Hey Jerry,

Gerald (Jerry) Carter wrote:

Andreas Ladanyi wrote:

Ok! Could it be true that this behavior is different between
"security=domain" and "security=ads"?

Because we had to put the user into the group:
- first on the Windows side in Active Directory
- second on the unix side in AD in the tab "Members of"

so the winbind 3.0.24 client recognises the group membership on the unix side in "security=domain" mode.

Now we changed to Samba 3.0.31 with security=ads mode and the behavior is a bit different.

You lost me here.  Maybe due to the fact that I am accustomed
to the Windows 2003 R2 Unix Attribute tab.  The only member
of tab I see is to control the Windows group memberships.


The reason for my message is a little confusion:

In general you are right ;-)

There is one "UNIX attribute" tab and one "Members Of" tab.

During some tests we discovered the following facts
===================================================

In "UNIX attribute" tab:
========================

winbind is only interested in the UID field ->
in the ldap tree the attribute "uidnumber".

The other attributes from the "UNIX attribute" tab are written to the ldap tree, but not used by winbind on the linux side.

For example we set the following parameter in smb.conf:

winbind nss info = sfu

Of course we could define our own template shell/home with the "template home" and "template shell" parameters, but it's better if "sfu" works, so we would configure these parameters via the tab.

The "primary Group" is written to the ldap tree but not used by winbind on the unix side.

In "Members Of" tab:
====================

In this tab you can choose a group from a list, and there is a button you can click to set a Unix primary group. This will be read by winbind only. But this has no effect on the primary group ID on the "UNIX attribute" tab.




What do you say? Did we configure something wrong? Is this the normal function?

Thanks,
Andy