[Samba] using Windows AD unwanted Group rights get applied to new Files
Robert Marcano
robert at marcanoonline.com
Tue Aug 7 13:02:10 UTC 2018
On 08/07/2018 08:38 AM, Rowland Penny via samba wrote:
> On Tue, 7 Aug 2018 11:52:31 +0000
...
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config VHH : backend = ad
> idmap config VHH : schema_mode = rfc2307
> idmap config VHH : unix_nss_info = yes
> idmap config VHH : unix_primary_group = yes
> idmap config VHH : range = 10000-999999
>
> You would then need to give all your users a unique uidNumber attribute
> containing a number inside the range you set in smb.conf, you would
> also need to give the user a gidNumber attribute containing the
> gidNumber of the required group to use instead of 'Domain Users'.
>
> Rowland
>
Greetings, just making a note for a feature request that could help in the
future. One of the reasons we decided to use SSSD instead of winbind on
our domain members was the SSSD AD domain option:
auto_private_groups = True
That synthesizes private groups for all domain users. Winbind with the
algorithmic mapping provided by the rid backend would have been
sufficient if it had an option like this one. We did not want to give
the Windows domain admin too much power defining POSIX uid and gid
attributes on the Linux servers.
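An added example, not part of either poster's message: a small audit of the quoted `idmap config` ranges against a directory export, flagging users whose `uidNumber` or `gidNumber` is missing, falls outside the `VHH` range (which the `ad` backend uses as a filter), or duplicates another user's uid. The user records and the function names are constructed for illustration.

```python
import re

# Range-relevant lines of the smb.conf fragment quoted in the thread.
SMB_CONF = """\
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config VHH : backend = ad
idmap config VHH : schema_mode = rfc2307
idmap config VHH : range = 10000-999999
"""
# Constructed sample records (hypothetical users, not from the thread).
USERS = [
    {"name": "alice", "uidNumber": 10001, "gidNumber": 10500},
    {"name": "bob", "uidNumber": 5000, "gidNumber": 10500},
    {"name": "carol", "uidNumber": None, "gidNumber": 10500},
    {"name": "dave", "uidNumber": 10001, "gidNumber": None},
]
LINE = re.compile(r"^\s*idmap config\s+(\S+?)\s*:\s*([\w ]+?)\s*=\s*(.+?)\s*$")

def idmap_ranges(conf):
    """Return {domain: (low, high)} from 'idmap config DOM : range = a-b' lines."""
    ranges = {}
    for m in filter(None, map(LINE.match, conf.splitlines())):
        if m.group(2) == "range":
            ranges[m.group(1)] = tuple(int(x) for x in m.group(3).split("-"))
    return ranges

def audit(conf, domain, users):
    """List (who, problem) pairs for IDs the domain's idmap range will not cover."""
    ranges = idmap_ranges(conf)
    low, high = ranges[domain]
    findings = []
    for other, (olow, ohigh) in ranges.items():
        if other != domain and olow <= high and low <= ohigh:
            findings.append((other, f"range overlaps {domain}"))
    owners = {}
    for u in users:
        for attr in ("uidNumber", "gidNumber"):
            val = u[attr]
            if val is None:
                findings.append((u["name"], f"{attr} missing"))
            elif not low <= val <= high:
                findings.append((u["name"], f"{attr} {val} outside {low}-{high}"))
        uid = u["uidNumber"]
        if uid is not None and owners.setdefault(uid, u["name"]) != u["name"]:
            findings.append((u["name"], f"uidNumber {uid} also held by {owners[uid]}"))
    return findings

if __name__ == "__main__":
    print(*audit(SMB_CONF, "VHH", USERS), sep="\n")
```

A duplicate `uidNumber` is worth catching before rollout, because both accounts would own the same files on every domain member.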