[Freeipa-users] Alternatives to freeipa

Simo Sorce simo at redhat.com
Fri Jul 8 13:02:11 UTC 2011


On Fri, 2011-07-08 at 14:50 +0200, Ondrej Valousek wrote:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=652609

Last comment, as this is totally OT.

Winbindd has been *designed* to use the user's primary SID as the primary
GID, there are reasons as to why that's needed for CIFS.*

You may argue you don't like the behavior, you can try to ask upstream
to change it (unlikely to happen but hey), but it is not broken.

It works as advertised (i.e. primary gidnumber is ignored on user entries),
please do not spread FUD.

Simo.


*For the same reason we ignore the old primary group Sid ldap attribute
on samba DCs with an ldap backend and instead force to use the primary
gid to determine the primary group sid.

The reason is that we cannot handle properly when admins mess up and put
a primary sid and a primary gid that do not translate into each other.
So the only reasonable thing to do in this case to avoid problems is to
just ignore the 'non-authoritative' setting on the backend being used.
On a Samba server with LDAP the authoritative id is the gidNumber. On AD
(obviously) the authoritative one is the primary group Sid, so gidNumber
is ignored.

-- 
Simo Sorce * Red Hat, Inc * New York



