[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

mathias dufresne infractory at gmail.com
Thu Nov 12 13:48:16 UTC 2015


2015-11-12 14:32 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:

> On 12/11/15 13:05, mathias dufresne wrote:
>
>>
>>
>>
>> It's for that same reason that I don't agree, and I think it is not fair to not
>> give Samba admins the choice.
>> If all my 120000 users have primary group id set to 100, as you said all
>> newly created objects on UNIX shares will be owned by group n°100 and so
>> accessible to the whole company.
>>
>
> This is the way windows works, you need to use windows ACLs to set just
> who has access etc.
>
>> I'm too thick to see where the security improvement is in that.
>>
>
> It works for windows.
>
>
>>
>> Let's imagine 2s that a company wants to manage these worlds a little
>> differently. If we are forced to use Windows primary group as UNIX primary
>> group it seems to me difficult to manage these worlds differently.
>>
>
> If you use a version of a windows product, you have to use it like a
> windows product. Windows ACLs give you broader scope to allow access. On
> Unix you have ugo, owner:group:others i.e. one owner:one group: the entire
> Unix world. On Windows it is: possibly allow every windows user: possibly
> every windows group, you can also deny access and you can inherit
> permissions.
>
>
>> And I don't feel like I'm asking something really new or inventing
>> anything: Microsoft designed its own AD with something to store Windows
>> users primary group then some guys thought (fought certainly) together to
>> produce rfc2307 which, strangely, comes with its own primary group
>> attribute for UNIX world.
>>
>
> RFC2307 was designed for ldap and then taken up by windows for SFU.
>
>> Refusing us the possibility to use that gidNumber attribute is, in my own
>> opinion, equal to say rfc2307 contains bad ideas, at least regarding this
>> attribute gidNumber.
>>
>>
> No, it is just an artifact that you do not need, all you need to do is
> create a group in AD, give that group a gidNumber, add a user to the group
> and that user will have that group as one of its Unix groups.


Missed! Not by much, but still :)

You speak to me as if you were teaching a really dumb student beginning
Linux system administration. Do you think I'm dumb, or do you think I'm just
beginning to play sysadmin?

One point you forgot here: the process you described gives users
secondary groups, when we are speaking about the primary group.

You also forgot in that process to specify that I would need to force all my
users to use the "sg" command at login time so that they switch one of their
secondary groups to the primary one. Because sometimes the primary group in the
UNIX world is important.


>
>
> Rowland
>
>> That's exactly what I've been asking for months now, and I deeply regret not being
>> better at development; I would have tried to help more (I tried, but these
>> tries just showed me how deep my lack of knowledge is). And yes, I'm
>> asking for options, to give us a choice. I don't say the choices made until
>> now by Samba are wrong; I ask for options, so that we can make different
>> choices.
>>
>> Best regards,
>>
>> mathias
>>
>>
>>
>