[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber

mathias dufresne infractory at gmail.com
Thu Nov 12 16:26:28 UTC 2015


I fully understand that on Linux systems used to serve files to Windows
clients, these servers should create users the Windows way, for ACL
compatibility and so on.
To achieve that, quite simple: winbind retrieves users from AD.

My point about gidNumber is when using AD as a database of users on UNIX
systems, for UNIX stuff.

2015-11-12 17:01 GMT+01:00 mathias dufresne <infractory at gmail.com>:

>
>
> 2015-11-12 15:13 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 12/11/15 13:48, mathias dufresne wrote:
>>
>>> 2015-11-12 14:32 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>>>
>>> On 12/11/15 13:05, mathias dufresne wrote:
>>>>
>>>>
>>>>>
>>>>> That's for that same reason I don't agree and think it is not fair to
>>>>> not give Samba admins the choice.
>>>>> If all my 120000 users have primary group id set to 100, as you said all
>>>>> newly created objects on UNIX shares will be owned by group n°100 and so
>>>>> accessible to the whole company.
>>>>>
>>>>> This is the way windows works, you need to use windows ACLs to set just
>>>> who has access etc.
>>>>
>>>> I'm too thick to see where is the security improvement in that.
>>>> It works for windows.
>>>>
>>>>
>>>> Let's imagine 2s that a company wants to manage these worlds a little
>>>>> differently. If we are forced to use Windows primary group as UNIX
>>>>> primary group it seems to me difficult to manage these worlds differently.
>>>>>
>>>>> If you use a version of a windows product, you have to use it like a
>>>> windows product. Windows ACLs give you broader scope to allow access. On
>>>> Unix you have ugo, owner:group:others i.e. one owner:one group: the entire
>>>> Unix world. On Windows it is: possibly allow every windows user: possibly
>>>> every windows group, you can also deny access and you can inherit
>>>> permissions.
>>>>
>>>>
>>>> And I don't feel like I'm asking something really new or inventing
>>>>> anything: Microsoft designed its own AD with something to store Windows
>>>>> users' primary group then some guys thought (fought certainly) together to
>>>>> produce rfc2307 which, strangely, comes with its own primary group
>>>>> attribute for UNIX world.
>>>>>
>>>>> RFC2307 was designed for ldap and then taken up by windows for SFU.
>>>>
>>>> Refusing us the possibility to use that gidNumber attribute is, in my own
>>>>> opinion, equal to say rfc2307 contains bad ideas, at least regarding this
>>>>> attribute gidNumber.
>>>>>
>>>>>
>>>>> No, it is just an artifact that you do not need, all you need to do is
>>>> create a group in AD, give that group a gidNumber, add a user to the group
>>>> and that user will have that group as one of its Unix groups.
>>>>
>>>
>>> Missed! Not by much, but still :)
>>>
>>> You speak to me as if you were teaching a really-dumb-student beginning
>>> Linux system administration. Do you think I'm dumb or do you think I begin
>>> playing sysadmin?
>>>
>>
>> No, I think you are a Unix sysadmin lost in a windows AD world :-)
>
>
> I'm not.
> I'm speaking from the beginning about gidNumber usage.
> As AD comes with all we need to manage Windows users, as gidNumber is part
> of RFC2307 which comes to manage UNIX users, I thought you would have been
> able from the beginning to understand I want to use AD features to host
> also UNIX users (in fact to have users in AD which are Windows and UNIX
> users).
>
> Perhaps you are a bit lost trying to be everywhere answering every
> mail :)
>
>
>>
>>
>>
>>> One point you forgot here: the process you described is to give users
>>> secondary groups when we are speaking about primary group.
>>>
>>
>> Yes, but in an AD world, there isn't really that much difference between
>> a primary and a secondary group.
>
>
> AD is nothing if it is not used. I'm speaking about usage of its content.
> And usage of its content happens in different contexts. Could be users from
> some Web App, could be users for Windows systems, UNIX systems and so much
> more I haven't even heard about.
>
> Anyway, in UNIX primary group is important. Who's lost?
>
>
>>
>>
>>
>>> You also forget in that process to specify I would need to force all my
>>> users to use the "sg" command at login time so they switch one of their
>>> secondary groups to the primary one. Because sometimes primary group in
>>> UNIX world is important.
>>>
>>>
>> Yes, in a UNIX world, you need to think in a windows way instead.
>
>
> False. Why do you force me to say that to you every two days?
> In UNIX world I think UNIX. In UNIX world when I retrieve AD users I
> manage to create my UNIX users as my UNIX needs to. And you know, this idea
> seems to me not so wrong as some guys have already developed all the tools
> I need for that.
> But I know you now Rowland. That's not your way of thinking, so I and all
> these guys are stupid, according to what you show.
>
>
>> I give in, you go your way and I will go mine, there is very little
>> chance we are going to agree on this.
>
>
> Yes please, speak to someone else :)
>
>
>>
>>
>> Rowland
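An added example, not from this thread or from either poster, of the smb.conf that the subject line asks about: a domain member using the idmap_ad backend so that winbind reads uidNumber and gidNumber from the RFC2307 attributes instead of allocating its own IDs. The `unix_primary_group` option, which makes gidNumber the UNIX primary group instead of the group derived from the AD primaryGroupID, exists only in Samba releases later than the 2015 one discussed here; `EXAMPLE`, the realm and the ID ranges are placeholder values.

```ini
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   # Everything not covered below (BUILTIN, trusts without RFC2307 data)
   # gets an allocated ID from the local tdb, in its own range.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The AD domain: IDs come from the uidNumber/gidNumber attributes.
   # Objects without an attribute, or with a value outside this range,
   # are simply not mapped, so winbind never invents an ID for them.
   idmap config EXAMPLE : backend = ad
   idmap config EXAMPLE : schema_mode = rfc2307
   idmap config EXAMPLE : range = 10000-999999

   # Primary group from gidNumber rather than from primaryGroupID.
   idmap config EXAMPLE : unix_primary_group = yes
   # Home directory and shell from unixHomeDirectory / loginShell.
   idmap config EXAMPLE : unix_nss_info = yes

   winbind use default domain = yes
```

After restarting winbind, `getent passwd someuser` shows the primary GID that winbind actually chose, which is the quickest check that gidNumber is being honoured; a user that does not appear at all is missing a uidNumber inside the configured range.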