
Re: [Samba] idmap backend ad well-known-sids 512 & 513




On Wed, 13 Feb 2019 17:26:05 +0100
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> In addition to Rowland's. 
> 
> And be aware that there is a bug in 
> 
> unix_primary_group = 
> You only see 10000 or Domain Users. 
> If you change the primary group to something else, it stays
> 10000/Domain users. 
> 
> See: 
> default group always set to "Domain Users" not evaluating
> PrimaryGroupID ldap attribute
> https://bugzilla.samba.org/show_bug.cgi?id=13371 
> 
> 
> And 
> You know that you have to set the UIDs/GIDs yourself? 
> https://wiki.samba.org/index.php/User_and_group_management
> 
> https://wiki.samba.org/index.php/Maintaining_Unix_Attributes_in_AD_using_ADUC 
> 
> 
> Greetz, 
> 
> Louis
> 
> 

This isn't in my opinion a bug ;-)

Let's start with a Unix domain member that has 'unix_primary_group = yes'
set:

rowland@devstation:~/mate$ getent passwd usertest
usertest:*:10007:10001:User Test:/dev/null:/bin/bash

Here we can see that user 'usertest' has the group ID '10001', this is
the ID for a Unix group stored in AD.

Now we will go to a DC:

root@dc4:~# getent passwd usertest
SAMDOM\usertest:*:10007:10000::/home/usertest:/bin/bash

The group ID is now '10000' and this is the gidNumber for 'Domain Users'

Finally, a Unix domain member using the 'rid' backend

adminuser@Computer4:~$ getent passwd usertest
usertest:*:11112:10513::/home/usertest:/bin/bash

The group id is now '10513', this is the RID for 'Domain Users' plus
the low range set in smb.conf, this is '10000'

So, one user, three group IDs

So, why do I not think it is a bug?

If somebody logs into 'devstation' and has a gidNumber, they will get
the Unix primary group.

If somebody connects to a share, they are either connecting from a
Windows machine or a Samba machine that is 'simulating' a Windows
machine. In this case, Windows expects the user's Primary group to be
Domain Users.

In my opinion, you either never use the same username from a Windows
machine and Unix machines, or you always use 'Domain Users' as the
user's primary group.

Rowland
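
Added example, not part of the original message and not Samba code: a small audit that takes 'getent passwd' lines collected from several hosts and reports accounts whose numeric UID or primary GID differs between them, which matters wherever file ownership is compared across machines. The three sample lines are the ones quoted in the message; the function names and the way the lines are collected per host are assumptions.

```python
from collections import defaultdict

# getent passwd output copied from the message above, keyed by host.
SAMPLES = {
    "devstation": "usertest:*:10007:10001:User Test:/dev/null:/bin/bash",
    "dc4": r"SAMDOM\usertest:*:10007:10000::/home/usertest:/bin/bash",
    "Computer4": "usertest:*:11112:10513::/home/usertest:/bin/bash",
}

DOMAIN_USERS_RID = 513  # well-known RID of 'Domain Users'


def rid_backend_id(rid, low_range):
    """ID as described in the message for the 'rid' backend: RID plus low range."""
    return rid + low_range


def parse_passwd(line):
    """Return (username, uid, gid) from one getent passwd line."""
    fields = line.strip().split(":")
    if len(fields) != 7:
        raise ValueError(f"not a passwd entry: {line!r}")
    # A DC prints 'DOMAIN\user'; strip the prefix so hosts can be compared.
    name = fields[0].rsplit("\\", 1)[-1].lower()
    return name, int(fields[2]), int(fields[3])


def audit(samples):
    """Return {user: {'uids', 'gids', 'hosts'}} for users whose IDs differ."""
    seen = defaultdict(dict)
    for host, line in samples.items():
        name, uid, gid = parse_passwd(line)
        seen[name][host] = (uid, gid)
    findings = {}
    for name, per_host in seen.items():
        uids = sorted({uid for uid, _ in per_host.values()})
        gids = sorted({gid for _, gid in per_host.values()})
        if len(uids) > 1 or len(gids) > 1:
            findings[name] = {"uids": uids, "gids": gids, "hosts": per_host}
    return findings


if __name__ == "__main__":
    for user, f in audit(SAMPLES).items():
        print(user, "uids:", f["uids"], "gids:", f["gids"])
        for host, (uid, gid) in f["hosts"].items():
            note = ""
            if gid == rid_backend_id(DOMAIN_USERS_RID, 10000):
                note = "  (Domain Users RID + low range 10000)"
            print(f"  {host}: uid={uid} gid={gid}{note}")
```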
 
