
Re: [Samba] using Windows AD unwanted Group rights get applied to new Files




On 08/07/2018 08:38 AM, Rowland Penny via samba wrote:
On Tue, 7 Aug 2018 11:52:31 +0000
...


     idmap config *:backend = tdb
     idmap config *:range = 2000-9999
     idmap config VHH : backend = ad
     idmap config VHH : schema_mode = rfc2307
     idmap config VHH : unix_nss_info = yes
     idmap config VHH : unix_primary_group = yes
     idmap config VHH : range = 10000-999999

You would then need to give all your users a unique uidNumber attribute
containing a number inside the range you set in smb.conf, you would
also need to give the user a gidNumber attribute containing the
gidNumber of the required group to use instead of 'Domain Users'.

Rowland


Greetings, just making a note for a feature request that could help in the future. One of the reasons we decided to use SSSD instead of winbind on our domain members was the SSSD AD domain option:

  auto_private_groups = True

That synthesizes private groups for all domain users. Winbind with the algorithmic mapping provided by the rid backend would have been sufficient if it had an option like this one. We did not want to give the Windows domain admin too much power defining POSIX uid and gid attributes on the Linux servers.
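
An added example, not part of either message in the thread: a small audit over `getent passwd` output that reports which users share a primary group (the situation in the subject line) and which IDs fall outside the `idmap config VHH : range` quoted above. The sample entries and the function names `parse_passwd` and `audit` are constructed for illustration.

```python
from collections import defaultdict

# Range quoted in the thread: idmap config VHH : range = 10000-999999
DOMAIN_RANGE = (10000, 999999)

# Constructed sample in passwd(5) format, as printed by `getent passwd`.
SAMPLE = """\
VHH\\alice:*:10001:10513:Alice:/home/alice:/bin/bash
VHH\\bob:*:10002:10513:Bob:/home/bob:/bin/bash
VHH\\carol:*:10003:10003:Carol:/home/carol:/bin/bash
VHH\\dave:*:3000:10513:Dave:/home/dave:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, gid) from passwd-format lines, skipping malformed ones."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        yield fields[0], int(fields[2]), int(fields[3])


def audit(text, id_range=DOMAIN_RANGE):
    """Return (shared, out_of_range).

    shared: {gid: [names]} for primary groups used by more than one user,
            so files created by any of them carry a group the others belong to.
    out_of_range: names whose uid or primary gid lies outside the idmap range.
    """
    low, high = id_range
    by_gid = defaultdict(list)
    out_of_range = []
    for name, uid, gid in parse_passwd(text):
        by_gid[gid].append(name)
        if not (low <= uid <= high and low <= gid <= high):
            out_of_range.append(name)
    shared = {gid: names for gid, names in by_gid.items() if len(names) > 1}
    return shared, out_of_range


if __name__ == "__main__":
    shared, out_of_range = audit(SAMPLE)
    for gid, names in sorted(shared.items()):
        print(f"shared primary gid {gid}: {', '.join(names)}")
    print("outside idmap range:", ", ".join(out_of_range) or "none")
```

A user whose gid equals their uid and appears alone under it, like the constructed `carol` entry, is what a private-group setup produces.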

