[Samba] Is Samba unable to resolve secodary group membership?

Rowland penny rpenny at samba.org
Thu Oct 8 09:31:07 UTC 2020

On 08/10/2020 10:23, Michael Schwarz via samba wrote:
> Am 08.10.20 um 10:41 schrieb Rowland penny via samba:
>> On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>>> The setup at our university is not quite trivial. I can understand 
>>> that. I'll try to explain it again in a different way:
>> Lets see if I understand this, you have one kerberos domain for the 
>> Linux machines and another kerberos domain for the Windows machines, 
>> you have virtually the same users and groups in both. Why two 
>> domains, why not just use the AD for both ? This would make your 
>> setup trivial. I feel this is probably all down to department politics.
> Yes this is correct. I'm not sure why there are two domains. I'm not 
> working at the central computer center, but i'm sure, they have their 
> reasons why they are doing it this way. We are only using this 
> infrastructure. The LDAP is storing much more information than only 
> simple posixAccounts. It might be, that an AD is not so flexible if 
> you want to store more than the standard attributes. But i don't now 
> in detail as i am not so familiar with windows ad services.

There are no posixAccounts in AD, there are just Accounts (but all the 
RFC2307 attributes are available, so any account can be a Unix account) 
and you will be surprised just how extendable the AD schema is. No, I 
think it is just down to politics, Windows versus Linux politics :-)


More information about the samba mailing list