[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))
rowlandpenny241155 at gmail.com
Sun Sep 13 07:57:19 UTC 2015
On 13/09/15 00:45, Jim Seymour wrote:
> On Sat, 12 Sep 2015 21:51:54 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>> On 12/09/15 21:30, Jim Seymour wrote:
>>> On Sat, 12 Sep 2015 13:13:11 -0600
>>> Nigel W <nigel.w at nosun.ca> wrote:
>>>> You create the users on the directory with the same uid and
>>>> uidNumber as the local users and then remove local users on the
>>>> systems. Same applies to the groups.
>>> Why would I want to remove the local users and groups? You mean
>>> from /etc/passwd, /etc/group, /etc/shadow, NIS or whatever?
>> You cannot have a local user and an AD user with the same name,
>> this also goes for groups. Apart from possibly a few admin users,
>> *all* your users & groups need to be in AD.
> It just occurred to me: He was referring to "local user" in the
> context of a (MS-Win) client machine, right? Not "local user" as in
> user with *nix account on the server.
Previously with Samba you could have (and probably needed to have) the
user stored in /etc/passwd and wherever you stored the Samba users.

Now with AD, you *cannot* have a local user on a Unix machine that also
exists in AD; the Unix tools just cannot cope with this, i.e. getent
will not know which 'user' to show the info for, and when setting
permissions with chmod, which user is the owner - the local one or the
one in AD. You just create all the users in AD and forget /etc/passwd to
a certain extent.
>>> Or... did the Samba4 provisioning throw entries into PAM? So now
>>> Samba4's ldap data replaces it?
>> Nothing in PAM, all in AD :-)
> $ cat /etc/pam.d/samba
> @include common-auth
> @include common-account
> @include common-session-noninteractive
> Excerpt: "pam_winbind is a PAM module that can authenticate users
> against the local domain by talking to the Winbind daemon."
> Anyway, I think we may be getting off the (immediate) path. (And
> perhaps talking about different things.)
Yes, I think you are. What I meant is that there is nothing, data-wise,
stored in PAM.
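
The following is an added example, not part of the original message or of Samba: a check for the local/AD account overlap the message describes, reporting local names that also exist in AD and local UIDs that collide with an AD uidNumber. It assumes both inputs are passwd(5)-format text (for instance /etc/passwd and an export of the AD-backed entries); the sample data, the `EXAMPLE` domain and the function names are constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample data in passwd(5) format; not real accounts.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
jsmith:x:1000:1000:J Smith:/home/jsmith:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
AD_PASSWD = """EXAMPLE\\jsmith:*:10000:10000:J Smith:/home/jsmith:/bin/bash
EXAMPLE\\alice:*:1000:10000::/home/alice:/bin/bash
"""

class Account(NamedTuple):
    name: str
    uid: int

def parse_passwd(text):
    """Parse passwd(5) lines: name:passwd:uid:gid:gecos:home:shell."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip malformed entries and NIS compat (+/-) lines
        # Assumption: AD entries may appear as DOMAIN\user; compare on the
        # bare name, lower-cased because AD account names ignore case.
        name = fields[0].rsplit("\\", 1)[-1].lower()
        accounts.append(Account(name, int(fields[2])))
    return accounts

def find_collisions(local_text, ad_text):
    """Return (names present in both, (uid, local name, AD name) clashes)."""
    local = parse_passwd(local_text)
    ad = parse_passwd(ad_text)
    ad_by_name = {a.name: a for a in ad}
    ad_by_uid = {a.uid: a for a in ad}
    same_name = sorted(l.name for l in local if l.name in ad_by_name)
    same_uid = sorted(
        (l.uid, l.name, ad_by_uid[l.uid].name)
        for l in local
        if l.uid in ad_by_uid and ad_by_uid[l.uid].name != l.name
    )
    return same_name, same_uid

if __name__ == "__main__":
    names, uids = find_collisions(LOCAL_PASSWD, AD_PASSWD)
    print("same name in both:", names)
    print("same uid, different name:", uids)
```
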