[Samba] winbind rfc2307 - wbinfo -i fails

Kevin Davidson kevin at indigospring.co.uk
Sat Dec 10 09:44:44 UTC 2016

> On 10 Dec 2016, at 09:23, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Sat, 10 Dec 2016 09:07:13 +0000
> Kevin Davidson via samba <samba at lists.samba.org> wrote:
>> And note this newly highlighted section of the wiki, which deals with
>> the UNIX admin’s potential desire to “fix” this problem that users'
>> primary group is “wrong”.
>> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
> Care to expand on what is 'wrong' with it ???

It’s not the Wiki that’s wrong. I was referring to this section from the earlier message:

> => In the case of winbind, the user entry's gidNumber is ignored. The user's gid is taken from the user's primary Windows group (which *must* have a gidNumber, otherwise the user is entirely ignored by winbind)

This will become clear in testing with getent. No matter what group the admin has set as the primary group for a user it will stubbornly show up as Domain Users. To a typical UNIX admin’s eyes this behaviour is wrong and they may be tempted to “fix” this by removing users from Domain Users and putting them in a different Windows primary group to better match their own organisation’s org chart. Doing that is a very bad thing for Windows.

In this case it sounds like sssd behaviour better matches the UNIX admin’s expectations, but there will always be compromises trying to merge together Windows and UNIX schemes. Maybe with Microsoft’s newfound love for Linux this will change in future...

Kevin Davidson
Apple Certified System Administrator
Technical Director

t 01506 668674
m 07813 149620
w www.indigospring.co.uk

indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US
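
The rule quoted in the message above (the user's own gidNumber is ignored, the gid comes from the primary Windows group, and the user is ignored if that group has no gidNumber), as an added example that is not part of the original message and is not Samba code: a Python audit over exported directory entries that flags accounts whose gidNumber has no effect and accounts winbind would not resolve. The domain SID, names and numbers are constructed sample data; the sketch assumes the usual AD linkage in which a user's primaryGroupID equals the RID at the end of the group's objectSid.

```python
# Constructed sample directory entries (not from a real domain).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

GROUPS = [
    {"cn": "Domain Users", "objectSid": DOMAIN_SID + "-513", "gidNumber": 10000},
    {"cn": "Engineering", "objectSid": DOMAIN_SID + "-1105", "gidNumber": 10010},
    {"cn": "Contractors", "objectSid": DOMAIN_SID + "-1106"},  # no gidNumber set
]

USERS = [
    # gidNumber points at Engineering, Windows primary group is Domain Users
    {"sAMAccountName": "alice", "uidNumber": 20001, "gidNumber": 10010, "primaryGroupID": 513},
    # Windows primary group was changed to a group that has no gidNumber
    {"sAMAccountName": "bob", "uidNumber": 20002, "gidNumber": 10000, "primaryGroupID": 1106},
    {"sAMAccountName": "carol", "uidNumber": 20003, "gidNumber": 10000, "primaryGroupID": 513},
]


def rid(sid):
    """Return the relative identifier, the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def audit(users, groups):
    """Classify each user by the rule quoted in the message.

    Returns {name: (status, effective_gid)} where status is
    'ok', 'gid_overridden' or 'ignored'.
    """
    by_rid = {rid(g["objectSid"]): g for g in groups}
    report = {}
    for u in users:
        primary = by_rid.get(u["primaryGroupID"])
        gid = primary.get("gidNumber") if primary else None
        if gid is None:
            # Primary Windows group has no gidNumber: the user is not resolved.
            report[u["sAMAccountName"]] = ("ignored", None)
        elif u.get("gidNumber") != gid:
            # The user's own gidNumber is set but has no effect on the primary gid.
            report[u["sAMAccountName"]] = ("gid_overridden", gid)
        else:
            report[u["sAMAccountName"]] = ("ok", gid)
    return report


if __name__ == "__main__":
    for name, (status, gid) in audit(USERS, GROUPS).items():
        print(f"{name:8} {status:15} effective gid: {gid}")
```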
