> On 9 Dec 2016, at 17:54, Brian Candler via samba <samba at
lists.samba.org> wrote:
>
> On 08/12/2016 13:44, Oliver Heinz wrote:
>> So I gave Domain Users 99999 and voilà:
>>
>> root at m1:~# wbinfo -i SAMDOM\\demo01
>> SAMDOM\demo01:*:10000:99999:demo01:/home/demo01:/bin/bash
>>
>> Seems samba always uses the primaryGroupID which for demo01 is set to
'Domain Users'. Im just wondering a bit then why there is a gidNumber as
an user attribute, as it is not used in the posix context.
>
> I asked the same question recently:
>
> https://lists.samba.org/archive/samba/2016-November/204786.html
> https://lists.samba.org/archive/samba/2016-November/204810.html
>
> The answer is that Samba's own winbind doesn't use the user's
gidNumber, but other consumers of Active Directory may - including RedHat's
sssd-ad.
>
> => In the case of winbind, the user entry's gidNumber is ignored.
The user's gid is taken from the user's primary Windows group (which
*must* have a gidNumber, otherwise the user is entirely ignored by winbind)
>
> => In the case of sssd-ad, the user entry must have a uidNumber and
gidNumber, and that's all. There doesn't even have to be any group with
a corresponding gidNumber. The Windows primary group is ignored.
And note this newly highlighted section of the wiki, which deals with the UNIX
admin’s potential desire to “fix” this problem that users' primary group is
“wrong”.
https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
Kevin Davidson
Apple Certified System Administrator
Technical Director
t 01506 668674
m 07813 149620
w www.indigospring.co.uk
indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US
Follow us on Twitter - twitter.com/indigospringIT
<http://twitter.com/indigospringIT>
Members of the Apple Consultants Network - consultants.apple.com/uk
<http://consultants.apple.com/uk>
http://www.indigospring.co.uk/terms-and-conditions