[Samba] Winbind troubles

Jonathan Buzzard jonathan at buzzard.me.uk
Wed Jul 24 04:59:52 MDT 2013


On Wed, 2013-07-24 at 00:49 +0200, steve wrote:

[SNIP]

> For the record, sssd pulls all its info from AD.

I never said otherwise.

>  A user does not need a gidNumber, it is drawn from the
>  primaryGroupID. For Linux clients it is vital that whatever the
>  primaryGroupID is contains the gidNumber attribute. sssd does the
>  rest.

Hum, according to Rowland it uses the gidNumber in the user's DN, though
his posted "proof" was flawed and it could have been coming from the
gidNumber of the user's primary group just as Winbind does. I have
browsed the source code for sssd but it is not immediately obvious where
it is getting the info from. So which one does it really use?

>  I see that the classicupgrade retains the user gidNumber so
>  maybe we should keep it in the DN of not only the primaryGroup but
>  also in the DN for new users too. For compatibility?

Like I said, best practice is probably to keep them the same. The thing
with RFC2307 is that it is for storing Unix attributes in LDAP and we
are talking about storing Unix attributes in AD which is not quite the
same thing. Ideally the gidNumber field in the user's entry should be a
derived field similar to the memberOf fields.

JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
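
Added example, not part of the original message: a Python check over constructed directory entries that flags users whose own gidNumber differs from the gidNumber of the group their primaryGroupID points to, which is the case where the two lookup strategies discussed above give different answers. The domain SID, the entries and the function name are assumptions made for the illustration.

```python
# Added example: audit RFC2307 gidNumber consistency in AD-style entries.
# Every entry below is constructed sample data, not from a real directory.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed

GROUPS = [
    {"cn": "Domain Users", "objectSid": DOMAIN_SID + "-513", "gidNumber": "10000"},
    {"cn": "staff", "objectSid": DOMAIN_SID + "-1105", "gidNumber": "10001"},
    {"cn": "legacy", "objectSid": DOMAIN_SID + "-1106"},  # no gidNumber set
]

USERS = [
    {"sAMAccountName": "alice", "primaryGroupID": "513", "gidNumber": "10000"},
    {"sAMAccountName": "bob", "primaryGroupID": "513", "gidNumber": "10001"},
    {"sAMAccountName": "carol", "primaryGroupID": "1105"},
    {"sAMAccountName": "dave", "primaryGroupID": "1106", "gidNumber": "10002"},
]


def audit_primary_gids(users, groups, domain_sid):
    """Compare each user's own gidNumber with the gidNumber of the group
    named by primaryGroupID. Returns {sAMAccountName: finding}."""
    by_sid = {g["objectSid"]: g for g in groups}
    findings = {}
    for u in users:
        # The primary group's SID is the domain SID plus the primaryGroupID RID.
        group = by_sid.get(f"{domain_sid}-{u['primaryGroupID']}")
        group_gid = group.get("gidNumber") if group else None
        user_gid = u.get("gidNumber")
        if group_gid is None:
            # A client that derives the GID from the primary group gets nothing.
            status = "primary group has no gidNumber"
        elif user_gid is None:
            # A client that reads the user's own attribute gets nothing.
            status = "user gidNumber unset"
        elif user_gid != group_gid:
            # Clients using different sources would report different GIDs.
            status = f"mismatch: user {user_gid} vs group {group_gid}"
        else:
            status = "ok"
        findings[u["sAMAccountName"]] = status
    return findings


if __name__ == "__main__":
    for name, status in audit_primary_gids(USERS, GROUPS, DOMAIN_SID).items():
        print(f"{name}: {status}")
```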


