On Wed, 2013-07-24 at 00:49 +0200, steve wrote: [SNIP]
> For the record, sssd pulls all its info from AD. I never said otherwise.
> A user does not need a gidNumber, it is drawn from the
> primaryGroupID. For Linux clients it is vital that whatever the
> primaryGroupID is contains the gidNumber attribute. sssd does the
> rest.

Hum, according to Rowland it uses the gidNumber in the user's DN, though his posted "proof" was flawed and it could have been coming from the gidNumber of the user's primary group just as Winbind does. I have browsed the source code for sssd but it is not immediately obvious where it is getting the info from.

So which one does it really use?

> I see that the classicupgrade retains the user gidNumber so
> maybe we should keep it in the DN of not only the primaryGroup but
> also in the DN for new users too. For compatibility?

Like I said, best practice is probably to keep them the same. The thing with RFC2307 is that it is for storing Unix attributes in LDAP and we are talking about storing Unix attributes in AD, which is not quite the same thing. Ideally the gidNumber field in the user's entry should be a derived field similar to the memberOf fields.

JAB.

--
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.