[Samba] Re: ldapsearch and getent passd/group with nss winbind differs

Andreas Ladanyi knuffiandy at web.de
Sat Aug 23 19:03:21 GMT 2008

Hey Jerry,

Gerald (Jerry) Carter wrote:
> Andreas Ladanyi wrote:
>> Ok ! Could it be true this behavior is different between
>> "security=domain" and "security=ads" ?
>> Because we had to put the user to the group:
>> - first on windows side in Active Directory
>> - second on unix side in AD in the tab "Members of"
>> so winbind 3.0.24 client recognises the group membership
>> on unix side in "security=domain" mode.
>> Now we changed to Samba 3.0.31 with security=ads 
>> mode and the behavior is a bit different.
> You lost me here.  Maybe due to the fact that I am accustomed
> to the Windows 2003 R2 Unix Attribute tab.  The only member
> of tab I see is to control the Windows group memberships.

The reason for my message is a little confusion:

In general you are right ;-)

There is one "UNIX attribute" tab and one "Members Of" tab.

During some tests we discovered the following facts:

In "UNIX attribute" tab:

winbind is only interested in the UID field ->
in the LDAP tree the attribute "uidnumber".

The other attributes from the "UNIX attribute" tab are written to the LDAP
tree, but not used by winbind on the linux side.

For example we set the following parameter in smb.conf:

winbind nss info = sfu

Of course we could define our own template bash/home with the "template
home" and "template shell" parameters, but it would be better if "sfu"
worked, so we could configure this parameter by the tab.

The "primary Group" is written to the LDAP tree but not used by winbind
on the unix side.

In "Members Of" tab:

In this tab you can choose a group from a list and there is a button with
which you can set a Unix primary group by clicking. This will be read by
winbind only. But this has no effect on the primary group ID on the "UNIX
attribute" tab.

What do you say? Did we configure something wrong? Is this the normal
function?

