[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))

Rowland Penny rowlandpenny241155 at gmail.com
Sun Sep 13 15:00:13 UTC 2015

On 13/09/15 15:37, Jim Seymour wrote:
> On Sun, 13 Sep 2015 15:30:38 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> [snip]
>> Is that my granny I see coming, I think I will show her how to suck
>> eggs :-D
> Hey!  You're the one who wrote "...there is nothing, datawise, stored
> in PAM." :)
>>> Unless the user's credentials and other information are available
>>> via the Samba4 AD: Removing the user from the native Unix passwd
>>> (and related) files would render the user unable to log in under
>>> Unix.
>> Guess what the RFC2307 attributes are for, yes, you've got it, they
>> are used for the users Unix info stored in AD. I am typing this on
>> a laptop running Linux Mint 17, my login name is *not*
>> in /etc/passwd, but I can login and if I run 'getent passwd
>> rowland', I get this:
>> rowland:*:10000:10000::/home/rowland:/bin/bash
>> If I run: cat /etc/passwd | grep 'rowland'
>> I get nothing
>> So where is all that info coming from ?
> But, as I wrote when our posts the the list just crossed: Looks
> like the /etc/shadow password store must remain?
> Regards,
> Jim

Well yes, But it isn't used for anything stored in AD, only for local 
use. AD uses an attribute called 'unicodePwd' to store passwords, this 
is normally hidden, but if you want to see a password you have to 
explicitly ask for it, this only works on the AD acting directly on 
sam.ldb. To put it another way, all authentication is done via AD and in 
most cases does not involve the sending of password over the wire, 
kerberos handles it.


More information about the samba mailing list