[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))
Rowland Penny
rowlandpenny241155 at gmail.com
Mon Sep 14 17:45:48 UTC 2015
On 14/09/15 18:14, Jim Seymour wrote:
> On Mon, 14 Sep 2015 13:36:31 -0300
> Guilherme Boing <kolt+samba at frag.com.br> wrote:
>
>> Are you using nslcd by any chance ?
> [snip]
>
> Nope.
>
>
> On Mon, 14 Sep 2015 18:56:20 +0200
> buhorojo <buhorojo.lcb at gmail.com> wrote:
>
> [snip]
>> getent returns primaryGroupID, not gidNumber
> I can see that.
>
> So what is the point of gidNumber in a user's record if it does
> essentially nothing other than to take up space, possibly duplicate
> another entry (primaryGroupID) or possibly be misleading?
>
> Regards,
> Jim

OK, now you have got this far, I will drop the bomb on you: you *don't*
actually need the 'gidNumber' attribute for a user. You need it for
groups, but not users!

Group membership in AD is done by member/memberof attributes: you add a
'member' attribute containing the 'dn' of the user to the group object
and AD does the rest. If you go and examine the user's object, you will
now find that a 'memberof' attribute containing the group's dn has been
added. The only exception to this rule is Domain Users; membership is
governed by the primaryGroupID attribute.

You allow access (read, write, etc.) to files & directories with ACLs. If
the user trying to do something to a file or directory doesn't have an
ACL set, they will not be allowed to do whatever it was they tried.

Rowland
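
Added example, not part of the original post: a small resolver for the membership model described in the reply above, useful when reviewing who an ACL on a group actually reaches. It assumes direct membership only (no nested groups); the entries, DNs, SIDs and the gidNumber value are constructed, and primaryGroupID is matched against the RID at the end of a group's objectSid.

```python
# Constructed sample entries (not from the thread); SIDs, DNs and values are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE = "CN=Users,DC=example,DC=com"
ENTRIES = [
    {"dn": f"CN=Domain Users,{BASE}", "objectClass": "group",
     "objectSid": f"{DOMAIN_SID}-513", "member": []},
    {"dn": f"CN=Staff,{BASE}", "objectClass": "group",
     "objectSid": f"{DOMAIN_SID}-1105", "member": [f"CN=jim,{BASE}"]},
    # gidNumber is present on the user but is never read by the code below.
    {"dn": f"CN=jim,{BASE}", "objectClass": "user",
     "objectSid": f"{DOMAIN_SID}-1104", "primaryGroupID": "513",
     "gidNumber": "10000"},
]

def split_sid(sid):
    """Return (domain part, RID) of a SID string."""
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def groups_via_member(user_dn, entries):
    """Groups whose 'member' attribute lists the user (the memberof view)."""
    wanted = user_dn.lower()
    return sorted(e["dn"] for e in entries
                  if e["objectClass"] == "group"
                  and wanted in (m.lower() for m in e["member"]))

def primary_group(user, entries):
    """Group in the user's domain whose RID equals the user's primaryGroupID."""
    domain, _ = split_sid(user["objectSid"])
    rid = int(user["primaryGroupID"])
    for e in entries:
        if e["objectClass"] == "group" and split_sid(e["objectSid"]) == (domain, rid):
            return e["dn"]
    return None  # dangling primaryGroupID: worth flagging in a review

def effective_groups(user_dn, entries):
    """Union of member-based groups and the primary group."""
    user = next(e for e in entries if e["dn"].lower() == user_dn.lower())
    groups = set(groups_via_member(user["dn"], entries))
    pg = primary_group(user, entries)
    if pg:
        groups.add(pg)
    return sorted(groups)

def missed_by_memberof(user_dn, entries):
    """Groups a memberof-only review would not report for this user."""
    return sorted(set(effective_groups(user_dn, entries))
                  - set(groups_via_member(user_dn, entries)))
```
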