FreeNAS

Samba authentication using the 'ad' backend and gid user/group attributes worked in 9.10.2, but is broken in 11.1-U1 for users relying on the gidNumber LDAP attribute. It appears Samba was upgraded from 4.5.5 to 4.7.0 between 9.10.2 and 11.1-U1. The Samba wiki identifies a difference in the way that it handles groups starting in 4.6.0 (see https://wiki.samba.org/index.php/Idmap_config_ad#The_RFC2307_and_template_Mode_Options).

With Samba's new unix_primary_group default setting, the primaryGroupID attribute is used to determine the gid for users, and not the gidNumber. The primaryGroupID is set to the last part of the AD group's ObjectSid. The ObjectSid is read-only and cannot be modified which results in AD users not being recognized by Samba when their primary group's ObectSid falls outside the idmap config range.

Using the Web UI-generated /usr/local/etc/smb4.conf, my AD groups are presented via getent group because the gidNumber I assigned them falls within the idmap config range. My AD users are not presented via getent passwd since their primary group's ObjectSid falls outside the idmap config range. After adding idmap config MYDOMAIN: unix_primary_group = yes line to /usr/local/etc/smb4.conf and running /usr/local/etc/rc.d/samba_server restart, I can now see the AD users and assign permissions to them within FreeNAS.

It seems that this is largely a Samba issue, since with default settings Samba would seemingly break their own multi-domain integration with non-overlapping ranges due to arbitrarily assigned ObjectSid values. However, it would be extremely helpful if FreeNAS could guard against this issue by inserting MYDOMAIN: unix_primary_group = no into smb4.conf and providing a deterministic way to import users and groups from AD into FreeNAS.

Is it possible to get MYDOMAIN: unix_primary_group = no added to smb4.conf to accommodate the 'ad' backend? I'm willing to test other workarounds. Thanks!

PS: Please let me know if any of my assertions are incorrect. For my setup, I have multiple users and groups all configured with uidNumber, gidNumber, loginShell, and unixHomeDirectory attributes defined, added to the Global Catalog, etc. I'm using a "stock" Windows Server 2016 domain controller. Users and groups are defined, but no Group Policy, OUs, or anything fancy(TM).