[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Sun Sep 13 14:52:15 UTC 2015


On 13/09/15 15:31, Jim Seymour wrote:
> [Following-up to myself...]
>
> On Sun, 13 Sep 2015 09:52:35 -0400
> Jim Seymour <jseymour at LinxNet.com> wrote:
>
>> On Sun, 13 Sep 2015 08:57:19 +0100
>> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>>
> [snip]
>>> Now with AD, you *cannot* have a local user on a Unix machine that
>>> also exists in AD, the Unix tools just cannot cope with this, i.e.
>>> getent will not know which 'user' to show the info for, when
>>> setting permissions with chmod which user is the owner - the local
>>> one or the one in AD. You just create all the users in AD and
>>> forget /etc/passwd to a certain extent.
> [snip]
>> PAM isn't a data store.  PAM stands for "Pluggable Authentication
>> Module".  It is a mechanism whereby user identification and
>> authentication is abstracted from underlying data stores.  E.g.:
>> passwd, NIS, LDAP, or, in this case, Samba4 AD, I suspect.
> I neglected to mention nsswitch.conf, the *nix name service switch.
> And, it turns out...
>
> $ cat /etc/nsswitch.conf
> ...
> passwd:         compat winbind winbind winbind winbind
> group:          compat winbind winbind winbind winbind
> shadow:         compat
>
> (I'm going to guess winbind is in there four times, each, because of
> my install/de-install/re-installing and repeated attempts at
> provisioning.  Won't hurt anything, but needs cleaning-up.)

Yes, winbind should only be there once on each line.

>
> So, for *nix logins: The /etc/shadow entry *must* remain.  For the
> other stuff... Well, if the /etc/* files are kept in sync with the AD
> stuff: It will not matter.  But it would probably be easier not to
> have to duplicate the same information in both AD and /etc/*

Yes, you only need /etc/passwd for the local system users and the 
possible local users you may need, i.e. an admin user etc.
Don't worry, you won't have to duplicate the info in AD and /etc/* 
because you *cannot*; you put everything in AD except for the local 
system users & groups, i.e. 'bind', www-data etc.

Rowland

> Regards,
> Jim
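An added example (not part of this thread, and not a Samba tool): a small POSIX sh/awk check for the repeated-source problem shown in the nsswitch.conf above, i.e. a database line listing the same source more than once. It reports which database lines carry duplicates and prints a cleaned copy with each source kept once in its original order. The sample file it operates on is constructed here to resemble the one quoted; the function names are this example's own.

```shell
# Added example, not from the mailing-list thread: find and remove duplicated
# NSS sources (e.g. "winbind winbind winbind winbind") in an nsswitch.conf.

# Constructed sample resembling the nsswitch.conf quoted in the thread.
make_sample_nsswitch() {
    printf '%s\n' \
        'passwd:         compat winbind winbind winbind winbind' \
        'group:          compat winbind winbind winbind winbind' \
        'shadow:         compat' \
        'hosts:          files dns'
}

# Print "<database> <source>" once for every source that appears more than
# once on its own line; comments and blank lines are skipped.
find_duplicate_sources() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            db = $1; sub(/:$/, "", db)
            split("", seen)                      # reset per-line set
            for (i = 2; i <= NF; i++) {
                if (($i in seen) && !((db, $i) in reported)) {
                    print db, $i
                    reported[db, $i] = 1
                }
                seen[$i] = 1
            }
        }' "$1"
}

# Emit the file with each source listed once per database line (first
# occurrence wins, order preserved). Bracketed action tokens such as
# "[NOTFOUND=return]" pass through unchanged unless they are themselves
# repeated. Comments and blank lines are printed verbatim.
dedupe_sources() {
    awk '
        /^[[:space:]]*(#|$)/ { print; next }
        {
            split("", seen)
            line = sprintf("%-15s", $1)
            for (i = 2; i <= NF; i++) {
                if (!($i in seen)) { line = line " " $i; seen[$i] = 1 }
            }
            print line
        }' "$1"
}

# Usage on a constructed copy; on a real host you would pass /etc/nsswitch.conf
# and review the cleaned output before replacing the file.
demo_nsswitch_cleanup() {
    tmp=$(mktemp) || return 1
    make_sample_nsswitch > "$tmp"
    echo "duplicated sources:"
    find_duplicate_sources "$tmp"
    echo "cleaned file:"
    dedupe_sources "$tmp"
    rm -f "$tmp"
}
```

Running `demo_nsswitch_cleanup` lists `passwd winbind` and `group winbind` and then prints the file with a single `winbind` on each of those lines, which is the state Rowland describes as correct.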
