idmap_ad group id mapping.

Nimrod Sapir NIMRODS at
Thu Jul 12 02:53:42 MDT 2012

Michael Adam <obnox at> wrote on 12/07/2012 01:20:57:

> Yes, this is actually how it should work:
> Samba takes the windows user token and turns it into
> a unix token. Here the expected thing is to turn the windows
> groups into unix groups (by id mapping) one-to-one.
> I would say that the windows admins should give the
> user a primary (windows) group that also carries a gidnumber
> unix attribute. I can't see why a windows admin would give
> the user a primary windows group (maybe w/o gid number) and
> primary gid number in the unix attributes that refers to a
> different windows group or to no windows group at all.
> But it seems to be a rather frequent request.
> If it is really important, then we could make it configurable
> to let samba choose the primary gid from the windows user
> sfu attributes as the unix primary gid.

I would say that the existing behavior is reasonable (as well as expecting
the user to enforce the gid value of the primary group) if the "primary
group name/GID" field was not there, right below the UID field. I, as a
user, was sure that this field would determine the GID. I believe this is
also what Microsoft expects from systems which are using this scheme
(otherwise, why is it there?), and from the perspective of a customer
who has a large Active Directory and wants to allocate different GIDs to
different users, the existing behavior is error-prone while the second
approach ensures consistency.
