[Samba] samba users at boot, the same local and samba user bug has gone

Andrey Repin anrdaemon at yandex.ru
Mon Nov 6 17:31:03 UTC 2023


Greetings, Rowland Penny via samba!

> Trying to think my way around this, it sounds like it is required for a
> domain user to run a local service, but this is hard because the service starts before winbind.

> The 'fix' is to have a user in /etc/passwd and another user (with the same
> name) in AD with the same Unix ID as the local user.

> Several problems with that, if the service is started before winbind, then
> it must be starting as the local user, because at that point the AD user
> will be unknown. Also, as far as the OS is concerned, the local user will be
> used over the AD user because it will be found first.

> It could be that what is really required is for an AD user to operate on
> Linux as if they were a local user? If so, doesn't this sound familiar? Administrator --> root
> Two different names, IDs etc., but if set up correctly, Administrator becomes root on a Unix domain member.

> Now I do not know which user is required to be duplicated, but let's say it
> is www-data, then all that would be required is a user in AD called
> something like WebAdmin and this line added to the user.map:
> !www-data = SAMDOM\WebAdmin

> I haven't tested this, but it works for Administrator and there is nothing
> in 'man smb.conf' that says it will not work.

If you want a service to manage some local resource which is accessible by
domain users over the network, you want it to be run using something that can
be recognized as a domain user, for consistency of cross-system operations.
But you have to keep in mind the caveats of this solution, and do not expect
full integration of such a user with your AD infrastructure (i.e. network
access would likely be limited).


-- 
With best regards,
Andrey Repin
Wednesday, May 17, 2023 15:39:57

Sorry for my terrible English...
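The user.map mechanism Rowland describes above, modelled as an added example (this is not code from the thread or from the Samba project). The shell function below is a simplified, self-contained model of how smbd evaluates a "username map" file: lines beginning with `#` or `;` are comments, each line is `unixname = smbname [smbname ...]`, names are compared case-insensitively, `*` matches any name, and a leading `!` stops processing after a match (without it, later lines are matched against the already-mapped name). The map file is constructed inline; only the `!www-data = SAMDOM\WebAdmin` line comes from the message, the `root` and `nobody` lines are assumptions added to show the stop and wildcard behaviour.

```shell
#!/bin/sh
# Constructed map file for the example; the www-data line is the one from the thread,
# the other two lines are assumed for illustration.
MAPFILE=$(mktemp)
trap 'rm -f "$MAPFILE"' EXIT
cat > "$MAPFILE" <<'EOF'
# unixname = smbname [smbname ...]   ('!' = stop after this line matches)
!root = SAMDOM\Administrator
!www-data = SAMDOM\WebAdmin
nobody = *
EOF

# lower NAME -> NAME in lower case (map matching is case-insensitive)
lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# map_username SMBNAME -> prints the Unix name the map yields,
# or SMBNAME unchanged when no line matches.
map_username() {
    name=$1
    set -f                      # keep the shell from glob-expanding a '*' token
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac      # skip blanks and comments
        stop=0
        case $line in '!'*) stop=1; line=${line#!} ;; esac
        # left of '=' is the Unix account, trimmed of surrounding whitespace
        unixname=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        for token in ${line#*=}; do                      # right of '=' is the SMB name list
            if [ "$token" = '*' ] || [ "$(lower "$token")" = "$(lower "$name")" ]; then
                name=$unixname                            # mapped; later lines see the new name
                if [ "$stop" = 1 ]; then break 2; fi      # '!' line: stop here
                break
            fi
        done
    done < "$MAPFILE"
    set +f
    printf '%s\n' "$name"
}

# Stand-alone demonstration: which Unix account each SMB session would get.
for smbuser in 'SAMDOM\WebAdmin' 'samdom\administrator' 'SAMDOM\someone'; do
    printf '%-24s -> %s\n' "$smbuser" "$(map_username "$smbuser")"
done
```

Two points the model makes visible. First, without the `!` on the `www-data` line, `SAMDOM\WebAdmin` would be mapped to `www-data` and then fall through to the `nobody = *` line, which is why Rowland's line carries the `!`. Second, the map only affects SMB sessions: it does not change what the OS resolves, so on the host `getent passwd www-data` still returns the local /etc/passwd entry first, exactly the ordering caveat raised in the quoted text, and a service started before winbind is running still starts as that local user.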
