The Samba-Bugzilla – Bug 13889
samba-tool erroneously requires "--gid-number" etc on user creation
Last modified: 2019-04-05 15:27:03 UTC
We've set up two Samba domain controllers and a Samba file server and ran into some small nits and want to bring those up with you.
"samba-tool user create" requires these options:
We set up a samba file server using
winbind nss info = template
idmap config XXX:backend = ad
We want to be able to assign the unix user id ourselves on the Samba AD. This works by setting the attribute called "uidNumber" (via ldbmodify--which is kinda convoluted to use for that purpose) on the user node in the LDAP-like database.
However, the user node's "primaryGroup" attribute points to the RID of the primary group to use for that user.
And Samba File Server rightfully uses the attribute called "gidNumber" *of that group node* that was pointed to, not of the user node.
So why is "--gid-number" required on user creation? It makes no sense to us.
Similarly, we want to be able to set up both the file server's home directory mapping and the shell *on the file server, not on the AD* because both depend on the file server in question.
Therefore, we set up "winbind nss info = template" and also specified
template homedir = /data/disk1/home/%U
template shell = /gnu/store/xbvwxf4k5njnb3hn93xwqlppjkiz4hdv-coreutils-8.27/bin/false
on the file server. (these would be different on a different file server of that domain)
So far so good.
But why then is it mandatory to specify
when doing "samba-tool user create" on the DC? It makes no sense to us.
Also, we get
You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' to use those attributes for XID/SID-mapping.
on the DC. However, we think that this is misleading. Better would be:
You are setting a Unix/RFC2307 UID or GID. You may want to set 'idmap_ldb:use rfc2307 = Yes' on your file servers in order to use those attributes for XID/SID-mapping.
Furthermore, I think that the config check right before emitting that message checks the DC's smb.conf (we run samba-tool there) - which definitely doesn't need such a setting.