[Samba] Wither "uidNumber" and "gidNumber"? (was: Re: ldbedit: no matching records - cannot edit (newly-created user))
Rowland Penny
rowlandpenny241155 at gmail.com
Sun Sep 13 15:00:13 UTC 2015
On 13/09/15 15:37, Jim Seymour wrote:
> On Sun, 13 Sep 2015 15:30:38 +0100
> Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
>
> [snip]
>> Is that my granny I see coming, I think I will show her how to suck
>> eggs :-D
> Hey! You're the one who wrote "...there is nothing, datawise, stored
> in PAM." :)
>
>>> Unless the user's credentials and other information are available
>>> via the Samba4 AD: Removing the user from the native Unix passwd
>>> (and related) files would render the user unable to log in under
>>> Unix.
>> Guess what the RFC2307 attributes are for, yes, you've got it, they
>> are used for the user's Unix info stored in AD. I am typing this on
>> a laptop running Linux Mint 17, my login name is *not*
>> in /etc/passwd, but I can log in and if I run 'getent passwd
>> rowland', I get this:
>>
>> rowland:*:10000:10000::/home/rowland:/bin/bash
>>
>> If I run: cat /etc/passwd | grep 'rowland'
>>
>> I get nothing
>>
>> So where is all that info coming from ?
> But, as I wrote when our posts to the list just crossed: Looks
> like the /etc/shadow password store must remain?
>
> Regards,
> Jim
Well yes, but it isn't used for anything stored in AD, only for local
use. AD uses an attribute called 'unicodePwd' to store passwords. This
is normally hidden, but if you want to see a password you have to
explicitly ask for it, and this only works on the AD acting directly on
sam.ldb. To put it another way, all authentication is done via AD and in
most cases does not involve the sending of a password over the wire;
Kerberos handles it.
Rowland
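
The getent-versus-/etc/passwd comparison quoted above can be scripted to audit which accounts are served by the directory rather than by local files. This is an added example, not part of the original message; `account_source` and `write_sample_passwd` are hypothetical helper names and the sample passwd data is constructed.

```shell
#!/bin/sh
# account_source NSS_LINE [PASSWD_FILE]
#   NSS_LINE     one line as printed by `getent passwd <user>` (may be empty)
#   PASSWD_FILE  local passwd file to compare against (default /etc/passwd)
# Prints one of: missing | directory | local | conflict
account_source() {
    nss_line=$1
    passwd_file=${2:-/etc/passwd}
    if [ -z "$nss_line" ]; then
        echo missing            # NSS returned nothing for this name
        return 0
    fi
    name=${nss_line%%:*}
    nss_uid=$(printf '%s\n' "$nss_line" | cut -d: -f3)
    # Exact match on field 1 (a plain grep would also hit substrings).
    # The name is passed through the environment so a winbind-style
    # DOMAIN\user is not mangled by awk -v escape processing.
    local_uid=$(LOOKUP="$name" awk -F: \
        '$1 == ENVIRON["LOOKUP"] { print $3; exit }' "$passwd_file")
    if [ -z "$local_uid" ]; then
        echo directory          # resolved by NSS, absent from the local file
    elif [ "$local_uid" = "$nss_uid" ]; then
        echo local              # same name and uid as the local file
    else
        echo conflict           # name exists locally with a different uid
    fi
}

# Constructed sample data, not taken from a real host.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
rowland-admin:x:1001:1001::/home/rowland-admin:/bin/bash
jim:x:1000:1000::/home/jim:/bin/bash
EOF
}

tmp=$(mktemp)
write_sample_passwd "$tmp"
account_source 'rowland:*:10000:10000::/home/rowland:/bin/bash' "$tmp"  # -> directory
account_source 'jim:x:1000:1000::/home/jim:/bin/bash' "$tmp"            # -> local
account_source 'jim:*:10001:10000::/home/jim:/bin/bash' "$tmp"          # -> conflict
rm -f "$tmp"
```

On a live host, call it as `account_source "$(getent passwd rowland)"`; a `conflict` result means a local account shares a name with a directory account and deserves a look at the nsswitch.conf ordering.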