[Samba] winbind: homeDirectory being ignored

Jonathan Buzzard jonathan at buzzard.me.uk
Wed Jun 25 09:54:00 MDT 2014

On Wed, 2014-06-25 at 11:10 +0100, Rowland Penny wrote:
> On 25/06/14 10:28, Brian Candler wrote:
> > On 24/06/2014 16:12, Rowland Penny wrote:
> >> Try adding 'unixHomeDirectory: /home/user7' to the users AD info
> >>
> >> 'homedirectory' & 'unixHomeDirectory' are different attributes. 
> > Thanks for all the help so far.
> >
> > Aside: I wrote an LDAP server library some years ago, so I understand 
> > some of the protocol internals. LDAP requires you to go to the trouble 
> > of defining a globally unique OID to identify every attribute - and 
> > then what actually gets sent on the wire is the text label, not the 
> > OID. Go figure.
> >
> > RFC2307 uses the label "homeDirectory" for OID It 
> > seems that in AD you can put both "homeDirectory" and 
> > "unixHomeDirectory" attributes, which are treated as different 
> > attributes in the database and on the wire, except they have the same 
> > OID. Yuk.
> This may be true of RFC2307, but not in AD, yes "unixHomeDirectory" has 
> the OID, but in AD "homeDirectory" has the OID 
> 1.2.840.113556.1.4.44.
> >
> > To be fair, RFC2307 is only an "experimental" RFC, and I don't think 
> > RFC2307bis was ever finalised.
> >
> > As for groups: RFC2307 hardly mentions groups at all (memberUid is 
> > just defined as an attribute, and that's it).
> >
> > Does anyone have any pointers to documentation about how Active 
> > Directory maps Unix gid and supplementary groups from LDAP entries and 
> > attributes? Because I'm having a hard time finding any. In particular, 
> > it seems to be using the gidNumber from the group object. But if a 
> > user is a member of multiple groups, how does it decide which is the 
> > primary group and which are supplementary groups?
> The Unix user's primary group is whatever you put as the 'gidNumber',
> after that it defaults to the windows way of doing things. If the 
> windows groups do not have a 'gidNumber' they have to be mapped to a 
> number that Unix understands, winbind does this with the idmap backend.

Yes and no, winbind for reasons all unto itself (well it actually makes
some sense as the gidNumber attribute is redundant) uses the
primaryGroupID, and pulls the GID for this group completely ignoring the
gidNumber of the user. On the other hand, sssd I believe uses the
gidNumber of the user.

Personally I think it is best practice to get the user's gidNumber the
same as the GID of the user's primaryGroupID for consistency.


Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
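
The consistency check recommended in the message above, as an added example that is not part of the original thread: it flags accounts whose gidNumber differs from the gidNumber of the group named by primaryGroupID. It assumes user and group entries have already been exported from AD into dictionaries; the records shown are constructed, and primaryGroupID is matched against the RID (last component) of each group's objectSid.

```python
# Added example: constructed records standing in for an AD export.
USERS = [
    {"sAMAccountName": "user7", "primaryGroupID": 513, "gidNumber": 10000},
    {"sAMAccountName": "user8", "primaryGroupID": 1105, "gidNumber": 10000},
    {"sAMAccountName": "user9", "primaryGroupID": 1106, "gidNumber": 10002},
    {"sAMAccountName": "user10", "primaryGroupID": 513, "gidNumber": None},
]
GROUPS = [
    {"cn": "Domain Users", "objectSid": "S-1-5-21-1111-2222-3333-513", "gidNumber": 10000},
    {"cn": "staff", "objectSid": "S-1-5-21-1111-2222-3333-1105", "gidNumber": 10001},
    {"cn": "nogid", "objectSid": "S-1-5-21-1111-2222-3333-1106", "gidNumber": None},
]


def rid(sid):
    """Return the last sub-authority of a SID string, i.e. the RID."""
    return int(sid.rsplit("-", 1)[1])


def audit(users, groups):
    """Return (user, issue, user_gid, group_gid) for every inconsistency."""
    by_rid = {rid(g["objectSid"]): g for g in groups}
    findings = []
    for u in users:
        name, ugid = u["sAMAccountName"], u.get("gidNumber")
        group = by_rid.get(u["primaryGroupID"])
        if group is None:
            findings.append((name, "primary-group-not-found", ugid, None))
            continue
        ggid = group.get("gidNumber")
        if ggid is None:
            # The primary group carries no RFC2307 GID at all.
            findings.append((name, "primary-group-has-no-gidNumber", ugid, None))
        elif ugid is None:
            findings.append((name, "user-has-no-gidNumber", None, ggid))
        elif ugid != ggid:
            # Lookups via primaryGroupID and via the user's gidNumber disagree.
            findings.append((name, "gid-mismatch", ugid, ggid))
    return findings


if __name__ == "__main__":
    for finding in audit(USERS, GROUPS):
        print(*finding)
```

A gid-mismatch row is an account for which a client that follows primaryGroupID and a client that reads the user's gidNumber would report different primary GIDs.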
