[Samba] Winbind troubles

Rowland Penny rowlandpenny at googlemail.com
Tue Jul 23 08:23:50 MDT 2013

On 23 July 2013 15:04, Jonathan Buzzard <jonathan at buzzard.me.uk> wrote:

> Not what I said. The primaryGroupID is an identifier for a group in AD,
> bit like a SID is (I don't get that either). So primaryGroupID 513 might
> refer to a group called sambausers, which has its own set of
> RFC2307bis attributes which include a gidNumber. Winbind uses the
> gidNumber of the primaryGroupID, not the primaryGroupID itself which is
> something entirely different.

As I said, sssd uses the user's gidNumber, not the primaryGroupID. I may be
wrong, but I believe that the primaryGroupID is a Windows thing and as such
should be ignored by winbind if it is instructed to use rfc2307 attributes,
but that is just my opinion.

> As such your example does not show what you think it does show because
> you have not shown the gidNumber of the group identified by
> primaryGroupID 513. I would say even if sssd uses the gidNumber of the
> user it would in my opinion be good practice to keep the gidNumber of
> the user the same as the gidNumber of the Windows primary group.

So sorry, this is the gidNumber attribute from
dn: CN=Domain Users,CN=Users,DC=example,DC=com
gidNumber: 20513

As you can see, it is the same gidNumber that the user has.

If you want my opinion, and you probably don't, people need to stop thinking
NT server if they connect to a samba4 AD server and start thinking AD
server; they are totally different.
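
The thread contrasts two candidate primary GIDs for a user: the user's own gidNumber (which Rowland says sssd uses) and the gidNumber of the group identified by primaryGroupID (which Jonathan says winbind uses). The following is an added example, not code from either poster or from Samba, that reports both values per user and flags a mismatch. The records, the domain SID and the function names are constructed for illustration, and objectSid is assumed to be exported in string form.

```python
# Constructed sample records (not from the thread); objectSid assumed in string form.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-513
gidNumber: 20513

dn: CN=Unix Staff,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1105
gidNumber: 30000

dn: CN=alice,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1106
primaryGroupID: 513
gidNumber: 20513

dn: CN=bob,CN=Users,DC=example,DC=com
objectSid: S-1-5-21-1111-2222-3333-1107
primaryGroupID: 513
gidNumber: 30000
"""

def parse_ldif(text):
    """Parse simple single-valued, unwrapped LDIF into a list of dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry[key] = value
        entries.append(entry)
    return entries

def primary_gid_report(entries):
    """Per user: (own gidNumber, gidNumber of the primaryGroupID group, match?)."""
    # primaryGroupID is a RID: append it to the user's domain SID to get the
    # group's full SID, then read that group's RFC2307 gidNumber.
    by_sid = {e["objectSid"]: e for e in entries if "objectSid" in e}
    report = {}
    for e in entries:
        if "primaryGroupID" not in e:
            continue  # groups carry no primaryGroupID; only check accounts
        domain_sid = e["objectSid"].rsplit("-", 1)[0]
        group = by_sid.get(f"{domain_sid}-{e['primaryGroupID']}", {})
        own = e.get("gidNumber")
        via_group = group.get("gidNumber")
        report[e["dn"]] = (own, via_group, own is not None and own == via_group)
    return report
```

A user flagged as a mismatch here (bob in the constructed data) would get a different primary GID depending on which of the two attributes the client resolves.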

