Sorry, I come back to that:

> Not sure what you are getting at here, if you add a user to a group in
> AD, you not only get a record in the group object, you also get a
> record in the users object
> dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> .....
> member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
> .....
> memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
> So you don't have to modify the user at all, again samba-tool can do
> things like this for you, see 'samba-tool group --help'

Because it's not clear to me how group management works in AD. I'm using
'Active Directory Users and Computers', so I think a pretty standard
tool. Some questions.

a) I've not found 'member' in the user object.

b) membership is accounted in groups via the 'member' field in the group
 object. Membership is expressed as the full user DN.

c) if, for the group object, I add some member in 'UNIX Attributes',
 they are not saved (e.g., if I add some user and I do 'Apply' and then
'OK', if I come back to the group, UNIX attributes membership are

d) if, for a user, I set a primary group in 'Member of' (NOT UNIX
 attributes), the user object gets a 'primaryGroupID' attribute with the RID
of the group, and the related 'member' data in the group DISAPPEARS. Argh!

So, it seems to me that:

1) probably through my fault, some of the UNIX data (e.g., group membership)
 does not work. I think it can also be irrelevant, because winbind/sssd
get UNIX membership another way (e.g., ''windows'' membership and not
UNIX/rfc2203 ones).

2) if I need to know which users belong to group 'X', I have to collect all
 DNs listed in 'member' of that group, AND all users that have
the RID of the group as 'primaryGroupID'.

I'm again a bit confused... ;-(((
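
The membership rule described in point 2 above, as an added example that is not part of the original post: it combines a group's 'member' DNs with the users whose 'primaryGroupID' equals the group's RID. It assumes objectSid is available in string form and that the LDIF is plain text; the SID, the RIDs and the "Test User" entry are constructed sample data.

```python
# Constructed sample data in LDIF form; SID, RIDs and "Test User" are invented.
SAMPLE_LDIF = """\
dn: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com
objectClass: group
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
member: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=Rowland Penny,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
primaryGroupID: 513
memberOf: CN=Unixgroup,CN=Users,DC=samdom,DC=example,DC=com

dn: CN=Test User,CN=Users,DC=samdom,DC=example,DC=com
objectClass: user
primaryGroupID: 1105
"""


def parse_ldif(text):
    """Parse plain (non-base64) LDIF into {dn: {attr_lowercase: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # folded continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = {}
        for line in lines:
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        if "dn" in attrs:
            entries[attrs["dn"][0]] = attrs
    return entries


def effective_members(entries, group_dn):
    """DNs (lower-cased) in the group via 'member' OR via primaryGroupID."""
    group = next(a for dn, a in entries.items() if dn.lower() == group_dn.lower())
    rid = group["objectsid"][0].rsplit("-", 1)[1]   # last SID component is the RID
    members = {dn.lower() for dn in group.get("member", [])}
    for dn, attrs in entries.items():
        # Users whose primary group is this group are not listed in 'member'.
        if attrs.get("primarygroupid", [None])[0] == rid:
            members.add(dn.lower())
    return members
```

Nested groups are not expanded here; only direct 'member' entries and primary-group users are returned.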

