[Samba] winbind: homeDirectory being ignored

[Rowland Penny]

On 25/06/14 16:54, Jonathan Buzzard wrote:
> On Wed, 2014-06-25 at 11:10 +0100, Rowland Penny wrote:
>> On 25/06/14 10:28, Brian Candler wrote:
>>> On 24/06/2014 16:12, Rowland Penny wrote:
>>>> Try adding 'unixHomeDirectory: /home/user7' to the users AD info
>>>>
>>>> 'homedirectory' & 'unixHomeDirectory' are different attributes.
>>> Thanks for all the help so far.
>>>
>>> Aside: I wrote an LDAP server library some years ago, so I understand
>>> some of the protocol internals. LDAP requires you to go to the trouble
>>> of defining a globally unique OID to identify every attribute - and
>>> then what actually gets sent on the wire is the text label, not the
>>> OID. Go figure.
>>>
>>> RFC2307 uses the label "homeDirectory" for OID 1.3.6.1.1.1.1.3. It
>>> seems that in AD you can put both "homeDirectory" and
>>> "unixHomeDirectory" attributes, which are treated as different
>>> attributes in the database and on the wire, except they have the same
>>> OID. Yuk.
>> This may be true of RFC2307, but not in AD, yes "unixHomeDirectory" has
>> the OID 1.3.6.1.1.1.1.3, but in AD "homeDirectory" has the OID
>> 1.2.840.113556.1.4.44.
>>
>>> To be fair, RFC2307 is only an "experimental" RFC, and I don't think
>>> RFC2307bis was ever finalised.
>>>
>>> As for groups: RFC2307 hardly mentions groups at all (memberUid is
>>> just defined as an attribute, and that's it).
>>>
>>> Does anyone have any pointers to documentation about how Active
>>> Directory maps Unix gid and supplementary groups from LDAP entries and
>>> attributes? Because I'm having a hard time finding any. In particular,
>>> it seems to be using the gidNumber from the group object. But if a
>>> user is a member of multiple groups, how does it decide which is the
>>> primary group and which are supplementary groups?
>> The Unix users primary group is whatever you put as the 'gidNumber' ,
>> after that it defaults to the windows way of doing things. If the
>> windows groups do not have a 'gidNumber' they have to be mapped to a
>> number that Unix understands, winbind does this with the idmap backend.
>>
> Yes and no, winbind for reasons all unto itself (well it actually makes
> some sense as the gidNumber attribute is redundant) uses the
> primaryGroupID, and pulls the GID for this group completely ignoring the
> gidNumber of the user. On the otherhand sssd I believe uses the
> gidNumber of the user.
>
> Personally I think it is best practice to get the users gidNumber the
> same as the GID of the users primaryGroupID for consistency.
>
>
> JAB.
>
Well you live and learn, I could have sworn that a user had to have a 
gidNumber for winbind to work, but just tested it and found that it 
works with out one. Mind you, it is entirely possible that I got 
confused and it is the group that has to have a gidNumber.

Rowland