Rowland Penny
2015-Nov-12 13:32 UTC
[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
On 12/11/15 13:05, mathias dufresne wrote:
> That's for that same reason I don't agree and think it is not fair to not
> give Samba admins the choice.
> If all my 120000 users have primary group id set to 100, as you said all
> newly created objects on UNIX shares will be owned by group n°100 and so
> accessible to the whole company.

This is the way windows works, you need to use windows ACLs to set just
who has access etc.

> I'm too thick to see where is the security improvement in that.

It works for windows.

> Let's imagine 2s that a company wants to manage these worlds a little
> differently. If we are forced to use Windows primary group as UNIX primary
> group it seems to me difficult to manage these worlds differently.

If you use a version of a windows product, you have to use it like a
windows product. Windows ACLs give you broader scope to allow access. On
Unix you have ugo, owner:group:others i.e. one owner:one group:the entire
Unix world. On Windows it is: possibly allow every windows user: possibly
every windows group, you can also deny access and you can inherit
permissions.

> And I don't feel like I'm asking something really new or inventing
> anything: Microsoft designed its own AD with something to store Windows
> users primary group then some guys thought (fought certainly) together to
> produce rfc2307 which, strangely, comes with its own primary group
> attribute for UNIX world.

RFC2307 was designed for ldap and then taken up by windows for SFU.

> Refusing us the possibility to use that gidNumber attribute is, in my own
> opinion, equal to say rfc2307 contains bad ideas, at least regarding this
> attribute gidNumber.

No, it is just an artifact that you do not need, all you need to do is
create a group in AD, give that group a gidNumber, add a user to the group
and that user will have that group as one of its Unix groups.

Rowland

> That's exactly what I'm asking for months now and I deeply regret to not be
> better in development, I would have tried to help more (I tried but these
> tries just show me how much deep are my lacks of knowledge). And yes I'm
> asking for options, to give us choice. I don't say the choices made until
> now by Samba are wrong, I ask for options, for we can make different
> choices.
>
> Best regards,
>
> mathias
mathias dufresne
2015-Nov-12 13:48 UTC
[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
2015-11-12 14:32 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
> On 12/11/15 13:05, mathias dufresne wrote:
>> That's for that same reason I don't agree and think it is not fair to not
>> give Samba admins the choice.
>> If all my 120000 users have primary group id set to 100, as you said all
>> newly created objects on UNIX shares will be owned by group n°100 and so
>> accessible to the whole company.
>
> This is the way windows works, you need to use windows ACLs to set just
> who has access etc.
>
>> I'm too thick to see where is the security improvement in that.
>
> It works for windows.
>
>> Let's imagine 2s that a company wants to manage these worlds a little
>> differently. If we are forced to use Windows primary group as UNIX primary
>> group it seems to me difficult to manage these worlds differently.
>
> If you use a version of a windows product, you have to use it like a
> windows product. Windows ACLs give you broader scope to allow access. On
> Unix you have ugo, owner:group:others i.e. one owner:one group:the entire
> Unix world. On Windows it is: possibly allow every windows user: possibly
> every windows group, you can also deny access and you can inherit
> permissions.
>
>> And I don't feel like I'm asking something really new or inventing
>> anything: Microsoft designed its own AD with something to store Windows
>> users primary group then some guys thought (fought certainly) together to
>> produce rfc2307 which, strangely, comes with its own primary group
>> attribute for UNIX world.
>
> RFC2307 was designed for ldap and then taken up by windows for SFU.
>
>> Refusing us the possibility to use that gidNumber attribute is, in my own
>> opinion, equal to say rfc2307 contains bad ideas, at least regarding this
>> attribute gidNumber.
>
> No, it is just an artifact that you do not need, all you need to do is
> create a group in AD, give that group a gidNumber, add a user to the group
> and that user will have that group as one of its Unix groups.

Missed! Not by much, but still :)

You speak to me as if you were teaching a really-dumb-student beginning
Linux system administration. Do you think I'm dumb or do you think I begin
playing sysadmin?

One point you forgot here: the process you described is to give users
secondary groups when we are speaking about primary group.

You also forget in that process to specify I would need to force all my
users to use "sg" command at login time so that they switch one of their
secondary groups to the primary one. Because sometimes primary group in UNIX
world is important.

> Rowland
>
>> That's exactly what I'm asking for months now and I deeply regret to not be
>> better in development, I would have tried to help more (I tried but these
>> tries just show me how much deep are my lacks of knowledge). And yes I'm
>> asking for options, to give us choice. I don't say the choices made until
>> now by Samba are wrong, I ask for options, for we can make different
>> choices.
>>
>> Best regards,
>>
>> mathias
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Nov-12 14:13 UTC
[Samba] [samba] How to configure Winbind to use uidNumber and gidNumber
On 12/11/15 13:48, mathias dufresne wrote:
> 2015-11-12 14:32 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>> On 12/11/15 13:05, mathias dufresne wrote:
>>> That's for that same reason I don't agree and think it is not fair to not
>>> give Samba admins the choice.
>>> If all my 120000 users have primary group id set to 100, as you said all
>>> newly created objects on UNIX shares will be owned by group n°100 and so
>>> accessible to the whole company.
>>
>> This is the way windows works, you need to use windows ACLs to set just
>> who has access etc.
>>
>>> I'm too thick to see where is the security improvement in that.
>>
>> It works for windows.
>>
>>> Let's imagine 2s that a company wants to manage these worlds a little
>>> differently. If we are forced to use Windows primary group as UNIX primary
>>> group it seems to me difficult to manage these worlds differently.
>>
>> If you use a version of a windows product, you have to use it like a
>> windows product. Windows ACLs give you broader scope to allow access. On
>> Unix you have ugo, owner:group:others i.e. one owner:one group:the entire
>> Unix world. On Windows it is: possibly allow every windows user: possibly
>> every windows group, you can also deny access and you can inherit
>> permissions.
>>
>>> And I don't feel like I'm asking something really new or inventing
>>> anything: Microsoft designed its own AD with something to store Windows
>>> users primary group then some guys thought (fought certainly) together to
>>> produce rfc2307 which, strangely, comes with its own primary group
>>> attribute for UNIX world.
>>
>> RFC2307 was designed for ldap and then taken up by windows for SFU.
>>
>>> Refusing us the possibility to use that gidNumber attribute is, in my own
>>> opinion, equal to say rfc2307 contains bad ideas, at least regarding this
>>> attribute gidNumber.
>>
>> No, it is just an artifact that you do not need, all you need to do is
>> create a group in AD, give that group a gidNumber, add a user to the group
>> and that user will have that group as one of its Unix groups.
>
> Missed! Not by much, but still :)
>
> You speak to me as if you were teaching a really-dumb-student beginning
> Linux system administration. Do you think I'm dumb or do you think I begin
> playing sysadmin?

No, I think you are a Unix sysadmin lost in a windows AD world :-)

> One point you forgot here: the process you described is to give users
> secondary groups when we are speaking about primary group.

Yes, but in an AD world, there isn't really that much difference between a
primary and a secondary group.

> You also forget in that process to specify I would need to force all my
> users to use "sg" command at login time so that they switch one of their
> secondary groups to the primary one. Because sometimes primary group in UNIX
> world is important.

Yes, in a UNIX world, you need to think in a windows way instead.

I give in, you go your way and I will go mine, there is very little chance
we are going to agree on this.

Rowland
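The thread above argues over two ways of deriving a user's Unix primary group from AD: taking it from the Windows primary group (primaryGroupID, resolved to that group's gidNumber) or taking it from the user's own rfc2307 gidNumber. The following Python is an added example, not code from the thread, from Samba or from winbind; it models both policies over a constructed sample of AD-like records (the user and group entries, RIDs and gidNumber values are invented for the example, with 513 used as the well-known RID of "Domain Users") and audits the outcome Mathias describes: how many users end up sharing one primary gid, and therefore which gid every newly created file on a share would default to. It also lists users that get no primary gid at all, which is the failure mode when the referenced group carries no gidNumber.

```python
"""Model the two Unix primary-group policies discussed on the list.

Added illustration only: this is not Samba/winbind code, and the records
below are constructed sample data, not taken from any real directory.
"""
from collections import Counter

# Constructed sample groups, keyed by RID (the last component of the group
# SID, which is what a user's primaryGroupID refers to). 513 is the
# well-known RID of "Domain Users"; the gidNumber values are made up.
GROUPS = {
    513:  {"name": "Domain Users", "gidNumber": 100},
    1101: {"name": "finance",      "gidNumber": 10001},
    1102: {"name": "engineering",  "gidNumber": 10002},
    1103: {"name": "no-unix-gid",  "gidNumber": None},  # no rfc2307 attribute
}

# Constructed sample users: primaryGroupID is the Windows primary group RID,
# gidNumber is the rfc2307 attribute the thread argues about, memberOf holds
# secondary group RIDs.
USERS = [
    {"name": "alice", "primaryGroupID": 513,  "gidNumber": 10001, "memberOf": [1101]},
    {"name": "bob",   "primaryGroupID": 513,  "gidNumber": 10002, "memberOf": [1102]},
    {"name": "carol", "primaryGroupID": 513,  "gidNumber": 10002, "memberOf": [1102, 1101]},
    {"name": "dave",  "primaryGroupID": 1103, "gidNumber": 10001, "memberOf": []},
    {"name": "erin",  "primaryGroupID": 513,  "gidNumber": None,  "memberOf": [1101]},
]


def unix_primary_gid(user, policy):
    """Return the Unix primary gid a user gets under a policy, or None if the
    user cannot be given one.

    'windows': gidNumber of the group named by primaryGroupID (the behaviour
               the thread says admins are forced into).
    'rfc2307': the user's own gidNumber (the option the thread asks for).
    """
    if policy == "windows":
        group = GROUPS.get(user["primaryGroupID"])
        return group["gidNumber"] if group else None
    if policy == "rfc2307":
        return user["gidNumber"]
    raise ValueError(f"unknown policy {policy!r}")


def unix_secondary_gids(user):
    """Secondary Unix groups: each memberOf group that carries a gidNumber.
    This is the route Rowland describes (group with gidNumber + membership);
    it never changes which gid new files are created with."""
    return sorted(
        GROUPS[rid]["gidNumber"]
        for rid in user["memberOf"]
        if rid in GROUPS and GROUPS[rid]["gidNumber"] is not None
    )


def audit(users, policy):
    """Summarise a policy over the whole user set.

    Returns (shared, unmapped): 'shared' maps each primary gid to the number
    of users holding it, 'unmapped' lists users with no primary gid. A gid
    held by nearly everyone means files created with default permissions on
    a share are group-accessible to nearly everyone, unless ACLs restrict
    them, which is the exposure Mathias points at.
    """
    shared = Counter()
    unmapped = []
    for user in users:
        gid = unix_primary_gid(user, policy)
        if gid is None:
            unmapped.append(user["name"])
        else:
            shared[gid] += 1
    return dict(shared), unmapped


if __name__ == "__main__":
    for policy in ("windows", "rfc2307"):
        shared, unmapped = audit(USERS, policy)
        print(f"{policy:8s} primary gids {shared}  unmapped {unmapped}")
```

Under the "windows" policy every sample user whose primary group is Domain Users collapses onto gid 100, and the one user whose Windows primary group has no gidNumber gets no mapping; under "rfc2307" the primary gids spread out across the rfc2307 values, and the user with no gidNumber is the one left unmapped. Either way the audit function is the check to run before switching policy on a real domain: count the primary gids and list the unmapped users first.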