Hello,

I have just realized that winbind rid idmapping creates the following idmapping for a user; below is an example:

# id HYPERFILE\\simone
*uid=11663*(HYPERFILE\simone) gid=10513(HYPERFILE\domain users) groups=10513(HYPERFILE\domain users),*11663*(HYPERFILE\simone),3011(BUILTIN\users)

I'm confused about the group mapping 11663(HYPERFILE\simone): winbind created a mapping for a group that has the same name and id as the user, although such a group doesn't exist in my AD domain.
This is causing an issue in the ACL module that we are developing.
Does anybody know why winbind behaves that way?

Thanks
Andrea

On 29/10/2020 11:04, Andrea Cucciarre' via samba wrote:
> Hello,
>
> I have just realized that winbind rid idmapping creates the following
> idmapping for a user; below is an example:
>
> # id HYPERFILE\\simone
> *uid=11663*(HYPERFILE\simone) gid=10513(HYPERFILE\domain users)
> groups=10513(HYPERFILE\domain
> users),*11663*(HYPERFILE\simone),3011(BUILTIN\users)
>
> I'm confused about the group mapping 11663(HYPERFILE\simone): winbind
> created a mapping for a group that has the same name and id as the user,
> although such a group doesn't exist in my AD domain.
> This is causing an issue in the ACL module that we are developing.
> Does anybody know why winbind behaves that way?

No.

I didn't think it could, the winbind 'rid' calculates the ID from the user or group RID and user & group names are unique. This means that you cannot have a user with the same name as a group, so you can only have one RID.

The only thing that I know that can 'create' usergroups is sssd, so are you using this as well?

I think more info is required here: what OS? What version of Samba? Please post your smb.conf

Rowland

On Thu, Oct 29, 2020 at 7:21 AM Rowland penny via samba <samba at lists.samba.org> wrote:
> On 29/10/2020 11:04, Andrea Cucciarre' via samba wrote:
> > Hello,
> >
> > I have just realized that winbind rid idmapping creates the following
> > idmapping for a user; below is an example:
> >
> > # id HYPERFILE\\simone
> > *uid=11663*(HYPERFILE\simone) gid=10513(HYPERFILE\domain users)
> > groups=10513(HYPERFILE\domain
> > users),*11663*(HYPERFILE\simone),3011(BUILTIN\users)
> >
> > I'm confused about the group mapping 11663(HYPERFILE\simone): winbind
> > created a mapping for a group that has the same name and id as the user,
> > although such a group doesn't exist in my AD domain.
> > This is causing an issue in the ACL module that we are developing.
> > Does anybody know why winbind behaves that way?
>
> No.
>
> I didn't think it could, the winbind 'rid' calculates the ID from the
> user or group RID and user & group names are unique. This means that you
> cannot have a user with the same name as a group, so you can only have
> one RID.
>
> The only thing that I know that can 'create' usergroups is sssd, so are
> you using this as well?
>
> I think more info is required here: what OS? What version of Samba?
> Please post your smb.conf
>
> Rowland
>

Several of the idmap backends (including idmap_rid) in Samba support id_type_both (the ID is both a user and a group). This is ultimately needed for accurately producing Windows-style behavior regarding permissions (where a group can be the owner of a file). Without knowing the details of the ACL module, the best path forward would be for you to figure out how to maintain Windows-like behavior.
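
The following is an added example, not part of the thread or of Samba's code: it parses the `id` output quoted above, reports IDs that resolve as both the user and a same-named group (the id_type_both case), and inverts the formula documented for idmap_rid, ID = RID - BASE_RID + LOW_RANGE_ID. The function names are hypothetical, and the range start of 10000 is an assumption inferred from Domain Users (well-known RID 513) mapping to 10513; the poster's smb.conf is not shown in the thread.

```python
import re

# Constructed sample: the `id` output from the thread, emphasis asterisks removed.
SAMPLE_ID_OUTPUT = (
    r"uid=11663(HYPERFILE\simone) gid=10513(HYPERFILE\domain users) "
    r"groups=10513(HYPERFILE\domain users),11663(HYPERFILE\simone),3011(BUILTIN\users)"
)

ENTRY = re.compile(r"(\d+)\(([^)]*)\)")  # one "number(name)" pair


def parse_id_output(text):
    """Return (uid, user_name, {gid: group_name}) from one line of `id` output."""
    m = re.search(r"uid=(\d+)\(([^)]*)\)", text)
    if not m:
        raise ValueError("no uid= field found")
    uid, user = int(m.group(1)), m.group(2)
    groups = {}
    groups_field = re.search(r"groups=(.*)$", text)
    if groups_field:
        for gid, name in ENTRY.findall(groups_field.group(1)):
            groups[int(gid)] = name
    return uid, user, groups


def both_type_ids(text):
    """IDs listed as a group with the same number and name as the user."""
    uid, user, groups = parse_id_output(text)
    return [gid for gid, name in groups.items()
            if gid == uid and name.casefold() == user.casefold()]


def rid_from_unix_id(unix_id, range_low, base_rid=0):
    """Invert ID = RID - BASE_RID + LOW_RANGE_ID (idmap_rid; base_rid defaults to 0)."""
    return unix_id - range_low + base_rid


if __name__ == "__main__":
    ASSUMED_RANGE_LOW = 10000  # assumption, see lead-in
    for unix_id in both_type_ids(SAMPLE_ID_OUTPUT):
        rid = rid_from_unix_id(unix_id, ASSUMED_RANGE_LOW)
        print(f"id {unix_id} is both uid and gid; RID under assumed range: {rid}")
```

An ACL module can use a check like `both_type_ids` to recognise that the extra group entry refers to the same SID as the user rather than to a separate AD group.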