[Samba] question about winbind rid idmaping
rpenny at samba.org
Thu Oct 29 14:05:31 UTC 2020
On 29/10/2020 13:32, Ralph Boehme wrote:
> Am 10/29/20 um 1:07 PM schrieb Rowland penny via samba:
>> On 29/10/2020 11:56, Andrew Walker wrote:
>>> Several of the idmap backends (including idmap_rid) in samba support
>>> id_type_both (the ID is both a user and a group). This is ultimately
>>> needed for accurately producing Windows-style behavior regarding
>>> permissions (where a group can be the owner of a file). Without
>>> knowing the details of the ACL module, the best path forward would be
>>> for you to figure out how to maintain windows-like behavior.
>> The only place that I have found id_type_both to be used, is in
>> idmap.ldb on a Samba AD DC.
> it's also supported by a bunch of idmap modules including rid and
> autorid, but not ad ...
>> Windows behaviour is for a group to be able
>> to own files.
> ...for exactly the same reason (plus others like supporting SID history).
Then it seems to be working in the wrong direction. It is turning a user
into a group, and a user can already 'own' things, both on Unix and
Windows. If you use the winbind 'ad' backend, you get the choice of using
a different group from the default Domain Users; what you do not get is
a group with the same name as a user. From my point of view, there is
absolutely no reason to use id_type_both on anything except a Samba AD
DC, and it would seem that 'rid' and 'autorid' force this on you,
whether you want it or not.
This in my opinion needs a different approach, no Unix user needs a
usergroup in AD.
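For readers following the thread, this is an added smb.conf fragment (not part of the list post, and not Samba's documentation) showing the kind of domain-member configuration in which the 'rid' backend discussed above is in use. The workgroup, realm and ranges are placeholders; only the keys and the backend names come from what the thread describes.

```ini
[global]
   ; Placeholder domain values, not taken from the thread
   workgroup = EXAMPLE
   realm = EXAMPLE.COM
   security = ADS

   ; Default (*) backend covers BUILTIN and any SID outside the domain range
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   ; Algorithmic rid backend for the domain: the ID is derived from the
   ; RID plus the range base, and the same number is handed back for
   ; both the uid and the gid lookup (ID_TYPE_BOTH), which is the
   ; behaviour the thread is debating.
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
```

With this in place, `wbinfo --sid-to-uid <SID>` and `wbinfo --sid-to-gid <SID>` for a domain SID both resolve to the same number, which is how to confirm on a member server that the rid backend is mapping the object as both a user and a group. Replace `<SID>` with a real domain SID from `wbinfo -n`; no SID is assumed here.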