[Samba] Is Samba unable to resolve secondary group membership?
harald+samba at arcada.fi
Thu Oct 8 10:24:54 UTC 2020
On Thu, 8 Oct 2020, Michael Schwarz via samba wrote:
> On 08.10.20 at 10:41, Rowland penny via samba wrote:
>> On 08/10/2020 08:51, Michael Schwarz via samba wrote:
>>> The setup at our university is not quite trivial. I can understand that.
>>> I'll try to explain it again in a different way:
>> Let's see if I understand this, you have one kerberos domain for the Linux
>> machines and another kerberos domain for the Windows machines, you have
>> virtually the same users and groups in both. Why two domains, why not just
>> use the AD for both? This would make your setup trivial. I feel this is
>> probably all down to department politics.
> Yes, this is correct. I'm not sure why there are two domains. I'm not working
> at the central computer center, but I'm sure they have their reasons why
> they are doing it this way. We are only using this infrastructure. The LDAP
> is storing much more information than only simple posixAccounts. It might be
> that an AD is not so flexible if you want to store more than the standard
> attributes. But I don't know in detail as I am not so familiar with Windows AD
This sounds much like our University of Applied Sciences where we have been
running Samba+OpenLDAP as a DC and an AD DS, both with the same users synced
by our IDM.
When the time came to do something to the Samba+OpenLDAP I didn't feel like
extending schemas in AD DS, but rather went the path of a Samba AD with
users synced from our IDM so they apparently share the same usernames,
albeit the domain part differs. username is not the same as AD\username.
The migration went fine, the only annoying thing being that people have to
enter their passwords at least once.
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020