[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Sun Sep 13 07:57:19 UTC 2015


On 13/09/15 00:45, Jim Seymour wrote:
> On Sat, 12 Sep 2015 21:51:54 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
>> On 12/09/15 21:30, Jim Seymour wrote:
>>> On Sat, 12 Sep 2015 13:13:11 -0600
>>> Nigel W <nigel.w at nosun.ca> wrote:
>>>
>>> [snip]
>>>> You create the users on the directory with the same uid and
>>>> uidNumber as the local users and then remove local users on the
>>>> systems.  Same applies to the groups.
>>> [snip]
>>>
>>> Why would I want to remove the local users and groups?  You mean
>>> from /etc/passwd, /etc/group, /etc/shadow, NIS or whatever?
>> You cannot have a local user and an AD user with the same name,
>> this also goes for groups. Apart from possibly a few admin users,
>> *all* your users & groups need to be in AD.
> It just occurred to me: He was referring to "local user" in the
> context of a (MS-Win) client machine, right?  Not "local user" as in
> user with *nix account on the server.

Previously with samba you could have (and probably needed to have) the 
user stored in /etc/passwd and wherever you stored the samba users 
(ldap etc.).
Now with AD, you *cannot* have a local user on a Unix machine that also 
exists in AD; the Unix tools just cannot cope with this, i.e. getent 
will not know which 'user' to show the info for, and when setting 
permissions with chmod, which user is the owner - the local one or the 
one in AD? You just create all the users in AD and forget /etc/passwd to 
a certain extent.

>
>>> Or... did the Samba4 provisioning throw entries into PAM?  So now
>>> Samba4's ldap data replaces it?
>> Nothing in PAM, all in AD :-)
> $ cat /etc/pam.d/samba
> @include common-auth
> @include common-account
> @include common-session-noninteractive
>
> https://www.samba.org/samba/docs/man/manpages-3/pam_winbind.8.html
>
> Excerpt: "pam_winbind is a PAM module that can authenticate users
> against the local domain by talking to the Winbind daemon."
>
> Hmmm...
>
> Anyway, I think we may be getting off the (immediate) path.  (And
> perhaps talking about different things.)

Yes, I think you are. What I meant is that there is nothing, datawise, 
stored in PAM.

Rowland
> Regards,
> Jim
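The overlap Rowland warns about (the same account name, or the same numeric id, living both in /etc/passwd and in AD) is easy to check for before a box is joined. The script below is an added example written for this archive page, not code from the thread or from the Samba project. It runs over constructed sample data: a fake /etc/passwd and a fake list of AD accounts in an assumed `sAMAccountName:uidNumber` format. On a real domain member you would feed it the real /etc/passwd and a name/uidNumber list exported from AD (for example from `samba-tool user list` plus each user's uidNumber attribute); the functions take both inputs as arguments so that substitution is a one-line change.

```shell
#!/bin/sh
# Added example (not from the thread): report user names and numeric uids that
# exist both in a local /etc/passwd and in an AD account list. Either kind of
# overlap leaves getent/chmod with two candidates for one identity.
#
# Both inputs below are constructed sample data so the script runs offline.

# Constructed /etc/passwd content: name:x:uid:gid:gecos:home:shell
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
jim:x:1001:1001:Jim:/home/jim:/bin/bash
alice:x:1002:1002:Alice:/home/alice:/bin/bash'

# Constructed AD export in the assumed format sAMAccountName:uidNumber
AD_USERS='jim:10001
bob:10002
carol:1002'

# find_name_collisions LOCAL AD
# Prints, one per line, every account name present in both sources.
find_name_collisions() {
    {
        printf '%s\n' "$1" | cut -d: -f1
        printf '%s\n' "$2" | cut -d: -f1
    } | sort | uniq -d
}

# find_uid_collisions LOCAL AD
# Prints every numeric id claimed by a local account and by an AD account.
find_uid_collisions() {
    {
        printf '%s\n' "$1" | awk -F: '{print $3}'
        printf '%s\n' "$2" | awk -F: '{print $2}'
    } | sort | uniq -d
}

# report_overlap LOCAL AD
# Human-readable report. Returns 0 when the two sources are disjoint and
# 1 when any name or uid is duplicated, so it can gate a join script.
report_overlap() {
    names=$(find_name_collisions "$1" "$2")
    uids=$(find_uid_collisions "$1" "$2")
    status=0
    for n in $names; do
        status=1
        local_uid=$(printf '%s\n' "$1" | awk -F: -v u="$n" '$1 == u {print $3}')
        ad_uid=$(printf '%s\n' "$2" | awk -F: -v u="$n" '$1 == u {print $2}')
        echo "name collision: '$n' is local uid $local_uid and AD uidNumber $ad_uid"
    done
    for id in $uids; do
        status=1
        local_name=$(printf '%s\n' "$1" | awk -F: -v i="$id" '$3 == i {print $1}')
        ad_name=$(printf '%s\n' "$2" | awk -F: -v i="$id" '$2 == i {print $1}')
        echo "uid collision: $id is local user '$local_name' and AD user '$ad_name'"
    done
    if [ "$status" -eq 0 ]; then
        echo "no overlap between local and AD accounts"
    fi
    return "$status"
}

# Stand-alone run over the constructed data: expect one name clash (jim) and
# one uid clash (1002 shared by local alice and AD carol).
report_overlap "$LOCAL_PASSWD" "$AD_USERS" ||
    echo "resolve the clashes above (move the accounts into AD) before joining"
```

The name check is the one that matters for the "which user is 'jim'" problem; the uid check catches the quieter case where two differently named accounts own the same files. Keeping the two sources disjoint is the practical form of "all your users & groups need to be in AD".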