Bug 13889 - samba-tool erroneously requires "--gid-number" etc on user creation
Summary: samba-tool erroneously requires "--gid-number" etc on user creation
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.8.2
Hardware: All All
: P5 trivial (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2019-04-05 15:27 UTC by Danny Milosavljevic
Modified: 2019-07-12 17:33 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Danny Milosavljevic 2019-04-05 15:27:03 UTC
We've set up two Samba domain controllers and a Samba file server and ran into some small nits and want to bring those up with you.

"samba-tool user create" requires these options:


We set up a samba file server using 

  winbind nss info = template


  idmap config XXX:backend = ad


We want to be able to assign the unix user id ourselves on the Samba AD.  This works by setting the attribute called "uidNumber" (via ldbmodify--which is kinda convoluted to use for that purpose) on the user node in the LDAP-like database.

However, the user node's "primaryGroup" attribute points to the RID of the primary group to use for that user.
And Samba File Server rightfully uses the attribute called "gidNumber" *of that group node* that was pointed to, not of the user node.

So why is "--gid-number" required on user creation?  It makes no sense to us.

Similarly, we want to be able to set up both the file server's home directory mapping and the shell *on the file server, not on the AD* because both depend on the file server in question.

Therefore, we set up "winbind nss info = template" and also specified

  template homedir = /data/disk1/home/%U
  template shell = /gnu/store/xbvwxf4k5njnb3hn93xwqlppjkiz4hdv-coreutils-8.27/bin/false

on the file server.  (these would be different on a different file server of that domain)

So far so good.

But why then is it mandatory to specify


when doing "samba-tool user create" on the DC?  It makes no sense to us.

Also, we get

                You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.

on the DC.  However, we think that this is misleading.  Better would be:

                You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' on your file servers in order to use those attributes for XID/SID-mapping.

Furthermore, I think that the config check right before emitting that message checks the DC's smb.conf (we run samba-tool there) - which definitely doesn't need such a setting.
Comment 1 Rowland Penny 2019-07-12 15:07:50 UTC
This isn't a bug because you do not have to specify any rfc2307 attributes when creating a user with samba-tool.

There is a bug which has never been fixed, if you specify '--nis-domain' you must specify the other rfc2307 attributes, but you can add individual rfc2307 attributes if you don't specify '--nis-domain'

Also, you can only set 'idmap_ldb:use rfc2307 = Yes' on a DC, it has no effect on a Unix domain member.

can I suggest you read the output of 'samba-tool user create --help'