[Samba] Group members via LDAP
Troels Arvin
troels at arvin.dk
Wed Feb 8 22:32:23 UTC 2023
Hello,
Rowland Penny wrote:
> Why was the primaryGroupID changed ?
That must be a consequence of the users not having "Domain Users" as
primary group.
> If you are running a Samba AD DC on Fedora using the Fedora Samba
> packages, then you are using MIT Kerberos, which Samba has marked as
> experimental.
Ah, OK. This particular setup is not an important production
installation. It's a setup to learn what is likely to be possible in a
production setup in the future.
>> The LDAP client is also Fedora 37, Samba client version also 4.17.5;
>> this host is joined to the Samba AD domain using "realm join ...".
>
> This is, in my opinion, the wrong way of joining, you should have used
> 'net ads join'.
I thought "realm" does more, when you want the Linux host to be well
integrated into the AD using SSSD. I could be wrong.
> Where are the shares ?
The DC server has no shares. There is another server in the setup which
exports directories in the form of NFS and SMB shares.
> I will not comment until I know why you have removed everyone from
> Domain Users, there is probably a good idea why this was done, but I
> cannot think of one.
In the setup, there are some Linux hosts joined with the AD. On the
Linux host, it's nicer to have a simple, short, non-space-containing
group name as the primary group, I thought. But if it results in all
sorts of trouble, then I suppose it was a mistake.
As you may have seen in another mail in this thread, I've found a way to
get a complete member list, even though it requires me to iterate
through all groups explicitly asking for primaryGroupToken.
--
Regards,
Troels Arvin
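
The message above mentions building a complete member list by asking each group for its primaryGroupToken. The following is an added example, not part of the original post or of Samba: it merges each group's `member` attribute with the users whose `primaryGroupID` equals that group's `primaryGroupToken`. The entries, DNs, RIDs and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): entries shaped like LDAP search
# results from an AD DC, with objectClass simplified to a single value.
# primaryGroupToken is only returned when it is requested explicitly.
BASE = "CN=Users,DC=example,DC=test"
ENTRIES = [
    {"dn": f"CN=Domain Users,{BASE}", "objectClass": "group",
     "primaryGroupToken": 513, "member": []},
    {"dn": f"CN=staff,{BASE}", "objectClass": "group",
     "primaryGroupToken": 1105, "member": [f"CN=carol,{BASE}"]},
    {"dn": f"CN=alice,{BASE}", "objectClass": "user", "primaryGroupID": 1105},
    {"dn": f"CN=bob,{BASE}", "objectClass": "user", "primaryGroupID": 1105},
    {"dn": f"CN=carol,{BASE}", "objectClass": "user", "primaryGroupID": 513},
]


def primary_member_filter(token):
    """LDAP filter selecting users whose primary group has this token (RID)."""
    return f"(&(objectClass=user)(primaryGroupID={int(token)}))"


def complete_membership(entries):
    """Map each group DN to explicit, primary-only and combined member lists."""
    by_primary = defaultdict(set)
    for e in entries:
        if e["objectClass"] == "user":
            by_primary[e["primaryGroupID"]].add(e["dn"])
    result = {}
    for e in entries:
        if e["objectClass"] != "group":
            continue
        explicit = set(e.get("member", []))  # what the member attribute shows
        primary = by_primary.get(e["primaryGroupToken"], set())
        result[e["dn"]] = {
            "explicit": sorted(explicit),
            "primary_only": sorted(primary - explicit),  # absent from member
            "all": sorted(explicit | primary),
        }
    return result


if __name__ == "__main__":
    for dn, m in complete_membership(ENTRIES).items():
        print(dn)
        print("  member attribute:  ", m["explicit"])
        print("  via primaryGroupID:", m["primary_only"])
```
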