[Samba] idmap ad question

Rowland Penny rpenny at samba.org
Tue Feb 14 07:35:12 UTC 2023



On 13/02/2023 22:53, Vaughan, Robert J via samba wrote:
> 
>>> Were you running 'getent passwd' rather than 'getent passwd AUSERNAME' ?
> 
> Yes, I am used to getting that output with getent on my UNIX LDAP system.  As long as I can get it from wbinfo I suppose that works too.

Never understood why anyone requires all the users or groups on a 
regular basis; just as long as the OS knows a user or group, that should be 
enough.
As for wbinfo, that reads directly from AD, and as such, when using the 'ad' 
idmap backend, it doesn't mean all the users or groups are available on 
Unix; only the ones with a uidNumber or gidNumber will be.

> 
>>> To get all the users shown, you need 'winbind enum users = yes', but it
>>> isn't required and, as you have found out, it just slows things down.
> 
> So, I don't think giving a gidNumber to 'domain users' did anything useful for me.  All the AD users using UNIX or SAMBA have uidNumber and gidNumber set (along with homedir and shell) and the UNIX groups are all in AD too now.  I don't plan to use the standard AD groups (or ones created by Windows admins) for UNIX or SAMBA purposes.  Perhaps if I wasn't planning on assigning UID/GID using POSIX attributes or creating my own groups the 'domain users' becomes useful?

Then something appears to have changed: at one time, when using the 'ad' 
idmap backend, you had to give Domain Users a gidNumber, even when using 
'unix_primary_group = yes'. I also have never really understood why you 
would use that setting; what is wrong with using Domain Users? It isn't 
as if you can have a user group with the same name as the user.

Rowland
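For reference, the settings the thread is arguing about, as an added smb.conf example (not configuration posted by either participant): the 'ad' idmap backend, the 'unix_primary_group' switch, and enumeration turned off. The domain name SAMDOM / SAMDOM.EXAMPLE.COM and the ID ranges are assumptions; replace them with your own.

```ini
# /etc/samba/smb.conf on a Unix domain member (added example; domain and ranges are assumptions)
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS

   # Default backend for BUILTIN and any domain not listed explicitly below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # 'ad' backend: IDs are read from uidNumber/gidNumber in AD, so only the
   # accounts carrying those attributes resolve on Unix; the rest are visible
   # through wbinfo (which reads AD directly) but not through getent or id.
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999

   # Take loginShell and unixHomeDirectory from AD instead of the template.
   idmap config SAMDOM : unix_nss_info = yes

   # yes: the user's primary group comes from primaryGroupID (normally
   #      Domain Users), so that group needs a gidNumber or the user fails
   #      to resolve.
   # no:  the primary group comes from the gidNumber attribute on the user
   #      object itself, which is the setup the original poster describes.
   idmap config SAMDOM : unix_primary_group = yes

   # Enumeration is not required for logins or file access; with it on,
   # a bare 'getent passwd' walks the whole domain and is slow.
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
```

Validate the file with `testparm -s`, then compare `wbinfo -u` (every AD user) against `getent passwd SOMEUSER` or `id SOMEUSER` for a user with and without a uidNumber: only the former returns a passwd entry, which is the distinction Rowland draws above.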


