[Samba] Winbind rid + SID History creating duplicate per-user groups

Josh Kelley joshkel at gmail.com
Tue Jul 29 15:15:53 MDT 2014


On Mon, Jul 28, 2014 at 11:42 AM, Rowland Penny
<rowlandpenny at googlemail.com> wrote:
> There is quite a lot of your smb.conf that is not really required any more,
> have a look here:
>
>  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Thanks.  I'll work on cleaning it up.

> I do not think that winbind itself can create users and groups, simplifying
> things a lot, it just pulls info from somewhere, in this case the AD
> database, so if your users have a group with the same name as their
> username, somebody or something is creating them.

Maybe my choice of terminology was poor?  Winbind creates Unix users
and groups that correspond to the info that it pulls from Active
Directory.

After spending far too much time experimenting with old versions, I
discovered that winbind *does* create per-user groups (sometimes
referred to as "user private groups"), starting with 4.0.5.  More
info:

http://git.samba.org/?p=samba.git;a=commit;h=d2360fe56c860fa20051f6373eb2fcc3e4def6b6
https://lists.samba.org/archive/samba-technical/2013-July/093986.html

User private groups is apparently a feature and cannot be disabled.  I
don't know (or don't know the intricacies of user/group mapping and AD
compatibility well enough to understand) why it was added, but it
should generally be harmless for a Unix environment.

I believe that the fact that SID history can cause duplicate groups to
be created is a bug, and I've logged it at
https://bugzilla.samba.org/show_bug.cgi?id=10753.

Thanks for your help.

-- 
Josh Kelley

