[Samba] question about winbind rid idmaping

Andrew Walker walker.aj325 at gmail.com
Thu Oct 29 11:56:29 UTC 2020

On Thu, Oct 29, 2020 at 7:21 AM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 29/10/2020 11:04, Andrea Cucciarre' via samba wrote:
> > Hello,
> >
> > I have just realized that winbind rid idmapping create the following
> > idmapping for user, below an example:
> >
> > # id HYPERFILE\\simone
> > *uid=11663*(HYPERFILE\simone) gid=10513(HYPERFILE\domain users)
> > groups=10513(HYPERFILE\domain
> > users),*11663*(HYPERFILE\simone),3011(BUILTIN\users)
> >
> > I'm confused about group mapping 11663(HYPERFILE\simone), winbind
> > created a mapping for a group that has same name and id as the user,
> > although such group doesn't exist in my AD domain.
> > This is causing issue in the ACL module that we are developing.
> > Does anybody know why winbind behave that way?
> No.
> I didn't think it could, the winbind 'rid' calculates the ID from the
> user or group RID and user & group names are unique. This means that you
> cannot have a user with the same name as a group, so you can only have
> one RID.
> The only thing that I know that can 'create' usergroups is sssd, so are
> you using this as well ?
> I think more info is required here, what OS ? What version of Samba ?
> Please post your smb.conf
> Rowland
> Several of the idmap backends (including idmap_rid) in samba support
id_type_both (the ID is both a user and a group). This is ultimately needed
for accurately producing Windows-style behavior regarding permissions
(where a group can be the owner of a file). Without knowing the details of
the ACL module, the best path forward would be for you to figure out how to
maintain windows-like behavior.

More information about the samba mailing list