[Samba] Change default GID of users
Bruno Vane
2013-08-27 15:14:23 UTC
Hi all,

I'm using samba4 as DC and using ssh/nslcd/pam in some machines to lookup
ldap base in samba4 to allow access for users.
My question is, how can I set the default GID of users to "100", to match
the GID of group "users" in my linux machines? All users I create with ADUC
are getting UID "513". These machines are joined in the domain.

These are my groups:
root@samba:~# wbinfo -g
Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

These are the GIDs:
CORPORATIVO\Domain Admins:*:3000008:
CORPORATIVO\Domain Users:*:100:
CORPORATIVO\Domain Guests:*:3000012:
CORPORATIVO\Domain Computers:*:3000018:
CORPORATIVO\Domain Controllers:*:3000019:
CORPORATIVO\Schema Admins:*:3000007:
CORPORATIVO\Enterprise Admins:*:3000006:
CORPORATIVO\Group Policy Creator Owners:*:3000004:
CORPORATIVO\Read-Only Domain Controllers:*:3000020:
CORPORATIVO\DnsUpdateProxy:*:3000021:
CORPORATIVO\InternetLiberada:*:3000022:
--
Bruno Vane
HPM Tecnologia
(24) 9278-7195 / (24) 3345-0002
skype: broonu

www.zamix.com.br | www.superonda.com.br
steve
2013-08-27 16:27:13 UTC
Post by Bruno Vane
Hi all,
I'm using samba4 as DC and using ssh/nslcd/pam in some machines to lookup
ldap base in samba4 to allow access for users.
My question is, how can I set the default GID of users to "100", to match
the GID of group "users" in my linux machines? All users I create with ADUC
are getting UID "513". These machines are joined in the domain.
Hi
Add the attribute:
gidNumber: 100
to the DN of Domain Users.

The easiest way to do that is to:
ldbedit --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users

HTH
Steve
Bruno Vane
2013-08-27 17:33:33 UTC
Hi Steve,

I did what you said, and when I create the user, nothing changes:

root@samba:~# getent passwd cobaia
cobaia:*:10004:513:cobaia:/home/cobaia:/bin/bash

root@samba:~# ldbedit -e vim --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
# editing 1 records
# record 1
dn: CN=Domain Users,CN=Users,DC=corporativo,DC=mydomain,DC=net
objectClass: top
objectClass: group
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130826181737.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: 4989c94c-ecd0-46bc-acff-a3d702ee905b
objectSid: S-1-5-21-3289179821-1028934030-3478225505-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=corporativo,DC=mydomain,DC=net
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=corporativo,DC=mydomain,DC=net
msSFU30Name: Domain Users
gidNumber: 100
whenChanged: 20130827172912.0Z
uSNChanged: 3888
distinguishedName: CN=Domain Users,CN=Users,DC=corporativo,DC=mydomain,DC=net



steve
2013-08-27 18:42:59 UTC
Post by Bruno Vane
Hi Steve,
Hi
Sorry, you have to add:
gidNumber: 100
to the DN of each user too.

Make sure that you clear the nscd cache after making any change to AD.
Steve
Bruno Vane
2013-08-27 19:07:10 UTC
Hi Steve,

Seems that this attribute does not matter, see my user "bruno.vane":
primaryGroupID: 513
gidNumber: 100

If I try to change the value of primaryGroupID I get an error:
Using:
root@samba:~# ldbedit -e vim --url=/usr/local/samba/private/sam.ldb samaccountname=bruno.vane

failed to modify CN=Bruno Vane,CN=Users,DC=corporativo,DC=mydomain,DC=net - error in module samldb: Unwilling to perform (53)
root@samba:~# ldbedit -e vim --url=/usr/local/samba/private/sam.ldb samaccountname=bruno.vane
# 0 adds 0 modifies 0 deletes


steve
2013-08-28 07:34:34 UTC
Post by Bruno Vane
Hi Steve,
primaryGroupID: 513
gidNumber: 100
Hi

How are you obtaining the information from AD?
If you set:
gidNumber: 100
in the DN of a user, then that is what will be returned when e.g.
nss-ldapd is used. It will not return primaryGroupID unless you have
mapped that attribute to gidNumber in nslcd.conf. primaryGroupID is not
an rfc2307 attribute.
HTH
Bruno Vane
2013-08-29 14:11:24 UTC
Thank you Steve,

I had this mapping in nslcd.conf
map passwd gidNumber primaryGroupID

I need the gidNumber to be "100" because this is the gidNumber of the group "users"
on my Ubuntu servers.
I will disable this mapping and test if everything is OK.


Marc Muehlfeld
2013-08-29 16:03:13 UTC
Hello Bruno,
Post by Bruno Vane
I had this mapping in nslcd.conf
map passwd gidNumber primaryGroupID
I need the gidNumber to be "100" because this is the gidNumber of the group "users"
on my Ubuntu servers.
I will disable this mapping and test if everything is OK.
The mapping is not just for mapping one field to another. You can
replace values, too, or do other things (see manpage for more).

You can hardcode the mapping:

map passwd gidNumber "666"


# getent passwd
...
Administrator:*:10000:666::/home/Administrator:/bin/bash
technik:*:10001:666:Technik:/home/technik:/bin/false
demo1:*:10002:666:Demo User1:/home/demo1:/bin/sh


And all your domain accounts have primary group 666 :-)


Regards,
Marc
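
The three mapping outcomes discussed in this thread, as an added example that is not part of any post: a simplified Python model of how a `map passwd gidNumber` line decides the primary GID a Linux host sees, which in turn decides group ownership and group-based access on that host. The function names and the sample entry are assumptions made for illustration; the `${attr}`, `${attr:-word}` and `${attr:+word}` forms are the expression syntax described in nslcd.conf(5), modelled here without the rest of nslcd's parsing.

```python
import re

# Constructed sample entry: the two attributes the thread quotes for "bruno.vane".
ENTRY = {"uid": "bruno.vane", "primaryGroupID": "513", "gidNumber": "100"}

_MAP = re.compile(r'^\s*map\s+passwd\s+gidNumber\s+(.+?)\s*$', re.I)
_VAR = re.compile(r'\$\{(\w+)(?:(:[-+])([^}]*))?\}|\$(\w+)')


def _get(entry, name):
    """Look up an attribute; LDAP attribute names are case-insensitive."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    return None


def _expand(match, entry):
    """Expand ${attr}, ${attr:-word}, ${attr:+word} or $attr against one entry."""
    name = match.group(1) or match.group(4)
    op, word = match.group(2), match.group(3)
    value = _get(entry, name)
    if op == ":-":                       # use `word` when the attribute is unset
        return value or word
    if op == ":+":                       # use `word` only when the attribute is set
        return word if value else ""
    return value or ""


def effective_gid(map_line, entry):
    """GID reported for `entry` under one map line (None means no map line)."""
    if map_line is None:
        return _get(entry, "gidNumber")  # unmapped: the rfc2307 gidNumber attribute
    m = _MAP.match(map_line)
    if not m:
        raise ValueError("not a 'map passwd gidNumber' line")
    rhs = m.group(1)
    if len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
        # Quoted right-hand side: a constant or an expression.
        return _VAR.sub(lambda v: _expand(v, entry), rhs[1:-1]) or None
    return _get(entry, rhs)              # bare name: read a different attribute


def audit(map_line, entries, expected_gid):
    """Return the uids whose reported primary GID differs from expected_gid."""
    return [e["uid"] for e in entries
            if effective_gid(map_line, e) != expected_gid]
```

Running `audit` over an export of user entries before changing nslcd.conf shows which accounts would land in a different primary group, including accounts that have no gidNumber set at all.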
Bruno Vane
2013-08-29 17:06:02 UTC
Thank you Marc!

