Kaustubh Chaudhari wrote:
     Hi all,

   When I create a group in AD and add users to it, then with
   #getent group I can see the group and its members properly.

   But if I add a user to BUILTIN, say the BUILTIN Guests group, then I don't see
   its members.
   ==
    kktest:x:10026:kk,Administrator
    BUILTIN+Guests:x:10019:
   ==

   Here I have added the kk user to both the kktest and BUILTIN+Guests groups. But I
   can't see kk associated with BUILTIN Guests.

   I know that BUILTIN groups have SIDs predefined by Microsoft, and their
   mapping is done separately. (I found this in idmap.c)

   Is this normal behavior?

   Would appreciate if someone can explain the reasons for this.

   Regards,
   Kaustubh.

In general you need to define an Organizational Unit (OU), then define your groups and users inside that OU. It should then show up with Samba winbind.

Some don'ts:
Don't rename anything.
Don't drag and drop anything from one OU to another OU.
Don't make a user in one OU a member of a group in another OU.
It is not even a good idea to delete anything.
If you need to fix a typing mistake, define a new record - don't try to edit the mistake.
Make frequent backups of ADS.

Some dos:
Apply security policies to OUs, not to users.
Run ADS on VMware, so that you can take snapshots as backups.

The reason for the above cautions is that ADS (mostly) works using the GUIDs, while Samba uses the text strings. So you don't want to get in a situation where ADS re-uses an old GUID and changes to text strings are applied inconsistently, which confuses winbind, so changing any text string after it has been defined can also screw things up.

Hope that helps!

Herman