[Samba] Samba4 Winbind - is it really not possible to be sensible?

Matthieu Patou mat at samba.org
Sat Jan 26 15:16:49 MST 2013

On 01/26/2013 12:49 PM, Rob McCorkell wrote:
> Thanks for the explanation - I wasn't thinking too much about multiple 
> domains, and I guess it would be an issue. A potential solution would 
> be to have offsets for each domain, specified in smb.conf? If I didn't 
> have too much on my plate already I would have a look at the mapping 
> code and attempt to write a solution myself.
Well I don't like the idea of having to set something in the smb.conf 
because it doesn't match with the idea of configure once and then forget it.
More importantly it will be very hard to make it work in our automated 
testsuite and not covering this part with tests is a recipe for a disaster.

> The 'solution' with the UID discrepancy between nslcd and Samba was to 
> feed back the nslcd UID back into Samba, then tell Samba to use those 
> UIDs instead. Oh, and while I am here I might as well bring a 
> particular bug to your attention - when Samba is set to use rfc2307, 
> but no uidNumber attribute exists for an object, the UID number gets 
> allocated. But once a uidNumber attribute is set, and the allocation 
> has already taken place, the allocated UID is used instead. I can't 
> imagine that this is the desired behaviour with rfc2307.
No that's not a bug but a secure approach (ihmo), because if samba needs 
to allocate that's either for checking access for a read or because the 
user is writing a file, if the user is writing a file it's very very 
wrong to change its UID/GID because it means that the UID/GID in the 
ACLs won't be correct and user might not be able to access/modify/delete 
its file.


Matthieu Patou
Samba Team

More information about the samba mailing list