[Samba] Why is Samba4 not recommended as a file server?

Rowland penny rpenny at samba.org
Thu Jul 28 13:28:32 UTC 2016


On 28/07/16 13:59, Jim Seymour wrote:
> On Thu, 28 Jul 2016 13:15:43 +0100
> Rowland penny <rpenny at samba.org> wrote:
>
> [snip]
>> Yes it does sound strange, but, on windows, groups can and do own
>> directories & files. An xidNumber is just that, a number, it is the
>> context in how that number is used that is important. If you give
>> Domain Admins a gidNumber attribute, then Domain Admins becomes just
>> a group, ...
> [snip]
>
> Hmmm...
>
> ----------------------------------------------------------------------
> $ ldapsearch -x -ZZZ -b 'ou=Groups,dc=example,dc=com' 'cn=Domain Admins'
> # extended LDIF
> #
> # LDAPv3
> # base <ou=Groups,dc=example,dc=com> with scope subtree
> # filter: cn=Domain Admins
> # requesting: ALL
> #
>
> # Domain Admins, Groups, example.com
> dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: Domain Admins
> gidNumber: 512
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-3861070848-2803670205-3675378528-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> $ ldapmodify -x -ZZZ -W -D 'cn=admin,dc=example,dc=com'
> Enter LDAP Password:
> dn: cn=Domain Users,ou=Groups,dc=example,dc=com
> changetype: modify
> delete: gidNumber
> modifying entry "cn=Domain Users,ou=Groups,dc=example,dc=com"
> ^D
> ldap_modify: Object class violation (65)
>          additional info: object class 'posixGroup' requires attribute
>          'gidNumber'
>
> ----------------------------------------------------------------------
>
> To me this implies that "posixGroup"s and an AD are incompatible?
>
> (N.B.: I'm only posting this to satisfy my curiosity, not for any
> practical reason.)
>
> Regards,
> Jim

Two things here: I was talking about AD and your LDIF is from an NT4-style
LDAP domain, and in AD you don't need to explicitly set the posixGroup
objectClass.

Rowland
