachments are removed by the list.
And after 10 minutes getent now shows the same.
Seems that adding the
idmap config MIND:unix_primary_group = yes
nothing has noticeably changed.