[Samba] question about winbind rid idmaping

Rowland penny rpenny at samba.org
Thu Oct 29 14:05:31 UTC 2020

On 29/10/2020 13:32, Ralph Boehme wrote:
> On 10/29/20 at 1:07 PM, Rowland penny via samba wrote:
>> On 29/10/2020 11:56, Andrew Walker wrote:
>>> Several of the idmap backends (including idmap_rid) in samba support
>>> id_type_both (the ID is both a user and a group). This is ultimately
>>> needed for accurately producing Windows-style behavior regarding
>>> permissions (where a group can be the owner of a file). Without
>>> knowing the details of the ACL module, the best path forward would be
>>> for you to figure out how to maintain windows-like behavior.
>> The only place that I have found id_type_both to be used, is in
>> idmap.ldb on a Samba AD DC.
> it's also supported by a bunch of idmap modules including rid and
> autorid, but not ad ...
>> Windows behaviour is for a group to be able
>> to own files.
> ...for exactly the same reason (plus others like supporting SID history).
> -slow
Then it seems to be working in the wrong direction. It is turning a user 
into a group, and a user can already 'own' things, both on Unix and 
Windows. If you use the winbind 'ad' backend, you get the choice of using 
a different group from the default Domain Users; what you do not get is 
a group with the same name as a user. From my point of view, there is 
absolutely no reason to use id_type_both on anything except a Samba AD 
DC, and it would seem that 'rid' and 'autorid' force this on you, 
whether you want it or not.

This in my opinion needs a different approach, no Unix user needs a 
usergroup in AD.
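As an added example (not part of the thread and not Samba's own code): a small Python model of the idmap_rid arithmetic documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, showing why every ID this backend hands out is of type "both", i.e. why the same number is returned for a SID whether winbind is asked for a uid or a gid. The class name RidIdmap, the domain SID S-1-5-21-1-2-3 and the range 1000000-1999999 are assumptions chosen for illustration, not values from the thread.

```python
"""Model of 'idmap config DOM : backend = rid' for one domain.

Added illustration only; it mirrors the mapping rule from idmap_rid(8):
    ID = RID - BASE_RID + LOW_RANGE_ID
and the fact that the rid backend has no per-SID type information, so the
resulting ID is usable as both a uid and a gid (id_type_both).
"""
import re
from typing import Optional

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>; the trailing component is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


class RidIdmap:
    # Assumed names; Samba's real implementation lives in C inside winbindd.
    def __init__(self, domain_sid: str, low: int, high: int, base_rid: int = 0):
        if low > high:
            raise ValueError("range low must not exceed high")
        self.domain_sid = domain_sid
        self.low = low
        self.high = high
        self.base_rid = base_rid

    def sid_to_id(self, sid: str) -> Optional[int]:
        """Return the Unix ID for a SID, or None if it is unmappable here."""
        m = SID_RE.match(sid)
        if not m:
            raise ValueError(f"not a domain SID: {sid}")
        if m.group(1) != self.domain_sid:
            return None  # belongs to another domain; winbind tries that domain's backend
        unix_id = int(m.group(2)) - self.base_rid + self.low
        if not self.low <= unix_id <= self.high:
            return None  # outside the configured range: the SID stays unmapped
        return unix_id

    # With id_type_both the uid and gid lookups are literally the same mapping.
    def sid_to_uid(self, sid: str) -> Optional[int]:
        return self.sid_to_id(sid)

    def sid_to_gid(self, sid: str) -> Optional[int]:
        return self.sid_to_id(sid)

    def id_to_sid(self, unix_id: int) -> Optional[str]:
        """Reverse mapping; the backend cannot tell a uid from a gid here either."""
        if not self.low <= unix_id <= self.high:
            return None
        rid = unix_id - self.low + self.base_rid
        return f"{self.domain_sid}-{rid}"


def usergroup_collision(idmap: RidIdmap, user_sid: str) -> bool:
    """True when a user SID also resolves as a group with the same numeric ID.

    This is the behaviour described in the thread: every user mapped by the
    rid backend also shows up as a group of the same number.
    """
    uid = idmap.sid_to_uid(user_sid)
    gid = idmap.sid_to_gid(user_sid)
    return uid is not None and uid == gid


if __name__ == "__main__":
    # Constructed sample domain and SIDs (RID 513 is Domain Users by convention).
    idmap = RidIdmap("S-1-5-21-1-2-3", low=1000000, high=1999999)
    user = "S-1-5-21-1-2-3-1104"
    group = "S-1-5-21-1-2-3-513"
    print("user uid :", idmap.sid_to_uid(user))
    print("user gid :", idmap.sid_to_gid(user))
    print("group gid:", idmap.sid_to_gid(group))
    print("user also appears as a group:", usergroup_collision(idmap, user))
    print("reverse  :", idmap.id_to_sid(1001104))
```

The reverse lookup makes the point most clearly: given 1001104 alone, the backend cannot know whether it was handed a uid or a gid, so getpwuid and getgrgid both lead back to the user's SID. An "ad" backend reads uidNumber and gidNumber from separate attributes and so does not produce this pairing.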

