Rowland Penny rowlandpenny at googlemail.com
Tue Jul 23 10:10:46 MDT 2013

On 23 July 2013 16:44, Jonathan Buzzard <jonathan at buzzard.me.uk> wrote:

> You don't seem to have taken on board that primaryGroupID is a numerical
> identifier for an actual group. Now why Microsoft didn't use the group's
> SID I have not the faintest idea.
I suppose that you have noticed that the primaryGroupID is the RID from
the group's SID, and yes, I had taken it on board.

> The number returned by primaryGroupID is only used by winbind to
> identify the primary group of the user. It then looks up the gidNumber
> for that group and returns that.
> Would it be a good idea for the user to have a different primary group
> in Windows land from Unix land? I tend to think that keeping them the
> same is a good idea and hence the way winbind does it has considerable
> merit. In particular you can use the Windows tools to change the primary
> group of the user and get expected results on both Windows and Unix.
I would agree with you here, the user's primary group needs to be the same
in Windows & Linux.

> Basically adding a gidNumber to each user is a redundant feature of
> RFC2307.

Redundant it may be, but it is the way that windows wants it to be done.

> >
> >
> >         As such your example does not show what you think it does show
> >         because
> >         you have not shown the gidNumber of the group identified by
> >         primaryGroupID 513. I would say even if sssd uses the
> >         gidNumber of the
> >         user it would in my opinion be good practice to keep the
> >         gidNumber of
> >         the user the same as the gidNumber of the Windows primary
> >         group.
> >
> > So sorry, this is the gidNumber attribute from
> > dn: CN=Domain Users,CN=Users,DC=example,DC=com
> > gidNumber: 20513
> >
> >
> > As you can see, it is the same gidNumber that the user has.
> >
> But if the group identified by primaryGroupID 513 has gidNumber 20513
> (which would be in my opinion best practice) without looking in the
> source code of sssd you don't know whether sssd took the gidNumber of
> the user or took the primaryGroupID, and then looked up gidNumber of
> that group. As your example has not shown what the gidNumber of the
> group identified by primaryGroupID 513 is, it has not demonstrated what
> you claim it has demonstrated.
Does it matter, as long as the right answer is returned?

But for your information, sssd pulls ALL the information from the user's
RFC2307 attributes; in fact it pulls more information than winbind.
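(Added worked example, not part of the thread and not code from Samba's winbind or from sssd.) The two resolution paths argued about above can be shown side by side: winbind takes the user's primaryGroupID, treats it as the RID of a group in the user's own domain (domain SID of the user's objectSid plus that RID), and returns that group's gidNumber; the other path simply reads the gidNumber stored on the user. The directory entries, DNs and SID values below are constructed sample data; "jdoe" is a consistent user like the one in the thread, while "asmith" is a deliberately inconsistent one whose user gidNumber disagrees with the gidNumber of the group named by primaryGroupID, which is exactly the case the discussion says you cannot distinguish from a single consistent example.

```python
"""Resolve a user's Unix primary group two ways and audit for agreement.

Constructed sample data: the DNs, SIDs and gidNumbers are made up for
illustration and do not come from a real domain.
"""

# Stand-in for an LDAP search result, keyed by DN. Only the attributes
# relevant to primary-group mapping are included.
DIRECTORY = {
    "CN=jdoe,CN=Users,DC=example,DC=com": {
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1105",
        "primaryGroupID": "513",
        "gidNumber": "20513",
    },
    "CN=asmith,CN=Users,DC=example,DC=com": {
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1106",
        "primaryGroupID": "512",      # Domain Admins as Windows primary group
        "gidNumber": "20513",         # but Unix gidNumber still says Domain Users
    },
    "CN=nogid,CN=Users,DC=example,DC=com": {
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-1107",
        "primaryGroupID": "513",      # no gidNumber on the user at all
    },
    "CN=Domain Users,CN=Users,DC=example,DC=com": {
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-513",
        "gidNumber": "20513",
    },
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {
        "objectSid": "S-1-5-21-1111111111-2222222222-3333333333-512",
        "gidNumber": "20512",
    },
}


def domain_sid(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-1105 -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def primary_group_sid(user):
    """primaryGroupID is a bare RID; the group lives in the user's own domain,
    so its SID is the user's domain SID with that RID appended."""
    return "%s-%d" % (domain_sid(user["objectSid"]), int(user["primaryGroupID"]))


def find_by_sid(sid):
    """Linear search standing in for an (objectSid=...) LDAP filter."""
    for dn, entry in DIRECTORY.items():
        if entry["objectSid"] == sid:
            return dn, entry
    raise LookupError("no entry with objectSid %s" % sid)


def gid_via_primary_group(user_dn):
    """The winbind-style path: primaryGroupID -> group entry -> group gidNumber.
    Returns None if the group has no gidNumber (unmappable under RFC2307)."""
    user = DIRECTORY[user_dn]
    _, group = find_by_sid(primary_group_sid(user))
    gid = group.get("gidNumber")
    return int(gid) if gid is not None else None


def gid_via_user_attribute(user_dn):
    """The other path: gidNumber read straight from the user's RFC2307 attributes.
    Returns None if the user carries no gidNumber."""
    gid = DIRECTORY[user_dn].get("gidNumber")
    return int(gid) if gid is not None else None


def audit_primary_group(user_dn):
    """Compare both paths. 'consistent' is True only when both resolve to the
    same gid; a missing value on either side counts as inconsistent, since a
    consumer using that path would fail to map the user."""
    via_group = gid_via_primary_group(user_dn)
    via_user = gid_via_user_attribute(user_dn)
    return {
        "primary_group_sid": primary_group_sid(DIRECTORY[user_dn]),
        "gid_via_primary_group": via_group,
        "gid_via_user_attribute": via_user,
        "consistent": via_group is not None and via_group == via_user,
    }


if __name__ == "__main__":
    for dn in DIRECTORY:
        if "primaryGroupID" in DIRECTORY[dn]:
            print(dn, audit_primary_group(dn))
```

Running the audit over every user in a real domain (replace DIRECTORY with the output of an ldapsearch for objectSid, primaryGroupID and gidNumber) finds the accounts on which winbind and an sssd-style user-attribute lookup would disagree, which is the situation the thread says a single consistent example cannot reveal.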


