[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

Rowland Penny rowlandpenny241155 at gmail.com
Thu Nov 12 13:32:25 UTC 2015

On 12/11/15 13:05, mathias dufresne wrote:
> That's for that same reason I don't agree and think it is not fair to not
> give Samba admins the choice.
> If all my 120000 users have primary group id set to 100, as you said all
> newly created object on UNIX shares will be owned by group n°100 and so
> accessible to the whole company.

This is the way windows works, you need to use windows ACLs to set just 
who has access etc.

> I'm too thick to see where is the security improvement in that.

It works for windows.

> Let's imagine 2s that a company wants to manage these worlds a little
> differently. If we are forced to use Windows primary group as UNIX primary
> group it seems to me difficult to manage these worlds differently.

If you use a version of a windows product, you have to use it like a 
windows product. Windows ACLs give you broader scope to allow access. On 
Unix you have ugo, owner:group:others i.e. one owner:one group: the 
entire Unix world. On Windows it is: possibly allow every windows user: 
possibly every windows group, you can also deny access and you can 
inherit permissions.

> And I don't feel like I'm asking something really new or inventing
> anything: Microsoft designed its own AD with something to store Windows
> users primary group then some guys thought (fought certainly) together to
> produce rfc2307 which, strangely, comes with its own primary group
> attribute for UNIX world.

RFC2307 was designed for ldap and then taken up by windows for SFU.

> Refusing us the possibility to use that gidNumber attribute is, in my own
> opinion, equal to say rfc2307 contains bad ideas, at least regarding this
> attribute gidNumber.

No, it is just an artifact that you do not need, all you need to do is 
create a group in AD, give that group a gidNumber, add a user to the 
group and that user will have that group as one of its Unix groups.


> That's exactly what I'm asking for months now and I deeply regret to not be
> better in development, I would have tried to help more (I tried but these
> tries just show me how much deep are my lacks of knowledge). And yes I'm
> asking for options, to give us choice. I don't say the choices made until
> now by Samba are wrong, I ask for options, for we can make different
> choices.
> Best regards,
> mathias
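
To make the two mappings argued about in this thread concrete, here is an added toy model (not Samba or Winbind code; the domain data and the resolution rules are constructed assumptions) that derives a user's Unix primary group either from the group named by primaryGroupID or from the user's own rfc2307 gidNumber, and shows which users can reach a file owned by a given gid under each rule:

```python
# Constructed sample data: a toy AD domain carrying rfc2307 attributes.
# Added illustration of the two mappings discussed in the thread; the
# resolution rules below are assumptions, not Winbind's implementation.
from typing import Dict, List, Optional

# Groups keyed by RID; gidNumber is None where the rfc2307 attribute was
# never set (such a group is assumed to be invisible on the Unix side).
GROUPS: Dict[int, dict] = {
    513:  {"name": "domain users", "gidNumber": 100},   # everyone's primaryGroupID
    2001: {"name": "finance",      "gidNumber": 10001},
    2002: {"name": "legacy",       "gidNumber": None},
}

# Users: primaryGroupID is the Windows primary group, gidNumber the rfc2307
# attribute, memberOf the explicit memberships (AD does not list the
# primary group there).
USERS: Dict[str, dict] = {
    "alice": {"uidNumber": 20001, "gidNumber": 10001, "primaryGroupID": 513, "memberOf": [2001]},
    "bob":   {"uidNumber": 20002, "gidNumber": 10001, "primaryGroupID": 513, "memberOf": [2002]},
    "carol": {"uidNumber": 20003, "gidNumber": None,  "primaryGroupID": 513, "memberOf": [2002]},
}

def primary_gid(user: dict, mode: str) -> Optional[int]:
    """Primary Unix gid under either rule."""
    if mode == "windows":    # primary group follows primaryGroupID (the group's gidNumber)
        return GROUPS[user["primaryGroupID"]]["gidNumber"]
    if mode == "rfc2307":    # primary group follows the user's own gidNumber
        return user["gidNumber"]
    raise ValueError(f"unknown mode {mode!r}")

def unix_groups(user: dict, mode: str) -> List[int]:
    """Every gid the user carries: primary plus each member group that has a gidNumber."""
    gids = {GROUPS[rid]["gidNumber"] for rid in user["memberOf"] + [user["primaryGroupID"]]}
    gids.add(primary_gid(user, mode))
    return sorted(g for g in gids if g is not None)

def new_file_group(name: str, mode: str) -> Optional[int]:
    """Owning group of a file the user creates on a Unix share: the primary gid."""
    return primary_gid(USERS[name], mode)

def users_reaching_gid(gid: int, mode: str) -> List[str]:
    """Users who can exercise group permissions on a file owned by `gid`."""
    return sorted(n for n, u in USERS.items() if gid in unix_groups(u, mode))
```

With the Windows rule every new file lands in group 100 and all three users reach it; with the rfc2307 rule alice's files go to finance, while a user with no gidNumber (carol) gets no primary gid at all.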
