[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

Rowland Penny rowlandpenny241155 at gmail.com
Thu Nov 12 14:13:20 UTC 2015


On 12/11/15 13:48, mathias dufresne wrote:
> 2015-11-12 14:32 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 12/11/15 13:05, mathias dufresne wrote:
>>
>>>
>>>
>>> That's for that same reason I don't agree and think it is not fair to not
>>> give Samba admins the choice.
>>> If all my 120000 users have primary group id set to 100, as you said all
>>> newly created object on UNIX shares will be owned by group n°100 and so
>>> accessible to the whole company.
>>>
>> This is the way windows works, you need to use windows ACLs to set just
>> who has access etc.
>>
>> I'm too thick to see where is the security improvement in that.
>> It works for windows.
>>
>>
>>> Let's imagine 2s that a company wants to manage these worlds a little
>>> differently. If we are forced to use Windows primary group as UNIX primary
>>> group it seems to me difficult to manage these worlds differently.
>>>
>> If you are using a version of a windows product, you have to use it like a
>> windows product. Windows ACLs give you broader scope to allow access. On
>> Unix you have ugo, owner:group:others i.e. one owner:one group: the entire
>> Unix world. On Windows it is: possibly allow every windows user: possibly
>> every windows group, you can also deny access and you can inherit
>> permissions.
>>
>>
>>> And I don't feel like I'm asking something really new or inventing
>>> anything: Microsoft designed its own AD with something to store Windows
>>> users primary group then some guys thought (fought certainly) together to
>>> produce rfc2307 which, strangely, comes with its own primary group
>>> attribute for UNIX world.
>>>
>> RFC2307 was designed for ldap and then taken up by windows for SFU.
>>
>>> Refusing us the possibility to use that gidNumber attribute is, in my own
>>> opinion, equal to say rfc2307 contains bad ideas, at least regarding this
>>> attribute gidNumber.
>>>
>>>
>> No, it is just an artifact that you do not need, all you need to do is
>> create a group in AD, give that group a gidNumber, add a user to the group
>> and that user will have that group as one of its Unix groups.
>
> Missed! Not by much, but still :)
>
> You speak to me as if you were teaching to a really-dumb-student beginning
> Linux system administration. Do you think I'm dumb or do you think I begin
> playing sysadmin?

No, I think you are a Unix sysadmin lost in a windows AD world :-)

>
> One point you forgot here: the process you described is to give users
> secondary groups when we are speaking about primary group.

Yes, but in an AD world, there isn't really that much difference between 
a primary and a secondary group.

>
> You also forget in that process to specify I would need to force all my
> users to use "sg" command at login time for they switch one of their
> secondary group to the primary one. Because sometimes primary group in UNIX
> world is important.
>

Yes, in a UNIX world, you need to think in a windows way instead.

I give in, you go your way and I will go mine, there is very little 
chance we are going to agree on this.

Rowland

>>
>>



