[Samba] Possible winbind bugs.

Rowland Penny rowlandpenny at googlemail.com
Thu Jul 10 09:23:57 MDT 2014

On 10/07/14 15:58, Jonathan Buzzard wrote:
> On Thu, 2014-07-10 at 15:27 +0100, Rowland Penny wrote:
> [SNIP]
>> You can either, add a gidNumber to every AD group (not really a good
>> idea), run 'getent group <AD group name>' or use something else instead
>> of winbind.
> Why is adding a GID to every AD group not a good idea? I would take the
> view that if you are going to use AD for NSS on a Unix machine then it
> is a good idea/best practice to do so.
>
> The short of it is that your end users are not going to know which
> groups have a GID set and which don't, so all sorts of issues can arise
> to bite you if they don't all have a GID.
>
> I would also take the view that the gidNumber in the user's DN is the
> result of whoever wrote RFC2307 just seeing a bunch of Unix attributes
> and coming up with a schema for it rather than thinking how LDAP works
> and working out a way to provide the NSS information in a logically
> consistent way with LDAP. The Samba developers did the "right thing" and
> ignored the daftness of the RFC.
>
> JAB.
OK, if you do 'wbinfo -g', you will get (among others) this:

Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers

Do you really think that your users need to know about all of the above?

As for RFC2307, there is enough in there to get an AD user recognised as 
a Unix user; what else do you think is required?

Winbind on the Samba4 AD DC works differently; it does show all groups 
that have a gidNumber and ignores any that don't.
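A quick way to see the problem Jonathan describes (users not knowing which groups have a GID) is to compare what winbind enumerates with what NSS can actually resolve. The script below is an added example for this thread, not Rowland's code and not part of Samba: it takes the text of 'wbinfo -g' and 'getent group', and prints every group winbind lists that NSS has no entry for, which on the Samba4 AD DC is exactly the "no gidNumber" case described above. It assumes the default winbind separator '\' when stripping a DOMAIN\ prefix from NSS names, and the sample output embedded in it is constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: list AD groups that winbind enumerates
# ('wbinfo -g') but that NSS cannot resolve ('getent group'); on a Samba AD DC
# that is the set of groups with no gidNumber. Sample data below is constructed.

# groups_without_gid WBINFO_OUTPUT GETENT_OUTPUT
#   $1: text as produced by 'wbinfo -g' (one group name per line)
#   $2: text as produced by 'getent group' (name:x:gid:members)
# Prints each group from $1 that has no matching name in $2.
# Assumes the default winbind separator '\' when stripping a DOMAIN\ prefix.
groups_without_gid() {
    {
        # tag NSS names with N and winbind names with W, then merge in one awk pass
        printf '%s\n' "$2" | awk -F: '{ print "N", $1 }'
        printf '%s\n' "$1" | awk '{ print "W", $0 }'
    } | awk '
        # normalise a group name: drop any DOMAIN\ prefix and fold case
        function norm(n) { sub(/^.*\\/, "", n); return tolower(n) }
        $1 == "N" { sub(/^N /, ""); seen[norm($0)] = 1; next }
        $1 == "W" { sub(/^W /, ""); if ($0 != "" && !(norm($0) in seen)) print $0 }
    '
}

# Constructed sample input: four winbind groups, only two of which NSS knows.
SAMPLE_WBINFO='Domain Admins
Domain Users
Domain Guests
unixgroup'
SAMPLE_GETENT='root:x:0:
SAMDOM\domain users:x:10000:
SAMDOM\unixgroup:x:10001:rowland'

echo "Groups winbind lists but NSS cannot resolve (constructed sample):"
groups_without_gid "$SAMPLE_WBINFO" "$SAMPLE_GETENT"
```

On a live machine the same function is called as groups_without_gid "$(wbinfo -g)" "$(getent group)"; anything it prints is a group your users will see named in Windows tooling but cannot use from the Unix side until it gets a gidNumber.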
