On Tue, 2013-07-23 at 15:04 +0100, Jonathan Buzzard wrote:
> On Tue, 2013-07-23 at 14:39 +0100, Rowland Penny wrote:
> > Could this be yet another reason to use sssd instead of winbind?
> >
> > sssd does use the account gidNumber
> >
> > testuser
> >
> > primaryGroupID: 513
> > uidNumber: 3001106
> > gidNumber: 20513
> >
> > getent passwd testuser
> > testuser:*:3001106:20513:testuser:/home/DOMAIN/testuser:/bin/bash
> >
> >
>
> Not what I said. The primaryGroupID is an identifier for a group in AD,
> bit like a SID is (I don't get that either). So primaryGroupID 513 might
> refer to a group called sambausers, which has its own set of
> RFC2307bis attributes which include a gidNumber. Winbind uses the
> gidNumber of the primaryGroupID, not the primaryGroupID itself which is
> something entirely different.

I'd put good money on this working as both group and primary group:

getent group Domain\ Users
Domain Users:*:20513:

ldbsearch --url=/usr/local/samba/private/sam.ldb cn=Domain\ Users
# record 1
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
cn: Domain Users
description: All domain users
instanceType: 4
whenCreated: 20130605151145.0Z
uSNCreated: 3541
name: Domain Users
objectGUID: c684aa92-fd56-46d5-a4cf-8a46c459707b
objectSid: S-1-5-21-451355595-2219208293-2714859210-513
sAMAccountName: Domain Users
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=hh3,DC=site
isCriticalSystemObject: TRUE
memberOf: CN=Users,CN=Builtin,DC=hh3,DC=site
gidNumber: 20513
whenChanged: 20130605152357.0Z
objectClass: top
objectClass: posixGroup
objectClass: group
uSNChanged: 3792
distinguishedName: CN=Domain Users,CN=Users,DC=hh3,DC=site

There are problems in setting primaryGroupID to groups other than Domain
Users using S4 but as I understand it, the primary group will determine
the default group of the file ownership when a user creates a file. He
could be in many groups but files created by default will be of group of
the primary group.

>
> As such your example does not show what you think it does show because
> you have not shown the gidNumber of the group identified by
> primaryGroupID 513. I would say even if sssd uses the gidNumber of the
> user it would in my opinion be good practice to keep the gidNumber of
> the user the same as the gidNumber of the Windows primary group.
>
> Sometimes my mind boggles at just how much people don't understand AD
> and Samba in the Linux/Unix world.
>
> JAB.
>
> --
> Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
> Fife, United Kingdom.
>
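
Added example, not part of the original messages: a check for the practice recommended in the quoted reply, that a user's gidNumber equal the gidNumber of the group its primaryGroupID refers to. primaryGroupID is a RID, so the group's SID is the domain part of the user's SID with that RID appended. The domain SID, 513, 20513 and testuser come from the thread; the user RIDs 1105 and 1106, otheruser with gidNumber 100, and the simplified single-valued parser are constructed for illustration.

```python
# Constructed sample data; only the SID, 513, 20513 and testuser come from the thread.
DOMAIN_SID = "S-1-5-21-451355595-2219208293-2714859210"
LDIF = f"""\
dn: CN=Domain Users,CN=Users,DC=hh3,DC=site
objectSid: {DOMAIN_SID}-513
gidNumber: 20513

dn: CN=testuser,CN=Users,DC=hh3,DC=site
objectSid: {DOMAIN_SID}-1105
primaryGroupID: 513
gidNumber: 20513

dn: CN=otheruser,CN=Users,DC=hh3,DC=site
objectSid: {DOMAIN_SID}-1106
primaryGroupID: 513
gidNumber: 100
"""

def parse_records(text):
    """Parse 'attr: value' blocks separated by blank lines (single-valued attrs)."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                rec[key] = value
        records.append(rec)
    return records

def primary_group_sid(user):
    """primaryGroupID is a RID: append it to the domain part of the user's SID."""
    return f"{user['objectSid'].rsplit('-', 1)[0]}-{user['primaryGroupID']}"

def audit(records):
    """Return (dn, user gidNumber, primary group gidNumber) where the two differ."""
    by_sid = {r["objectSid"]: r for r in records}
    findings = []
    for user in (r for r in records if "primaryGroupID" in r):
        group_gid = by_sid.get(primary_group_sid(user), {}).get("gidNumber")
        if user.get("gidNumber") != group_gid:
            findings.append((user["dn"], user.get("gidNumber"), group_gid))
    return findings

if __name__ == "__main__":
    for dn, user_gid, group_gid in audit(parse_records(LDIF)):
        print(f"{dn}: gidNumber {user_gid}, primary group gidNumber {group_gid}")
```

A user whose primary group has no gidNumber, or cannot be found, is reported with None as the group value, since a POSIX GID cannot be derived for it.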