[Samba] winbind behavior question

Rowland Penny rpenny at samba.org
Mon Jul 23 09:02:11 UTC 2018


On Mon, 23 Jul 2018 16:46:50 +0800
d tbsky <tbskyd at gmail.com> wrote:

> 2018-07-23 16:04 GMT+08:00 Rowland Penny via samba
> <samba at lists.samba.org>:


> >> >>>    idmap config SAMDOM:range = 1000-999999

> >>    idmap config SAMDOM:unix_primary_group = yes
> >
> > That isn't a bug, it is a feature ;-)
> > Before 4.6.0 everyone got 'Domain Users' as their primary Unix
> > group, but from 4.6.0, you can give users a gidNumber attribute
> > and, with the line above, this will be used for the user's primary
> > Unix group. Whatever gidNumber is used, this must point to a group
> > i.e. the group must have the same gidNumber.
> > If the line doesn't exist, it falls back to using Domain Users, so
> > Domain Users must have a gidNumber.
> >
> > Rowland
> 
> Hi:
>     Yes, I like this feature and from now on I will use this feature.
> But unfortunately the fallback (default setting) is not working.
> I think it is a bug because "idmap config SAMDOM:unix_primary_group =
> no" is not working as expected, although I will never use that again.

That is the default setting and, as such, the line doesn't need to be
there unless you want/need to set it to 'yes'.
If it isn't set, then Domain Users must have a gidNumber attribute
containing a number inside the range set in smb.conf, in your case
'1000-999999'.
If a gidNumber isn't set in the user's object (again inside the range)
and Domain Users doesn't have a gidNumber, then all your users will be
ignored.

Rowland
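
Added example (not part of the original message and not Samba code): a small Python audit of the gidNumber conditions described in this reply, run over constructed user and group records. The record layout, the function names, and treating a user without a gidNumber under 'unix_primary_group = yes' as a failed check are assumptions of this example.

```python
# Constructed sample data; attribute values would normally come from an
# export of the AD objects (layout here is an assumption of this example).
IDMAP_RANGE = "1000-999999"          # from 'idmap config SAMDOM:range'
GROUPS = {
    "Domain Users": {"gidNumber": None},   # no gidNumber attribute set
    "staff": {"gidNumber": 10001},
}
USERS = {
    "alice": {"gidNumber": 10001},
    "bob": {"gidNumber": 500},             # below the configured range
    "carol": {},                           # no gidNumber attribute
}


def parse_range(text):
    low, high = text.split("-")
    return int(low), int(high)


def audit_primary_group(user, groups, idmap_range, unix_primary_group):
    """Return (gid, problem); gid is None when a condition is not met."""
    low, high = parse_range(idmap_range)
    if unix_primary_group:
        # 'yes': the user's own gidNumber names the primary Unix group.
        gid = user.get("gidNumber")
        if gid is None:
            return None, "user has no gidNumber"
        if not low <= gid <= high:
            return None, f"user gidNumber {gid} outside {idmap_range}"
        if not any(g.get("gidNumber") == gid for g in groups.values()):
            return None, f"no group carries gidNumber {gid}"
        return gid, None
    # Default ('no' or line absent): Domain Users supplies the primary group.
    gid = groups.get("Domain Users", {}).get("gidNumber")
    if gid is None:
        return None, "Domain Users has no gidNumber"
    if not low <= gid <= high:
        return None, f"Domain Users gidNumber {gid} outside {idmap_range}"
    return gid, None


if __name__ == "__main__":
    for setting in (True, False):
        for name, user in USERS.items():
            result = audit_primary_group(user, GROUPS, IDMAP_RANGE, setting)
            print(f"unix_primary_group={setting} {name}: {result}")
```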


