Dear Mathieu,

> Why don't your UNIX groups match your Windows groups? This is usually
> the case, with nss_winbind.

My site is mainly Linux; we have secondary groups in the /etc/group
file. I am trying to move from Samba3 to the Debian Samba4, setting up
Samba as an AD DC (for Windows10). I have the libnss-winbind package.
Still, Samba (winbindd?) seems to create separate "Domain\user" entities,
and does seem to add those to the groups that the Linux user belongs to.

> Alternatively, you can reverse the logic with idmap_nss.

I tried that, did not seem to help.

>> (Seems to me that Samba4.9 suffers from the same issue.)
> Have you tried it? ...

I had tried to build Samba 4.9.1 the "Debian way", following the method
in the "experimental" packages, but failed on my "stretch" machine due
to some version incompatibility issues. (Did not try the "native way"
with configure/make, thought it would be best to follow Debian.)

> ... This part of the code has changed a lot.

The file source3/auth/auth_util.c did not change that much between
4.5.12 and 4.9.1, the "essence" of my patch still seems to apply
(though not the patch file I posted).

> Also please note that we don't accept patches that are not merged
> upstream first.
> Additionally, this patch targets stable while it's not a security or
> stability patch.

Understood. I have been using my own Samba for years, can keep doing

Cheers, Paul
Paul Szabo
School of Mathematics and Statistics   University of Sydney    Australia
