[Samba] Possible winbind bugs.
Jonathan Buzzard
jonathan at buzzard.me.uk
Thu Jul 10 08:58:24 MDT 2014
On Thu, 2014-07-10 at 15:27 +0100, Rowland Penny wrote:
[SNIP]
> You can either, add a gidNumber to every AD group (not really a good
> idea), run 'getent group <AD group name>' or use something else instead
> of winbind.
Why is adding a GID to every AD group not a good idea? I would take the
view that if you are going to use AD for NSS on a Unix machine then it
is a good idea/best practice to do so.
The short of it is that your end users are not going to know which
groups have a GID set and which don't so all sorts of issues can arise
to bite you if they don't all have a GID.
I would also take the view that the gidNumber in the users DN is the
result of who ever wrote RFC2307 just seeing a bunch of Unix attributes
and coming up with a schema for it rather than thinking how LDAP works
and working out a way to provide the NSS information in a logically
consistent way with LDAP. The Samba developers did the "right thing" and
ignored daftness of the RFC.
JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
More information about the samba
mailing list