[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))
Jim Seymour
jseymour at LinxNet.com
Sun Sep 13 14:31:54 UTC 2015
[Following-up to myself...]
On Sun, 13 Sep 2015 09:52:35 -0400
Jim Seymour <jseymour at LinxNet.com> wrote:
> On Sun, 13 Sep 2015 08:57:19 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
[snip]
> > Now with AD, you *cannot* have a local user on a Unix machine that
> > also exists in AD, the Unix tools just cannot cope with this, i.e.
> > getent will not know which 'user' to show the info for, when
> > setting permissions with chmod which user is the owner - the local
> > one or the one in AD. You just create all the users in AD and
> > forget /etc/passwd to a certain extent.
[snip]
>
> PAM isn't a data store. PAM stands for "Pluggable Authentication
> Module". It is a mechanism whereby user identification and
> authentication is abstracted from underlying data stores. E.g.:
> passwd, NIS, LDAP, or, in this case, Samba4 AD, I suspect.
I neglected to mention nsswitch.conf, the *nix name service switch.
And, it turns out...
$ cat /etc/nsswitch.conf
...
passwd: compat winbind winbind winbind winbind
group: compat winbind winbind winbind winbind
shadow: compat
(I'm going to guess winbind is in there four times, each, because of
my install/de-install/re-installing and repeated attempts at
provisioning. Won't hurt anything, but needs cleaning-up.)
So, for *nix logins: The /etc/shadow entry *must* remain. For the
other stuff... Well, if the /etc/* files are kept in sync with the AD
stuff: It will not matter. But it would probably be easier not to
have to duplicate the same information in both AD and /etc/*
Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.LinxNet.com/contact/scform.php>.
More information about the samba
mailing list