[Samba] Winbind troubles

steve steve at steve-ss.com
Tue Jul 23 16:49:56 MDT 2013

On Tue, 2013-07-23 at 23:21 +0100, Jonathan Buzzard wrote:
> On 23/07/13 17:10, Rowland Penny wrote:
> [SNIP]
> >
> >     But if the group identified by primaryGroupID 513 has gidNumber 20513
> >     (which would be in my opinion best practice) without looking in the
> >     source code of sssd you don't know whether sssd took the gidNumber of
> >     the user or took the primaryGroupID, and then looked up gidNumber of
> >     that group. As your example has not shown what the gidNumber of the
> >     group identified by primaryGroupID 513 is, it has not demonstrated what you
> >     claim it has demonstrated.
> >
> >
> > Does it matter, as long as the right answer is returned?
> >
> Only in that you gave an example that claimed to show that sssd used the 
> gidNumber from the user's entry. The point I was making is that it did 
> not actually show that. What it showed was sssd returning a GID that 
> matched the gidNumber from the user's entry, which while close is not what 
> you claimed.
> > But for your information, sssd pulls ALL the information from the user's
> > RFC2307 information, in fact it pulls more information than winbind.
> >
> Well then that sucks and I prefer the winbind method, because as far as 
> I am aware changing the Windows primary group (at least under 2003R2 and 
> 2008R2, not tested 2012 or Samba4) of a user has no effect on the user's 
> gidNumber. As such it is inevitable that mistakes will be made, things 
> will get out of sync and stuff will break in odd not apparent ways.
> Reasons why winbind is better than sssd if you ask me :-)

Well, I don't think we're here to decide what is better and I don't
think we're helping the OP at all, rather serving to confuse:(

For the record, sssd pulls all its info from AD. A user does not need a
gidNumber, it is drawn from the primaryGroupID. For Linux clients it is
vital that whatever the primaryGroupID is contains the gidNumber
attribute. sssd does the rest. I see that the classicupgrade retains the
user gidNumber so maybe we should keep it in the DN of not only the
primaryGroup but also in the DN for new users too. For compatibility?
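
The thread disagrees about which attribute a client resolves, so the following added example (not part of the original post, and not sssd or winbind code) audits a directory export for the accounts where the two answers would differ: a user whose own gidNumber does not match the gidNumber of the group named by primaryGroupID, or whose primary group has no gidNumber at all. The entries, the domain SID and the function names are constructed for illustration, and objectSid is assumed to be already decoded to its string form.

```python
# Added example: consistency audit between a user's gidNumber and the
# gidNumber of the group identified by the user's primaryGroupID.
# All data below is constructed sample input, not taken from the thread.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

ENTRIES = [
    {"dn": "CN=Domain Users,CN=Users,DC=example,DC=com", "objectClass": "group",
     "objectSid": DOMAIN_SID + "-513", "gidNumber": "20513"},
    {"dn": "CN=staff,CN=Users,DC=example,DC=com", "objectClass": "group",
     "objectSid": DOMAIN_SID + "-1105"},  # group without gidNumber
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "objectClass": "user",
     "primaryGroupID": "513", "gidNumber": "20513"},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "objectClass": "user",
     "primaryGroupID": "513", "gidNumber": "100"},
    {"dn": "CN=carol,CN=Users,DC=example,DC=com", "objectClass": "user",
     "primaryGroupID": "1105", "gidNumber": "20513"},
    {"dn": "CN=dave,CN=Users,DC=example,DC=com", "objectClass": "user",
     "primaryGroupID": "513"},  # no gidNumber on the user entry
]

def rid(sid):
    """Return the relative identifier, the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def audit_primary_groups(entries):
    """Return (dn, finding) pairs for users whose group mapping is ambiguous."""
    # primaryGroupID holds the RID of the group, so index groups by RID.
    groups = {rid(e["objectSid"]): e for e in entries
              if e["objectClass"] == "group"}
    findings = []
    for e in entries:
        if e["objectClass"] != "user":
            continue
        group = groups.get(int(e["primaryGroupID"]))
        if group is None:
            findings.append((e["dn"], "primary-group-not-found"))
        elif "gidNumber" not in group:
            findings.append((e["dn"], "primary-group-has-no-gidNumber"))
        elif "gidNumber" in e and e["gidNumber"] != group["gidNumber"]:
            # The two lookup paths give different GIDs for this account.
            findings.append((e["dn"], "user-gidNumber-differs-from-primary-group"))
    return findings

if __name__ == "__main__":
    for dn, finding in audit_primary_groups(ENTRIES):
        print(f"{finding}: {dn}")
```

Accounts it reports are the ones where file group ownership on a Linux client could depend on which lookup path the client uses.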
