On Sun, Oct 24, 2010 at 2:46 PM, Andrew Lyon <andrew.l...@gmail.com> wrote:
>> -----Original Message-----
>> From: Andrew Lyon [mailto:andrew.l...@gmail.com]
>> Sent: Friday, 22 October 2010 11:50
>> To: Oliver Weinmann
>> Cc: samba@lists.samba.org
>> Subject: Re: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
>>
>> On Wed, Oct 20, 2010 at 12:36 PM, Oliver Weinmann <oliver.weinm...@vega.de> wrote:
>>> Hi,
>>>
>>> Any news regarding this problem? I have tested samba 3.5.6 and the
>>> problem still persists. I had to downgrade to 3.3 on a few machines now.
>>>
>>> Regards,
>>> Oliver
>>>
>>> -----Original Message-----
>>> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Oliver Weinmann
>>> Sent: Thursday, 9 September 2010 13:13
>>> To: samba@lists.samba.org
>>> Subject: [Samba] Samba-winbind 3.5.4 primary group is always domainusers!!!???
>>>
>>> Dear All,
>>>
>>> I stepped over a strange issue today. I have one installation of samba
>>> winbind 3.3.2 on an Ubuntu machine. Changing the primary unix group of
>>> a user is updated immediately. On a newer samba 3.5.4 installation the
>>> primary group is not updated at all. It always displays "domain users".
>>> Is there a new setting for the smb.conf?
>>> Here is my smb.conf:
>>>
>>> [global]
>>> netbios name = gedail1
>>> realm = SOMEDOMAIN.NET
>>> workgroup = SOMEDOMAIN
>>> security = ADS
>>> encrypt passwords = true
>>> password server = server1.somedomain.net server2.somedomain.net
>>> os level = 20
>>> idmap backend = ad
>>> idmap config SOMEDOMAIN : backend = ad
>>> idmap config SOMEDOMAIN : schema_mode = sfu
>>> idmap config SOMEDOMAIN : range = 0-99999999
>>> winbind nss info = sfu
>>> winbind enum users = yes
>>> winbind enum groups = yes
>>> preferred master = no
>>> winbind nested groups = Yes
>>> winbind use default domain = Yes
>>> max log size = 50
>>> log level = 10
>>> log file = /var/log/samba/log.%m
>>> dns proxy = no
>>> wins server = 172.20.200.18 172.18.200.20
>>> allow trusted domains = no
>>> client use spnego = Yes
>>> use kerberos keytab = true
>>> winbind refresh tickets = yes
>>> idmap cache time = 1
>>> winbind cache time = 1
>>>
>>> It's a W2k3 AD Domain.
>>>
>>> Regards,
>>> Oliver
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>>>
>>
>> I've noticed the same with samba 3.5.6, our administrator user has primary
>> group name/gid Domain Admins but the primary group on our linux systems is
>> domain users.
>>
>> I've noticed that searching AD for users with rfc2307/sfu attributes shows
>> the correct gid:
>>
>> net ads search '(|(uidNumber=*)(gidNumber=*))' objectCategory sAMAccountName uidNumber gidNumber -P
>>
>> sAMAccountName: Domain Users
>> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=josims,DC=local
>> gidNumber: 10000
>>
>> sAMAccountName: test
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=josims,DC=local
>> uidNumber: 10009
>> gidNumber: 10010
>>
>> The gid returned is correct, and if I change it and remove the cache file it
>> updates, so it is definitely being read from AD, but all users have gid
>> domain users:
>>
>> wbinfo -i test
>> test:*:10009:10000:test:/home/test:/bin/bash
>>
>> Andy
>>
> On Fri, Oct 22, 2010 at 10:55 AM, Oliver Weinmann <oliver.weinm...@vega.de> wrote:
>> Good to know that I'm not the only one facing this serious problem. I would
>> really like to know why this is not the case under samba 3.3. Currently I
>> have stopped upgrading from 3.3 to 3.5.x because this problem is generating
>> a lot of trouble for us when users of different projects create files and
>> they are read/write for all members of domain users. The only way around
>> this is to use the SGID on the folder to inherit the project group.
>
> Hi,
>
> I've been looking at this again and found that the primary gid is read
> from the user's primary windows group, not the one set in the UNIX
> attributes tab which is added by registering nisprop.dll.
>
> To change the windows primary group go to the "Member Of" tab in ADUC,
> highlight the group and click "Set Primary Group", for example I set
> user test to have domain admins as primary group:
>
> uid=10009(test) gid=10010(domain_admins)
> groups=10010(domain_admins),10000(domain_users)
>
> The Primary group name/GID in UNIX Attributes seems to be unused by
> winbind with sfu/rfc2307.
>
> I have noticed other strange things with the UNIX Attributes tab, for
> example adding a user to a group through the unix attribs tab or
> "member of" tab does not result in the user being listed as a member
> of the group in the Members section of the UNIX Attributes tab when
> viewing the group properties; it's as if the unix gids for a given user
> and the uids which are members of a given group are stored separately.
>
> I'm going to read up on the Microsoft documentation for SFU...
>
> Note that after making changes like this it is necessary to remove
> cache files before the change is reflected. I usually remove all files
> in /var/lib/samba and /var/cache/samba and then rejoin the machine to
> the domain to make sure nothing is cached. It seems strange that this
> is necessary; caching is a good thing, but when would changes be
> reflected if the cache files were never removed?
>
> It would be nice to know exactly how this is supposed to work as it's
> not completely clear to me if this is a bug or not.
>
> Andy
>
Looks like this is expected behavior:
http://readlist.com/lists/lists.samba.org/samba/1/6417.html

The documentation does sort of mention this at
http://wiki.samba.org/index.php/Samba_&_Active_Directory

"You must make sure that the primary group of the Unix users in the AD is
also Unix enabled (with a GID) (A user whose primary group is not also a
Unix group will not show up on Unix at all !)"

But it is not clear from that statement that primary group means
primaryGroupID (windows primary group) NOT gidNumber (rfc2307)

Andy
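An added illustration (editor's example, not code from the thread or from Samba) of the resolution rule Andy arrives at, and of why his wbinfo output in the earlier message showed gid 10000 while gidNumber said 10010: winbind with idmap backend = ad / nss info = sfu takes the gidNumber of the group that the user's Windows primaryGroupID (a RID) points at, ignores the user's own gidNumber, and hides the user entirely when that group is not Unix-enabled. The directory records, the user "alice" and the group "Project X" are constructed; the RIDs 512/513 are the well-known Domain Admins/Domain Users RIDs, and the audit() helper is a hypothetical check an admin could run against an LDAP export before upgrading.

```python
import copy

# Constructed AD objects mirroring the numbers quoted in the thread (not real directory data).
# Groups carry the RID that a user's primaryGroupID points at, plus the rfc2307/SFU gidNumber.
GROUPS = {
    "Domain Users":  {"rid": 513, "gidNumber": 10000},
    "Domain Admins": {"rid": 512, "gidNumber": 10010},
    "Project X":     {"rid": 1105, "gidNumber": None},  # constructed group, not Unix-enabled
}
# Users carry the uidNumber/gidNumber from the UNIX Attributes tab and the Windows
# primaryGroupID (a RID) that ADUC "Member Of" -> "Set Primary Group" rewrites.
USERS = {
    "test":  {"uidNumber": 10009, "gidNumber": 10010, "primaryGroupID": 513},
    "alice": {"uidNumber": 10011, "gidNumber": 10000, "primaryGroupID": 1105},  # constructed
}

def effective_primary_gid(user, groups):
    """gid winbind (idmap backend = ad, nss info = sfu) actually uses: the gidNumber of the
    group that primaryGroupID resolves to. None = the user will not show up on Unix at all."""
    group = next((g for g in groups.values() if g["rid"] == user["primaryGroupID"]), None)
    return None if group is None else group["gidNumber"]

def winbind_passwd(sam, users, groups):
    """passwd-style line as 'wbinfo -i' prints it, or None when the user is hidden."""
    user = users[sam]
    gid = effective_primary_gid(user, groups)
    if gid is None:
        return None
    return f"{sam}:*:{user['uidNumber']}:{gid}:{sam}:/home/{sam}:/bin/bash"

def set_primary_group(sam, group_name, users, groups):
    """Mimic 'Set Primary Group': changes primaryGroupID only; the user's gidNumber is untouched.
    Returns a modified copy so the original snapshot can be compared against it."""
    updated = copy.deepcopy(users)
    updated[sam]["primaryGroupID"] = groups[group_name]["rid"]
    return updated

def audit(users, groups):
    """Flag users whose UNIX Attributes gidNumber differs from what winbind will expose.
    Returns {sam: (gidNumber_in_ad, effective_gid_or_None)}."""
    findings = {}
    for sam, user in users.items():
        eff = effective_primary_gid(user, groups)
        if eff != user["gidNumber"]:
            findings[sam] = (user["gidNumber"], eff)
    return findings

if __name__ == "__main__":
    for sam, (wanted, got) in audit(USERS, GROUPS).items():
        print(f"{sam}: gidNumber={wanted} but winbind primary gid={got}")
```

With the constructed data, "test" gets gid 10000 exactly as in the wbinfo output quoted above until the Windows primary group is switched to Domain Admins, and "alice" is flagged as invisible because her primary group has no gidNumber.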