Add unix_primary_group and unix_nss_info to idmap_ad configuration to address how Samba now handles groups
Samba authentication using the 'ad' backend and gid user/group attributes worked in 9.10.2, but is broken in 11.1-U1 for users relying on the gidNumber LDAP attribute. It appears Samba was upgraded from 4.5.5 to 4.7.0 between 9.10.2 and 11.1-U1. The Samba wiki identifies a difference in the way that it handles groups starting in 4.6.0 (see https://wiki.samba.org/index.php/Idmap_config_ad#The_RFC2307_and_template_Mode_Options).
With Samba's new unix_primary_group default setting, the primaryGroupID attribute is used to determine the gid for users, and not the gidNumber attribute. primaryGroupID is set to the last part of the AD group's ObjectSid. ObjectSid is read-only and cannot be modified, which results in AD users not being recognized by Samba when their primary group's ObjectSid falls outside the idmap config range.
Using the Web UI-generated /usr/local/etc/smb4.conf, my AD groups are presented via getent group because the gidNumber I assigned them falls within the idmap config range. My AD users are not presented via getent passwd since their primary group's ObjectSid falls outside the idmap config range. After adding the idmap config MYDOMAIN: unix_primary_group = yes line to /usr/local/etc/smb4.conf and running /usr/local/etc/rc.d/samba_server restart, I can now see the AD users and assign permissions to them within FreeNAS.
It seems that this is largely a Samba issue, since with default settings Samba would seemingly break their own multi-domain integration with non-overlapping ranges due to arbitrarily assigned ObjectSid values. However, it would be extremely helpful if FreeNAS could guard against this issue by inserting MYDOMAIN: unix_primary_group = no into smb4.conf and providing a deterministic way to import users and groups from AD into FreeNAS.
Is it possible to get MYDOMAIN: unix_primary_group = no added to smb4.conf to accommodate the 'ad' backend? I'm willing to test other workarounds. Thanks!
PS: Please let me know if any of my assertions are incorrect. For my setup, I have multiple users and groups all configured with uidNumber, gidNumber, loginShell, and unixHomeDirectory attributes defined, added to the Global Catalog, etc. I'm using a "stock" Windows Server 2016 domain controller. Users and groups are defined, but no Group Policy, OUs, or anything fancy(TM).
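Added example (not from the original post or from FreeNAS/Samba): a small POSIX shell model of how winbind's idmap_ad backend derives a user's primary gid under each value of unix_primary_group. With the default (no), winbind builds the primary group's SID from the domain SID plus the user's primaryGroupID and then maps that group object through its gidNumber; with yes, it reads the user's own gidNumber. The domain SID, idmap range, and the user/group records are constructed for the example; the group "Domain Users" (RID 513) is given no gidNumber, which is how it looks on a stock domain controller.

```shell
#!/bin/sh
# Added example, not from the original post: a model of how winbind's idmap_ad
# backend derives a user's primary gid under each unix_primary_group setting.
# Domain SID, idmap range and directory records below are constructed.

DOMAIN_SID="S-1-5-21-111111111-222222222-333333333"   # constructed
RANGE_LOW=10000                                        # idmap config ... : range
RANGE_HIGH=19999

# Constructed group objects: name|RID (last part of objectSid)|gidNumber.
# "Domain Users" (RID 513) has no gidNumber, as on a stock domain controller.
GROUP_DB="Domain Users|513|
nas-admins|1105|10001"

# Constructed user objects: name|primaryGroupID|gidNumber|uidNumber.
USER_DB="alice|513|10001|10500
bob|1105|10001|10501"

# user_field NAME N -> field N of NAME's record (empty if the user is unknown).
user_field() {
    printf '%s\n' "$USER_DB" | awk -F'|' -v u="$1" -v n="$2" '$1 == u { print $n; exit }'
}

# group_gid_by_rid RID -> gidNumber of the group whose objectSid ends in RID,
# i.e. what idmap_ad looks up after building "$DOMAIN_SID-RID".
group_gid_by_rid() {
    printf '%s\n' "$GROUP_DB" | awk -F'|' -v rid="$1" '$2 == rid { print $3; exit }'
}

# in_range GID -> true if GID is set and inside the idmap range.
in_range() {
    [ -n "$1" ] && [ "$1" -ge "$RANGE_LOW" ] && [ "$1" -le "$RANGE_HIGH" ]
}

# primary_gid USER MODE -> the gid winbind would assign, or "unmapped".
# MODE is the value of "idmap config MYDOMAIN : unix_primary_group".
primary_gid() {
    if [ "$2" = "yes" ]; then
        gid=$(user_field "$1" 3)                        # user's own gidNumber
    else
        gid=$(group_gid_by_rid "$(user_field "$1" 2)")  # group found via primaryGroupID
    fi
    if in_range "$gid"; then echo "$gid"; else echo "unmapped"; fi
}

# listed_users MODE -> names that "getent passwd" would show: a user whose
# primary gid cannot be mapped is dropped from the enumeration.
listed_users() {
    printf '%s\n' "$USER_DB" | cut -d'|' -f1 | while read -r u; do
        if [ "$(primary_gid "$u" "$1")" != "unmapped" ]; then echo "$u"; fi
    done
}

for mode in no yes; do
    echo "idmap config MYDOMAIN : unix_primary_group = $mode"
    for u in alice bob; do
        printf '  %-5s primary group %s-%s -> gid %s\n' \
            "$u" "$DOMAIN_SID" "$(user_field "$u" 2)" "$(primary_gid "$u" "$mode")"
    done
    printf '  getent passwd would list: %s\n' "$(listed_users "$mode" | tr '\n' ' ')"
done
```

Running it shows alice (primary group Domain Users) unmapped and absent from the passwd enumeration under the default, and mapped to 10001 once unix_primary_group = yes makes winbind read her gidNumber directly; bob, whose primary group carries an in-range gidNumber, resolves under both settings. The same two checks (does the primary group object have a gidNumber, and is it inside the configured range) are what to verify on a real domain before changing the setting.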