[Samba] Use of gidNumber attribute in user entry

Brian Candler b.candler at pobox.com
Tue Nov 22 13:03:50 UTC 2016

On 21/11/2016 16:40, mathias dufresne wrote:
>>> (1) "samba-tool user add" has an option to set --gid-number. However,
>>> I can't see that this attribute is ever used. Can someone confirm if
>>> this is true?
>>
>> Not sure if it is ever really used, what I can say is, you do not need
>> it.
>>
> It is used when you are using which use it. Just an example: SSSD is
> configurable and you can tell that specific tool to use any LDAP attribute
> to set LINUX/UNIX users' primary group.
> This option should set in your user objects the field named gidNumber. I
> believe RFC2307 tells that gidNumber is default field for UNIX primary

This makes sense.

FYI, I have now tested using realmd+sssd, configured with 
"ldap_id_mapping = False" (which tells it to use the uidNumber and 
gidNumber from the directory).

The user is not found unless they have both uidNumber and gidNumber 
attributes set. The gidNumber is the primary group (AFAICS the Windows 
primary group isn't used). There does not even have to be any group in 
the directory with this gidNumber; if there isn't, you only see the 
number and not the name of the group.

So the answer is: winbind doesn't use the gidNumber attribute on the 
user entry, but this attribute can be set if you use different client 
software talking to your Samba server.

Thanks to both Mathias and Rowland for helping to clear this up.
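
[Added example, not part of the original post: a small Python audit of a directory export for the behaviour reported above with "ldap_id_mapping = False". It flags users lacking uidNumber or gidNumber, and users whose gidNumber matches no group entry. The LDIF sample, the function names and the simplified LDIF parsing are assumptions made for illustration.]

```python
# Added example. Assumes simple LDIF: "attr: value" lines, blank line between
# entries, no folded lines or base64 values. All entries below are constructed.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: alice
uidNumber: 10001
gidNumber: 10000

dn: CN=bob,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: bob
uidNumber: 10002

dn: CN=carol,CN=Users,DC=example,DC=com
objectClass: user
sAMAccountName: carol
uidNumber: 10003
gidNumber: 10999

dn: CN=unixusers,CN=Users,DC=example,DC=com
objectClass: group
gidNumber: 10000
"""

def parse_ldif(text):
    """Return one dict per entry: lower-cased attribute name -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry.setdefault(attr.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(entries):
    """Flag users lacking uidNumber/gidNumber, and gidNumbers no group carries."""
    def has_class(e, cls):
        return cls in e.get("objectclass", [])
    group_gids = {g for e in entries if has_class(e, "group")
                  for g in e.get("gidnumber", [])}
    report = {"not_found": [], "gid_without_group": []}
    for e in (e for e in entries if has_class(e, "user")):
        name = e["samaccountname"][0]
        if "uidnumber" not in e or "gidnumber" not in e:
            report["not_found"].append(name)
        elif e["gidnumber"][0] not in group_gids:
            report["gid_without_group"].append(name)
    return report
```
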


