[Samba] winbind rfc2307 - wbinfo -i fails

Rowland Penny rpenny at samba.org
Sat Dec 10 10:44:09 UTC 2016


On Sat, 10 Dec 2016 09:44:44 +0000
Kevin Davidson via samba <samba at lists.samba.org> wrote:

> 
> > On 10 Dec 2016, at 09:23, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > 
> > On Sat, 10 Dec 2016 09:07:13 +0000
> > Kevin Davidson via samba <samba at lists.samba.org
> > <mailto:samba at lists.samba.org>> wrote:
> > 
> >> 
> >> And note this newly highlighted section of the wiki, which deals
> >> with the UNIX admin’s potential desire to “fix” this problem that
> >> users' primary group is “wrong”.
> >> 
> >> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
> >> <https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites>
> > 
> > Care to expand on what is 'wrong' with it ???
> 
> 
> It’s not the Wiki that’s wrong. I was referring to this section from
> the earlier message:
> 
> > 
> > => In the case of winbind, the user entry's gidNumber is ignored.
> > The user's gid is taken from the user's primary Windows group
> > (which *must* have a gidNumber, otherwise the user is entirely
> > ignored by winbind)
> 
> This will become clear in testing with getent. No matter what group
> the admin has set as the primary group for a user it will stubbornly
> show up as Domain Users. To a typical UNIX admin’s eyes this
> behaviour is wrong and they may be tempted to “fix" this by removing
> users from Domain Users and putting them in a different Windows
> primary group to better match their own organisation’s org chart.
> Doing that is a very bad thing for Windows.

It is not so much the users 'primary group', it is the users 'Unix
primary group'. From a Unix perspective, a user can also have a
private user group, this is not allowed via AD. Any gidNumber added to
a user in AD is ignored by winbind, it goes for the 'primaryGroupID'
attribute and this is always set to '513' which is the Domain Users
group. You can change this, but it is not simple and there is no need
to do it and windows gets upset if you do.

> 
> In this case it sounds like sssd behaviour better matches the UNIX
> admin’s expectations, but there will always be compromises trying to
> merge together Windows and UNIX schemes. Maybe with Microsoft’s
> newfound love for Linux this will change in future...

How sssd does things isn't anything to do with Samba and may not be the
best way of doing things. As for microsoft, well I wouldn't hold my
breath ;-)

Rowland

> 
> 



More information about the samba mailing list