[Samba] question about winbind rid idmaping

Ralph Boehme slow at samba.org
Fri Oct 30 11:42:21 UTC 2020


On 10/29/20 at 3:05 PM, Rowland penny via samba wrote:
> On 10/29/20 at 1:07 PM, Ralph Boehme via samba wrote:
>> On 29/10/2020 11:56, Andrew Walker wrote:
>>> Windows behaviour is for a group to be able to own files.
>> ...for exactly the same reason (plus others like supporting SID
>> history).
> 
> Then it seems to be working in the wrong direction. It is turning a
> user into a group, and a user can already 'own' things, both on Unix
> and Windows.

Yes, for good reason: the primary SID of a user can turn into an
additional SID in the NT token as the result of a domain migration. So in
order to have existing ACEs work with SID history, every user's primary
SID is mapped to both a uid and a gid, both are then added to the UNIX
token, and when creating ACEs, the ACE will always be a group ACE.

> If you use the winbind 'ad' backend, you get the choice of using a
> different group from the default Domain Users, what you do not get
> is a group with the same name as a user. From my point of view, there
> is absolutely no reason to use id_type_both on anything except a
> Samba AD DC and it would seem that 'rid' and 'autorid' forces this on
> you, whether you want it or not.

Certain semantics needed to behave like a Windows server can
only be implemented when using an idmapping module that supports id-type both.

-slow

-- 
Ralph Boehme, Samba Team                https://samba.org/
Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
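A small model of the mechanism Ralph describes above, added here as an example and not code from the thread or from Samba itself. It assumes two idmap_rid ranges (one per domain, low ends 10000 and 2000000), constructed domain SIDs, and a deliberately simplified NT token and ACE representation; it shows why an ACE stored as a group ACE still matches after the user's old primary SID has become SID history, while a user ACE would not.

```python
# Added example (not from the thread). Simplified model of winbind
# ID_TYPE_BOTH mapping with the idmap_rid algorithm (base_rid = 0):
#   ID = LOW_RANGE_ID + RID, handed out as both uid and gid.
from dataclasses import dataclass

# Constructed domain SIDs and assumed per-domain idmap_rid low range IDs.
OLD_DOMAIN = "S-1-5-21-1-1-1"   # domain the user is migrated from
NEW_DOMAIN = "S-1-5-21-2-2-2"   # domain the user is migrated to
LOW_RANGE_ID = {OLD_DOMAIN: 10000, NEW_DOMAIN: 2000000}

def rid_to_id(sid: str) -> int:
    """idmap_rid mapping for the SID's domain: LOW_RANGE_ID + RID."""
    domain, rid = sid.rsplit("-", 1)
    return LOW_RANGE_ID[domain] + int(rid)

@dataclass
class UnixToken:
    uid: int
    gids: set

def build_unix_token(primary_sid: str, extra_sids: list) -> UnixToken:
    """ID_TYPE_BOTH: the primary SID yields the uid *and* a gid; every
    additional SID in the NT token (groups, SID history) yields a gid."""
    uid = rid_to_id(primary_sid)
    gids = {uid} | {rid_to_id(s) for s in extra_sids}
    return UnixToken(uid=uid, gids=gids)

def ace_matches(ace: tuple, token: UnixToken) -> bool:
    """ACE is ("group", gid) or ("user", uid); group ACEs match any gid."""
    kind, xid = ace
    return xid in token.gids if kind == "group" else xid == token.uid

def sid_history_scenario() -> dict:
    """ACE created for a user before migration, checked before and after
    the user's primary SID turns into an additional (SID history) SID."""
    old_sid = f"{OLD_DOMAIN}-1105"
    group_ace = ("group", rid_to_id(old_sid))  # what Samba writes
    user_ace = ("user", rid_to_id(old_sid))    # what a plain uid ACE would be
    before = build_unix_token(old_sid, [f"{OLD_DOMAIN}-513"])
    after = build_unix_token(f"{NEW_DOMAIN}-2201",
                             [f"{NEW_DOMAIN}-513", old_sid])
    return {
        "group_ace_before": ace_matches(group_ace, before),
        "group_ace_after": ace_matches(group_ace, after),
        "user_ace_after": ace_matches(user_ace, after),
    }

if __name__ == "__main__":
    print(sid_history_scenario())
```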
