[Samba] Winbind troubles

Jonathan Buzzard jonathan at buzzard.me.uk
Tue Jul 23 09:44:53 MDT 2013

On Tue, 2013-07-23 at 15:23 +0100, Rowland Penny wrote:
> On 23 July 2013 15:04, Jonathan Buzzard <jonathan at buzzard.me.uk>
> wrote:
>         Not what I said. The primaryGroupID is an identifier for a group in AD,
>         bit like a SID is (I don't get that either). So primaryGroupID 513 might
>         refer to a group called sambausers, which has its own set of RFC2307bis
>         attributes which include a gidNumber. Winbind uses the gidNumber of the
>         primaryGroupID, not the primaryGroupID itself which is something
>         entirely different.
> As I said sssd uses the user's gidNumber not the primaryGroupID, I may
> be wrong but I believe that the primaryGroupID is a windows thing and
> as such should be ignored by winbind if it is instructed to use
> rfc2307 attributes, but that is just my opinion.

You don't seem to have taken on board that primaryGroupID is a numerical
identifier for an actual group. Now why Microsoft didn't use the group's
SID I have not the faintest idea.

The number returned by primaryGroupID is only used by winbind to
identify the primary group of the user. It then looks up the gidNumber
for that group and returns that.

Would it be a good idea for the user to have a different primary group
in Windows land from Unix land? I tend to think that keeping them the
same is a good idea and hence the way winbind does it has considerable
merit. In particular you can use the Windows tools to change the primary
group of the user and get expected results on both Windows and Unix.

Basically adding a gidNumber to each user is a redundant feature of

>         As such your example does not show what you think it does show because
>         you have not shown the gidNumber of the group identified by
>         primaryGroupID 513. I would say even if sssd uses the gidNumber of the
>         user it would in my opinion be good practice to keep the gidNumber of
>         the user the same as the gidNumber of the Windows primary group.
> So sorry, this is the gidNumber attribute from 
> dn: CN=Domain Users,CN=Users,DC=example,DC=com
> gidNumber: 20513
> As you can see, it is the same gidNumber that the user has.

But if the group identified by primaryGroupID 513 has gidNumber 20513
(which would be in my opinion best practice) without looking in the
source code of sssd you don't know whether sssd took the gidNumber of
the user or took the primaryGroupID, and then looked up the gidNumber of
that group. As your example has not shown what the gidNumber of the
group identified by primaryGroupID 513 is, it has not demonstrated what
you claim it has demonstrated.

It might well be that what you claim is true, it is just that your
example does not demonstrate it to be conclusively the case.

> If you want my opinion and you probably don't, people need to stop
> thinking NT server if they connect to a samba4 AD server and start
> thinking AD server, they are totally different.

Absolutely. I think much of the Samba4 related stuff on this mailing
list would not be here if the users bothered to read a dummies guide to
AD at a minimum. If you don't have a good understanding of how AD works
then trying to setup a Samba4 AD domain controller is probably a bad


Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
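The two resolution paths argued over in this thread, written out as an added example (not code from Samba, sssd or either poster): winbind-style lookup takes the user's primaryGroupID as the RID of the group, builds the group SID from the domain SID plus that RID and returns that group's gidNumber, while sssd-style lookup (as Rowland describes it) returns the user's own gidNumber. The audit reports where the two disagree, which is the check Jonathan asks for. The domain SID, group RIDs and user entries below are constructed sample data, not real directory objects.

```python
"""Constructed example: compare primaryGroupID-based and gidNumber-based
primary-group resolution for AD users carrying RFC2307 attributes."""
from typing import Optional

# Constructed sample directory data (placeholder domain SID, not a real one).
DOMAIN_SID = "S-1-5-21-1111-2222-3333"

GROUPS = {
    f"{DOMAIN_SID}-513": {"cn": "Domain Users", "gidNumber": 20513},
    f"{DOMAIN_SID}-1105": {"cn": "sambausers", "gidNumber": 21105},
    f"{DOMAIN_SID}-1106": {"cn": "nounix"},  # no gidNumber attribute at all
}

USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": 513, "gidNumber": 20513},
    {"sAMAccountName": "bob", "primaryGroupID": 1105, "gidNumber": 20513},
    {"sAMAccountName": "carol", "primaryGroupID": 1106, "gidNumber": 20513},
    {"sAMAccountName": "dave", "primaryGroupID": 513},  # no gidNumber on user
]


def winbind_primary_gid(user, groups=GROUPS, domain_sid=DOMAIN_SID) -> Optional[int]:
    """primaryGroupID is the RID of the group: build the group SID
    (domain SID + RID), find that group and return *its* gidNumber."""
    rid = user.get("primaryGroupID")
    if rid is None:
        return None
    group = groups.get(f"{domain_sid}-{rid}")
    if group is None:
        return None
    return group.get("gidNumber")


def sssd_primary_gid(user) -> Optional[int]:
    """Take the gidNumber attribute stored on the user object itself."""
    return user.get("gidNumber")


def check_user(user, groups=GROUPS, domain_sid=DOMAIN_SID) -> str:
    """Classify whether both resolution paths agree for one user."""
    via_group = winbind_primary_gid(user, groups, domain_sid)
    via_user = sssd_primary_gid(user)
    if via_group is None:
        return "no-group-gid"  # group missing or lacks a gidNumber
    if via_user is None:
        return "no-user-gid"   # only the primaryGroupID path can resolve
    return "ok" if via_group == via_user else "mismatch"


def audit(users=USERS, groups=GROUPS, domain_sid=DOMAIN_SID) -> dict:
    """Return {account: status} so mismatched users can be fixed in AD."""
    return {u["sAMAccountName"]: check_user(u, groups, domain_sid) for u in users}
```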
