idmap_ad group id mapping.
NIMRODS at il.ibm.com
Thu Jul 12 02:53:42 MDT 2012
Michael Adam <obnox at samba.org> wrote on 12/07/2012 01:20:57:
> Yes, this is actually how it should work:
> Samba takes the windows user token and turns it into
> a unix token. Here the expected thing is to turn the windows
> groups into unix groups (by id mapping) one-to-one.
> I would say that the windows admins should give the
> user a primary (windows) group that also carries a gidnumber
> unix attribute. I can't see why a windows admin would give
> the user a primary windows group (maybe w/o gid number) and
> primary gid number in the unix attributes that refers to a
> different windows group or to no windows group at all.
> But it seems to be a rather frequent request.
> If it is really important, then we could make it configurable
> to let samba choose the primary gid from the windows user
> sfu attributes as the unix primary gid.
I would say that the existing behavior is reasonable (as well as expecting
the user to enforce the gid value of the primary group) if the "primary
group name/GID" field was not there, right below the UID field. I, as a
user, was sure that this field would determine the GID. I believe this is
also what Microsoft expects from systems which are using this scheme
(otherwise, why is it there?), and from the perspective of a customer
which has a large Active Directory and wants to allocate different GIDs to
different users, the existing behavior is error-prone while the second
approach ensures consistency.