On Sat, 10 Dec 2016 09:07:13 +0000 Kevin Davidson via samba <samba at lists.samba.org> wrote:

> And note this newly highlighted section of the wiki, which deals with
> the UNIX admin’s potential desire to “fix” this problem that users'
> primary group is “wrong”.
>
> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites

Care to expand on what is 'wrong' with it ???

Rowland
> On 10 Dec 2016, at 09:23, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 10 Dec 2016 09:07:13 +0000
> Kevin Davidson via samba <samba at lists.samba.org> wrote:
>
>> And note this newly highlighted section of the wiki, which deals with
>> the UNIX admin’s potential desire to “fix” this problem that users'
>> primary group is “wrong”.
>>
>> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
>
> Care to expand on what is 'wrong' with it ???

It’s not the Wiki that’s wrong. I was referring to this section from the earlier message:

> => In the case of winbind, the user entry's gidNumber is ignored. The user's gid is taken from the user's primary Windows group (which *must* have a gidNumber, otherwise the user is entirely ignored by winbind)

This will become clear in testing with getent. No matter what group the admin has set as the primary group for a user, it will stubbornly show up as Domain Users. To a typical UNIX admin’s eyes this behaviour is wrong and they may be tempted to “fix” this by removing users from Domain Users and putting them in a different Windows primary group to better match their own organisation’s org chart. Doing that is a very bad thing for Windows.

In this case it sounds like sssd behaviour better matches the UNIX admin’s expectations, but there will always be compromises trying to merge together Windows and UNIX schemes. Maybe with Microsoft’s newfound love for Linux this will change in future...

Kevin Davidson
Apple Certified System Administrator
Technical Director
t 01506 668674 m 07813 149620 w www.indigospring.co.uk
indigospring (Scotland) Ltd
Registered in Scotland No. SC398572
Registered office: 103 Oldwood Place, Livingston EH54 6US
Follow us on Twitter - twitter.com/indigospringIT
Members of the Apple Consultants Network - consultants.apple.com/uk
http://www.indigospring.co.uk/terms-and-conditions
On Sat, 10 Dec 2016 09:44:44 +0000 Kevin Davidson via samba <samba at lists.samba.org> wrote:

> > On 10 Dec 2016, at 09:23, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > On Sat, 10 Dec 2016 09:07:13 +0000
> > Kevin Davidson via samba <samba at lists.samba.org> wrote:
> >
> >> And note this newly highlighted section of the wiki, which deals
> >> with the UNIX admin’s potential desire to “fix” this problem that
> >> users' primary group is “wrong”.
> >>
> >> https://wiki.samba.org/index.php/Idmap_config_ad#Prerequisites
> >
> > Care to expand on what is 'wrong' with it ???
>
> It’s not the Wiki that’s wrong. I was referring to this section from
> the earlier message:
>
> > => In the case of winbind, the user entry's gidNumber is ignored.
> > The user's gid is taken from the user's primary Windows group
> > (which *must* have a gidNumber, otherwise the user is entirely
> > ignored by winbind)
>
> This will become clear in testing with getent. No matter what group
> the admin has set as the primary group for a user it will stubbornly
> show up as Domain Users. To a typical UNIX admin’s eyes this
> behaviour is wrong and they may be tempted to “fix” this by removing
> users from Domain Users and putting them in a different Windows
> primary group to better match their own organisation’s org chart.
> Doing that is a very bad thing for Windows.

It is not so much the user's 'primary group', it is the user's 'Unix primary group'. From a Unix perspective, a user can also have a private user group; this is not allowed via AD. Any gidNumber added to a user in AD is ignored by winbind; it goes for the 'primaryGroupID' attribute, and this is always set to '513', which is the Domain Users group.

You can change this, but it is not simple, there is no need to do it, and Windows gets upset if you do.

> In this case it sounds like sssd behaviour better matches the UNIX
> admin’s expectations, but there will always be compromises trying to
> merge together Windows and UNIX schemes. Maybe with Microsoft’s
> newfound love for Linux this will change in future...

How sssd does things isn't anything to do with Samba and may not be the best way of doing things. As for Microsoft, well I wouldn't hold my breath ;-)

Rowland
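The resolution rule the thread describes (winbind ignores the user's own gidNumber, takes the gid from the group named by primaryGroupID, and drops the user if that group has no gidNumber), as an added model to check an AD export against before trusting getent; this is illustrative code, not Samba's implementation, and the domain SID, RIDs and records are constructed.

```python
# Added model of the winbind (idmap_ad) rule discussed in this thread:
# the user's gidNumber attribute is ignored; the gid comes from the group
# whose RID is the user's primaryGroupID (513 = Domain Users by default),
# and that group must carry a gidNumber or the user is not resolved at all.
# Not Samba code; all SIDs, RIDs and records below are constructed.
from typing import Dict, List, Optional

DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed domain SID

# Constructed group records keyed by objectSid (domain SID + RID).
GROUPS: Dict[str, Dict] = {
    f"{DOMAIN_SID}-513":  {"name": "Domain Users", "gidNumber": 10000},
    f"{DOMAIN_SID}-1105": {"name": "engineering"},               # no gidNumber set
    f"{DOMAIN_SID}-1106": {"name": "finance", "gidNumber": 10002},
}

# Constructed user records. Note alice's gidNumber disagrees with her
# primaryGroupID, the situation a UNIX admin is tempted to "fix".
USERS: Dict[str, Dict] = {
    "alice": {"primaryGroupID": 513,  "gidNumber": 10002},
    "bob":   {"primaryGroupID": 1105, "gidNumber": 10002},  # primary group lacks gidNumber
    "carol": {"primaryGroupID": 1106},                      # no gidNumber on the user
}


def winbind_gid(user: str) -> Optional[int]:
    """gid as winbind resolves it: only via primaryGroupID -> group gidNumber.

    Returns None when the primary group has no gidNumber, i.e. the case the
    thread describes as the user being entirely ignored by winbind.
    """
    rid = USERS[user]["primaryGroupID"]
    group = GROUPS.get(f"{DOMAIN_SID}-{rid}", {})
    return group.get("gidNumber")


def rfc2307_gid(user: str) -> Optional[int]:
    """gid as a plain RFC2307 lookup (the UNIX admin's expectation) reads it."""
    return USERS[user].get("gidNumber")


def unresolved_users() -> List[str]:
    """Users winbind would silently drop: primary group without a gidNumber."""
    return [u for u in USERS if winbind_gid(u) is None]


if __name__ == "__main__":
    for u in USERS:
        print(f"{u}: winbind gid={winbind_gid(u)}, user gidNumber={rfc2307_gid(u)}")
    print("ignored by winbind:", unresolved_users())
```

Running it shows alice resolving to Domain Users (10000) despite her gidNumber of 10002, and bob missing entirely because 'engineering' has no gidNumber.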