[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
rowlandpenny241155 at gmail.com
Thu Nov 12 13:32:25 UTC 2015
On 12/11/15 13:05, mathias dufresne wrote:
> That's for that same reason I don't agree and think it is not fair to not
> give Samba admins the choice.
> If all my 120000 users have primary group id set to 100, as you said all
> newly created object on UNIX shares will be owned by group n°100 and so
> accessible to the whole company.
This is the way Windows works, you need to use Windows ACLs to set just
who has access etc.
> I'm too thick to see where is the security improvement in that.
It works for Windows.
> Let's imagine 2s that a company wants to manage these worlds a little
> differently. If we are forced to use Windows primary group as UNIX primary
> group it seems to me difficult to manage these worlds differently.
If you are using a version of a Windows product, you have to use it like a
Windows product. Windows ACLs give you broader scope to allow access. On
Unix you have ugo, owner:group:others i.e. one owner:one group: the
entire Unix world. On Windows it is: possibly allow every windows user:
possibly every windows group, you can also deny access and you can
> And I don't feel like I'm asking something really new or inventing
> anything: Microsoft designed its own AD with something to store Windows
> users primary group then some guys thought (fought certainly) together to
> produce rfc2307 which, strangely, comes with its own primary group
> attribute for UNIX world.
RFC2307 was designed for LDAP and then taken up by Windows for SFU.
> Refusing us the possibility to use that gidNumber attribute is, in my own
> opinion, equal to say rfc2307 contains bad ideas, at least regarding this
> attribute gidNumber.
No, it is just an artifact that you do not need, all you need to do is
create a group in AD, give that group a gidNumber, add a user to the
group and that user will have that group as one of its Unix groups.
> That's exactly what I'm asking for months now and I deeply regret to not be
> better in development, I would have tried to help more (I tried but these
> tries just show me how deep my lack of knowledge is). And yes I'm
> asking for options, to give us choice. I don't say the choices made until
> now by Samba are wrong, I ask for options, for we can make different
> Best regards,
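The access models argued over in this thread, as an added example that is not part of either poster's message and not Samba code: a POSIX owner:group:other check next to a deliberately simplified Windows-style ACL check (a matching deny refuses, otherwise a matching allow grants). Only gid 100 comes from the thread; the users, the other gids and all function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    uid: int
    primary_gid: int
    groups: frozenset = frozenset()        # supplementary gids

@dataclass
class File:
    owner_uid: int
    group_gid: int
    mode: int
    acl: list = field(default_factory=list)  # entries: (kind, scope, id)

def in_group(u, gid):
    return gid == u.primary_gid or gid in u.groups

def posix_can_read(u, f):
    """ugo: the first matching class (owner, group, other) decides."""
    if u.uid == f.owner_uid:
        return bool(f.mode & 0o400)
    if in_group(u, f.group_gid):
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)

def acl_can_read(u, f):
    """Simplified ACL model: a matching deny refuses, else a matching allow grants."""
    hit = lambda scope, i: i == u.uid if scope == "user" else in_group(u, i)
    if any(k == "deny" and hit(s, i) for k, s, i in f.acl):
        return False
    return any(k == "allow" and hit(s, i) for k, s, i in f.acl)

# Constructed sample data: gid 100 comes from the thread, the rest is made up.
EVERYONE, FINANCE, HR = 100, 20001, 20002
alice = User(10001, EVERYONE, frozenset({FINANCE}))
bob = User(10002, EVERYONE, frozenset({HR}))
carol = User(10003, EVERYONE, frozenset({FINANCE, HR}))
USERS = (alice, bob, carol)

def scenario():
    default = File(alice.uid, alice.primary_gid, 0o660)  # group = creator's primary group
    regrouped = File(alice.uid, FINANCE, 0o660)           # group = dedicated AD group
    acl_file = File(alice.uid, FINANCE, 0o600, acl=[
        ("allow", "group", FINANCE), ("allow", "group", HR), ("deny", "user", carol.uid)])
    return {"default": [posix_can_read(u, default) for u in USERS],
            "regrouped": [posix_can_read(u, regrouped) for u in USERS],
            "acl": [acl_can_read(u, acl_file) for u in USERS]}

if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

The "default" row shows the concern raised about a shared primary group, "regrouped" shows the effect of a dedicated group with its own gidNumber, and "acl" shows a combination (two groups allowed, one user denied) that a single owner:group:other triple cannot express.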