[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Jim Seymour jseymour at LinxNet.com
Sun Sep 13 14:31:54 UTC 2015

[Following-up to myself...]

On Sun, 13 Sep 2015 09:52:35 -0400
Jim Seymour <jseymour at LinxNet.com> wrote:

> On Sun, 13 Sep 2015 08:57:19 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> > Now with AD, you *cannot* have a local user on a Unix machine that
> > also exists in AD, the Unix tools just cannot cope with this, i.e.
> > getent will not know which 'user' to show the info for, when
> > setting permissions with chmod which user is the owner - the local
> > one or the one in AD. You just create all the users in AD and
> > forget /etc/passwd to a certain extent.
>
> PAM isn't a data store.  PAM stands for "Pluggable Authentication
> Module".  It is a mechanism whereby user identification and
> authentication is abstracted from underlying data stores.  E.g.:
> passwd, NIS, LDAP, or, in this case, Samba4 AD, I suspect.

I neglected to mention nsswitch.conf, the *nix name service switch.
And, it turns out...

$ cat /etc/nsswitch.conf
passwd:         compat winbind winbind winbind winbind
group:          compat winbind winbind winbind winbind
shadow:         compat

(I'm going to guess winbind is in there four times, each, because of
my install/de-install/re-installing and repeated attempts at
provisioning.  Won't hurt anything, but needs cleaning-up.)

So, for *nix logins: The /etc/shadow entry *must* remain.  For the
other stuff... Well, if the /etc/* files are kept in sync with the AD
stuff: It will not matter.  But it would probably be easier not to
have to duplicate the same information in both AD and /etc/*

Note: My mail server employs *very* aggressive anti-spam
filtering.  If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
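
Added example, not part of the original message: a Python sketch that collapses repeated sources in nsswitch.conf lines like the ones quoted above and lists account names present in both a local passwd file and the directory. The function names, the hosts line, and the account data are constructed for illustration.

```python
import re

# Constructed sample: passwd/group/shadow mirror the lines in the post; the
# hosts line is added to exercise a bracketed action item.
SAMPLE_NSSWITCH = """\
passwd:         compat winbind winbind winbind winbind
group:          compat winbind winbind winbind winbind
shadow:         compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns  # constructed
"""
# Constructed account data for the overlap check.
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\njim:x:1000:1000::/home/jim:/bin/bash\n+::::::\n"
SAMPLE_DIRECTORY_USERS = ["administrator", "jim", "rowland"]

def parse_nsswitch(text):
    """Return {database: [tokens]}; a token is a source or a [STATUS=action] item."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        dbs[db.strip()] = re.findall(r"\[[^\]]*\]|\S+", rest)
    return dbs

def dedupe(tokens):
    """Keep the first occurrence of each source; an action item shares the
    fate of the source it follows."""
    seen, out, keep = set(), [], True
    for tok in tokens:
        if not tok.startswith("["):
            keep = tok not in seen
            seen.add(tok)
        if keep:
            out.append(tok)
    return out

def shadowing_local_accounts(passwd_text, directory_users):
    """Local names that also exist in the directory. Compared case-insensitively
    (AD account names are); lines starting with + or - are compat directives."""
    local = {l.split(":", 1)[0].lower() for l in passwd_text.splitlines()
             if l and l[0] not in "#+-"}
    return sorted(local & {u.lower() for u in directory_users})

if __name__ == "__main__":
    for db, toks in parse_nsswitch(SAMPLE_NSSWITCH).items():
        clean = dedupe(toks)
        note = "" if clean == toks else "   # duplicates removed"
        print(f"{db + ':':<16}{' '.join(clean)}{note}")
    print("in both stores:", shadowing_local_accounts(SAMPLE_PASSWD, SAMPLE_DIRECTORY_USERS))
```

Sources are consulted left to right, so with compat listed before winbind a name found in the local files is answered from there and the directory entry of the same name is never reached.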
