[Samba] Why is Samba4 not recommended as a file server?
Rowland penny
rpenny at samba.org
Thu Jul 28 12:15:43 UTC 2016
On 28/07/16 11:53, mathias dufresne wrote:
>
>
> 2016-07-28 12:27 GMT+02:00 Rowland penny <rpenny at samba.org>:
>
> On 28/07/16 10:32, mathias dufresne wrote:
>
> Can you explain why it would be an issue giving GID to "Domain
> Admins" group?
>
>
> This is because Domain Admins has to own group policies in sysvol,
> not as a group but as a user. If you give Domain Admins a
> gidNumber, it becomes purely a group, so it cannot own the group
> policies as a user.
>
> This need sounds very strange to me... Why would a group need to be
> considered as a user?
>
> I noticed earlier that groups are considered as users when it comes to
> sysvol's ACLs. I thought it was because Samba was treating with XID
> rather than UID and GID, and that use of XID is not precise enough to
> make difference between users and groups, so to be sure Samba was
> putting ACL on both sides (user ACL and group ACL). All that thought
> because Samba relies on idmap and in idmap.ldb there is no UID/GID but
> only XID.
>
> I don't think Windows clients are expecting to find groups in users'
> ACLs so I'm really wondering why that would be an issue...
>
Yes it does sound strange, but, on Windows, groups can and do own
directories & files. An xidNumber is just that, a number, it is the
context in how that number is used that is important. If you give Domain
Admins a gidNumber attribute, then Domain Admins becomes just a group,
but if you examine Domain Admins object in idmap.ldb, you will find that
it is type 'ID_TYPE_BOTH'. This means that as far as Unix is concerned,
Domain Admins is both a user and a group, so it can own dirs & files.
Rowland
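
Added example (not part of the original post, and not Samba's own code): a check of how idmap.ldb maps Domain Admins, reading LDIF text such as `ldbsearch -H` prints for idmap.ldb. The sample records, the domain SID and the xidNumbers are constructed, and the function names are hypothetical.

```python
# Input: LDIF text in the layout `ldbsearch -H <private dir>/idmap.ldb` prints.
# SAMPLE_LDIF is constructed: the domain SID and xidNumbers are made up.
SAMPLE_LDIF = """\
dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
cn: S-1-5-21-1111111111-2222222222-3333333333-512
objectClass: sidMap
type: ID_TYPE_BOTH
xidNumber: 3000008

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1104
cn: S-1-5-21-1111111111-2222222222-3333333333-1104
objectClass: sidMap
type: ID_TYPE_UID
xidNumber: 3000020

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-1105
cn: S-1-5-21-1111111111-2222222222-3333333333-1105
objectClass: sidMap
type: ID_TYPE_GID
xidNumber: 3000021
"""

DOMAIN_ADMINS_RID = "512"  # well-known RID of the Domain Admins group
# POSIX roles an xidNumber can fill, by idmap type.
ROLES = {"ID_TYPE_UID": {"user"}, "ID_TYPE_GID": {"group"},
         "ID_TYPE_BOTH": {"user", "group"}}

def parse_idmap(ldif):
    """Return {sid: {"type": str, "xid": int}} for each sidMap record."""
    mappings = {}
    for block in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if attrs.get("objectClass") == "sidMap" and {"cn", "xidNumber"} <= attrs.keys():
            mappings[attrs["cn"]] = {"type": attrs.get("type", ""),
                                     "xid": int(attrs["xidNumber"])}
    return mappings

def domain_admins_status(ldif):
    """Return (sid, xid, roles) for Domain Admins, or None if unmapped."""
    for sid, entry in parse_idmap(ldif).items():
        if sid.rsplit("-", 1)[-1] == DOMAIN_ADMINS_RID:
            return sid, entry["xid"], ROLES.get(entry["type"], set())
    return None

if __name__ == "__main__":
    sid, xid, roles = domain_admins_status(SAMPLE_LDIF)
    verdict = "OK" if roles == {"user", "group"} else "WARNING"
    print(f"{verdict}: {sid} xid={xid} usable as {sorted(roles)}")
```

A WARNING result means the mapping can no longer act as a file owner in the user sense, which is the sysvol ownership problem described in the reply above.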