Re: [Samba] User management scripts in AD mode...

Mandi! Rowland Penny via samba
  In chel di` si favelave...

> > I'm again a bit confused... ;-(((
> Yes I can see that ;-)


Sorry for the late answer, but i was busy on other things...

> Hope this helps, but feel free to ask any questions.

I try to summarize:

a) as i supposed 'RFC2307 group membership' are totally ignored by
 samba, so i can use RFC2307 schema to associate UID to users and GID
to group, but the relation between UID and GID (eg, membership) in UNIX
are directly derivated by Windows membership only. Good.

b) changing ''primary'' windows group from 'Domain Users' to other
 group are supported only by samba 4.6.0 and newer.

c) (Windows) membership are expressed using 'member' in group object
 (full DN of the users) but also using 'primaryGroupID' in user object
(RID of the group; for b) above, primaryGroupID is ever '513').

d) in (Windows) membership, if a user have a primary group, the group
 does not have the relative full user DN in 'member'; again for b) above,
group 'Doamin Users' have no 'member' because all users have

If i'm right, i'have two question:

1) a) work also for nested group, right? eg, if i've nested group, the
 windows<-UNIX mapping of memberships simply ''flatten'' the windows
membership in UNIX UID?

2) Supposing i'm using samba >= 4.6, to make a LDAP query that return
 all the memberships correctly i need to look for 'member' in groups
and 'primaryGroupID' in users; there's just an LDAP query about that?
Eg, a query that, given a group name/DN, return all users (as DN or
UID) that belong to that group?


