[Samba] Is Samba unable to resolve secondary group membership?

Harald Hannelius harald+samba at arcada.fi
Thu Oct 8 10:24:54 UTC 2020

On Thu, 8 Oct 2020, Michael Schwarz via samba wrote:

> Am 08.10.20 um 10:41 schrieb Rowland penny via samba:
>> On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>>> The setup at our university is not quite trivial. I can understand that. 
>>> I'll try to explain it again in a different way:
>> Let's see if I understand this, you have one kerberos domain for the Linux 
>> machines and another kerberos domain for the Windows machines, you have 
>> virtually the same users and groups in both. Why two domains, why not just 
>> use the AD for both? This would make your setup trivial. I feel this is 
>> probably all down to department politics.
> Yes this is correct. I'm not sure why there are two domains. I'm not working 
> at the central computer center, but I'm sure they have their reasons why 
> they are doing it this way. We are only using this infrastructure. The LDAP 
> is storing much more information than only simple posixAccounts. It might be 
> that an AD is not so flexible if you want to store more than the standard 
> attributes. But I don't know in detail as I am not so familiar with Windows AD 
> services.

This sounds much like our University of Applied Sciences where we have been 
running Samba+OpenLDAP as a DC and an AD DS, both with the same users synced 
by our IDM.

When the time came to do something to the Samba+OpenLDAP I didn't feel like 
extending schemas in AD DS, but rather went the path of a Samba AD with 
users synced from our IDM so they apparently share the same usernames, 
albeit the domain part differs. username is not the same as AD\username.

The migration went fine, the only annoying thing being that people have to 
enter their passwords at least once.


Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020
