[Samba] Possible winbind bugs.

Jonathan Buzzard jonathan at buzzard.me.uk
Thu Jul 10 08:58:24 MDT 2014

On Thu, 2014-07-10 at 15:27 +0100, Rowland Penny wrote:


> You can either, add a gidNumber to every AD group (not really a good 
> idea), run 'getent group <AD group name>' or use something else instead 
> of winbind.

Why is adding a GID to every AD group not a good idea? I would take the
view that if you are going to use AD for NSS on a Unix machine then it
is a good idea/best practice to do so.

The short of it is that your end users are not going to know which
groups have a GID set and which don't so all sorts of issues can arise
to bite you if they don't all have a GID.

I would also take the view that the gidNumber in the users DN is the
result of who ever wrote RFC2307 just seeing a bunch of Unix attributes
and coming up with a schema for it rather than thinking how LDAP works
and working out a way to provide the NSS information in a logically
consistent way with LDAP. The Samba developers did the "right thing" and
ignored daftness of the RFC.


Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

More information about the samba mailing list