[Samba] idmap ad question

Vaughan, Robert J vaughar2 at gdls.com
Tue Feb 14 11:41:24 UTC 2023

On 13/02/2023 22:53, Vaughan, Robert J via samba wrote:
>>> Were you running 'getent passwd' rather than 'getent passwd AUSERNAME' ?
> Yes, I am used to getting that output with getent on my UNIX LDAP system.  As long as I can get it from wbinfo I suppose that works too.

>>Never understood why anyone requires all the users or groups on a 
>>regular basis, just as long as the OS knows a user or group should be 
>>As for wbinfo, that reads directly from AD and as such, using the 'ad' 
>>idmap backend, doesn't mean all the users or groups are available on 
>>Unix, only the ones with a uidNumber or gidNumber will be.

>>> To get all the users shown, you need 'winbind enum users = yes', but it
>>> isn't required and, as you have found out, it just slows things down.
> So, I don't think giving a gidNumber to 'domain users' did anything useful for me.  All the AD users using UNIX or SAMBA have uidNumber and gidNumber set (along with homedir and shell), and the UNIX groups are all in AD too now.  I don't plan to use the standard AD groups (or ones created by Windows admins) for UNIX or SAMBA purposes.  Perhaps if I wasn't planning on assigning UID/GID using POSIX attributes or creating my own groups, 'domain users' becomes useful?

>>Then something appears to have changed, at one time, when using the 'ad' 
>>idmap backend, you had to give Domain Users a gidNumber, even when using 
>>'unix_primary_group = yes'. I also have never really understood why you 
>>would use that setting, what is wrong with using Domain Users ? It isn't 
>>as if you can have a user group with the same name as the user.

I am the UNIX admin and don't have a use for the Domain Users group, since not all domain users will be UNIX (or SAMBA) users.

What do you mean by "It isn't as if you can have a user group with the same name as the user"?  We currently do have group names in UNIX (local and in LDAP) that are the same as a user (not a real person, but a shared/admin type account for an application) - is there some problem for AD with that?  I thought all it cared about was the SID?


Robert Vaughan
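For reference, the smb.conf settings under discussion (the 'ad' idmap backend with RFC 2307 attributes, 'unix_primary_group' and 'winbind enum users') look like this on a domain member. This is an added example, not from the thread or from the Samba project's documentation; the domain name SAMDOM, the realm and the ID ranges are placeholders and the range must cover the uidNumber/gidNumber values actually set in AD:

```ini
# Added example of a Samba domain-member smb.conf (assumed domain SAMDOM,
# realm SAMDOM.EXAMPLE.COM, placeholder ranges). Not taken from the thread.
[global]
   workgroup = SAMDOM
   realm = SAMDOM.EXAMPLE.COM
   security = ADS

   # Default backend for SIDs with no explicit mapping (BUILTIN, well-known SIDs).
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # The domain itself uses the 'ad' backend: uidNumber/gidNumber are read
   # from AD, so only objects carrying those attributes, and only values
   # inside this range, become UNIX users and groups.
   idmap config SAMDOM : backend = ad
   idmap config SAMDOM : schema_mode = rfc2307
   idmap config SAMDOM : range = 10000-999999

   # Take loginShell and unixHomeDirectory from AD rather than the templates.
   idmap config SAMDOM : unix_nss_info = yes

   # Use the user's own gidNumber as the primary group instead of the
   # gidNumber of the user's Windows primary group (normally Domain Users).
   idmap config SAMDOM : unix_primary_group = yes

   # Enumeration is what makes a plain 'getent passwd' list every domain
   # user; it is not needed for lookups by name and is slow, so leave it off.
   winbind enum users = no
   winbind enum groups = no

   winbind use default domain = yes
   winbind refresh tickets = yes

   # Fallbacks only used when unix_nss_info is not satisfied from AD.
   template shell = /bin/bash
   template homedir = /home/%U
```

With enumeration off, 'getent passwd AUSERNAME' and 'id AUSERNAME' still resolve any user that has a uidNumber in the configured range, while 'getent passwd' on its own will list only local accounts; 'wbinfo -u' queries AD directly and therefore shows every domain user regardless of whether it has POSIX attributes.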

