[Samba] using Windows AD unwanted Group rights get applied to new Files

Robert Marcano robert at marcanoonline.com
Tue Aug 7 13:02:10 UTC 2018

On 08/07/2018 08:38 AM, Rowland Penny via samba wrote:
> On Tue, 7 Aug 2018 11:52:31 +0000

>      idmap config *:backend = tdb
>      idmap config *:range = 2000-9999
>      idmap config VHH : backend = ad
>      idmap config VHH : schema_mode = rfc2307
>      idmap config VHH : unix_nss_info = yes
>      idmap config VHH : unix_primary_group = yes
>      idmap config VHH : range = 10000-999999
> You would then need to give all your users a unique uidNumber attribute
> containing a number inside the range you set in smb.conf, you would
> also need to give the user a gidNumber attribute containing the
> gidNumber of the required group to use instead of 'Domain Users'.
> Rowland

Greetings, just making a note for a feature request that could help in the
future. One of the reasons we decided to use SSSD instead of winbind on
our domain members was the SSSD AD domain option:

   auto_private_groups = True

That synthesizes private groups for all domain users. Winbind with the
algorithmic mapping provided by the rid backend would have been
sufficient if it had an option like this one. We did not want to give
the Windows domain admin too much power defining posix uid and gid
attributes on the Linux servers.
