[Samba] [Samba 4] Issues with uidNumber and gidNumber in AD for Linux clients

Fred F frederik.vogelsang at gmail.com
Thu Jan 24 06:32:38 MST 2013


Thanks for your statement, Andrew. I know about winbind and we've used
it in the past, but I remember there were some issues when dealing
with POSIX ACLs and winbind.

Now while winbind might work in some environments, I think it would be
much nicer and cleaner to integrate Linux clients into a Samba AD
domain with "native" Linux tools. The PAM part is very easy and works
great already with Samba 4 and Linux clients using Kerberos. The only
somewhat troublesome part is the NSS information
(passwd/groups/shadow), which would also not really be an issue if
Samba 4 properly implemented separation between users and groups in
POSIX ACLs (#9521).

I guess I'll take a second look at winbind then.


Regards,
 Frederik

2013/1/24 Andrew Bartlett <abartlet at samba.org>:
> On Wed, 2013-01-23 at 18:29 +0100, Fred F wrote:
>> 2013/1/22 Gémes Géza <geza at kzsdabas.hu>:
>> > I don't agree, because users can be members of multiple groups, not just the
>> > group identified as their primary group
>> Well, yes. That is not the point. Users can still be members of
>> multiple groups (e.g. CN=Domain Admins,CN=Users,CN=DOMAIN), through
>> the "member" attributes of the AD/LDAP nodes, but the actual issue
>> here is that plain users do not show up in (CN=Domain
>> Users,CN=Users,CN=DOMAIN), because "Domain Users" is set as the
>> primary group directly. Additionally added groups show up on the Linux
>> side as well, just not the primary group (with my approach).
>>
>> Any other thoughts? Isn't this scenario one of the most common usage
>> scenarios ever? Serving both Windows and Linux? How come so little
>> information is available about Samba4 with Linux clients?
>
> That is because there isn't anything special about Samba 4.0 as an AD DC
> with Linux clients that hasn't already been done for a Windows AD
> domain.
>
> The Samba Team recommends winbind as the AD client to use on Linux,
> because it handles these and many other details much better than just
> nss_ldap.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>

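The membership problem described in this thread (a user's primary group is set via primaryGroupID rather than through the group's "member" attribute, so a resolver that only walks "member" never shows "Domain Users") as an added, stand-alone example. This is not code from the thread, from Samba or from winbind; the directory entries are constructed sample data with an assumed domain SID and assumed uidNumber/gidNumber values, and the dicts stand in for LDAP search results.

```python
"""
Added example (not part of the original thread or of Samba's code): why a
user's primary group is invisible to an NSS backend that only follows the
group 'member' attribute, and how to resolve memberships correctly.

In AD the user's primary group does NOT list the user in its 'member'
attribute. The user instead carries primaryGroupID, the RID (last component
of the objectSid) of the primary group. A resolver has to match that RID
against each group's objectSid to recover the membership.
"""

# Constructed sample data (assumption: flat dicts standing in for LDAP
# entries; the attribute names are the real AD attribute names).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed domain SID

USERS = {
    "CN=Fred,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "fred",
        "objectSid": DOMAIN_SID + "-1105",
        "primaryGroupID": 513,   # RID of "Domain Users", a well-known RID
        "uidNumber": 10005,      # assumed value
        "gidNumber": 10513,      # assumed value
    },
}

GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "Domain Users",
        "objectSid": DOMAIN_SID + "-513",
        "gidNumber": 10513,
        "member": [],            # primary members are NOT listed here
    },
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "sAMAccountName": "Domain Admins",
        "objectSid": DOMAIN_SID + "-512",
        "gidNumber": 10512,
        "member": ["CN=Fred,CN=Users,DC=example,DC=com"],
    },
}


def rid_of(sid):
    """Relative identifier: the last dash-separated component of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def groups_via_member(user_dn):
    """Naive resolver that only follows 'member' (the nss_ldap-style approach
    from the thread). It cannot see the primary group."""
    return sorted(g["sAMAccountName"] for g in GROUPS.values()
                  if user_dn in g["member"])


def primary_group_of(user_dn):
    """Find the group whose objectSid RID equals the user's primaryGroupID."""
    user = USERS[user_dn]
    for g in GROUPS.values():
        if rid_of(g["objectSid"]) == user["primaryGroupID"]:
            return g
    return None


def groups_for_user(user_dn):
    """Correct resolver: 'member' links plus the primaryGroupID match."""
    names = set(groups_via_member(user_dn))
    primary = primary_group_of(user_dn)
    if primary is not None:
        names.add(primary["sAMAccountName"])
    return sorted(names)


def primary_gid_consistent(user_dn):
    """Sanity check for hand-maintained POSIX attributes: the user's gidNumber
    should equal the gidNumber of the group named by primaryGroupID."""
    primary = primary_group_of(user_dn)
    return primary is not None and USERS[user_dn]["gidNumber"] == primary["gidNumber"]


if __name__ == "__main__":
    dn = "CN=Fred,CN=Users,DC=example,DC=com"
    print("member-only:", groups_via_member(dn))
    print("member + primaryGroupID:", groups_for_user(dn))
    print("gidNumber matches primary group:", primary_gid_consistent(dn))
```

The member-only resolver returns just "Domain Admins" for the sample user; only the second resolver also reports "Domain Users". Any NSS backend that populates groups purely from "member" (or from a memberUid-style attribute) will show exactly this gap, which is why the thread points at winbind, which performs the primaryGroupID lookup itself.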
