[Samba] Possible winbind bugs.

Rowland Penny rowlandpenny at googlemail.com
Thu Jul 10 04:01:55 MDT 2014


On 10/07/14 10:27, steve wrote:
> On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
>> Dear All,
>>
>> I've found a strange behavior on Winbind + getent group
>>
>> If there are AD/winbind groups that don't have any unix gid...
>> getent group will only show local groups.
>>
>>
>> If all the AD/winbind groups have unix gids
>> getent will reply with all the groups I have, including the AD/winbind groups.
>>
>> Did we have any bugs reported on this?
>>
>> Thank You.
> Hi Chan
>
> Lots of confusion here.
>
> I don't think it's a bug because it would be reasonable to expect that
> if we wish domain groups to behave as posix groups, then we must play by
> posix rules and include a gid. Otherwise nss knows nothing about them.
>
> As we understand, must haves:
> Domain groups: gidNumber
> Domain users: uidNumber and gidNumber
Hi, I thought that, until it was pointed out that if you use winbind,
the user's gidNumber is ignored and winbind pulls the gidNumber directly
from the primary group.

So yes, the user's primary group must have a gidNumber, but the user does
not need this added.

Rowland

>
> The latter must be the gidNumber corresponding to the primaryGroupID for
> the user.
>
> As the default group for all new users is Domain Users, then make sure a
> minimum of that group has a gidNumber.
> Test:
> id user
> getent group  <domain group>
> getent passwd user
> groups user
>
> If ANY of those fail to return they will not behave correctly.
> HTH
> Steve
>
>
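
The rule discussed in this thread (groups need a gidNumber, and with winbind it is the primary group's gidNumber that counts, not the user's own), as an added example that is not part of the original messages or of Samba: a Python audit over an LDIF export. The sample entries, domain name and SIDs are constructed, and it assumes objectSid is printed in string form with no folded or base64 lines.

```python
# Added example: flag groups without gidNumber and users whose primary group lacks one.
# Assumption: objectSid appears as a string SID (S-1-5-21-...-RID); sample data is constructed.
SAMPLE_LDIF = """\
dn: CN=Domain Users,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: Domain Users
objectSid: S-1-5-21-1111-2222-3333-513

dn: CN=staff,CN=Users,DC=example,DC=com
objectClass: group
sAMAccountName: staff
objectSid: S-1-5-21-1111-2222-3333-1105
gidNumber: 10001

dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
primaryGroupID: 513
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
primaryGroupID: 1105
"""

def parse_ldif(text):
    """Split LDIF into entries; each entry maps attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry.setdefault(key, []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit(entries):
    """Return (groups without gidNumber, users whose primary group has no gidNumber)."""
    groups = [e for e in entries if "group" in e.get("objectClass", [])]
    users = [e for e in entries if "user" in e.get("objectClass", [])]
    # primaryGroupID holds the RID, i.e. the last component of the group's SID.
    by_rid = {g["objectSid"][0].rsplit("-", 1)[1]: g for g in groups if "objectSid" in g}
    def primary_has_gid(u):
        g = by_rid.get(u.get("primaryGroupID", [""])[0])
        return g is not None and "gidNumber" in g
    no_gid = [g["sAMAccountName"][0] for g in groups if "gidNumber" not in g]
    return no_gid, [u["sAMAccountName"][0] for u in users if not primary_has_gid(u)]
```

In the constructed sample, alice is flagged even though she has her own gidNumber, because her primary group (RID 513) has none, while bob passes without one.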


