[Samba] Man page for idmap_rid

francis picabia fpicabia at gmail.com
Tue Aug 9 18:08:43 UTC 2016


On Tue, Aug 9, 2016 at 2:59 PM, Michael Adam <obnox at samba.org> wrote:

> On 2016-08-09 at 14:49 -0300, francis picabia via samba wrote:
> > On Tue, Aug 9, 2016 at 1:58 PM, Rowland Penny via samba <
> > samba at lists.samba.org> wrote:
> >
> > > On Tue, 9 Aug 2016 13:37:18 -0300
> > > francis picabia <fpicabia at gmail.com> wrote:
> > >
> > >
> > > >
> > > > getent passwd username
> > > >
> > > > (or "theusername") is not the literal command.  I substitute
> > > > 'username' here to protect the user id.
> > > > getent passwd on the user does work and it returns a uid and gid of
> > > > 1000, exactly what we see in the /etc/passwd file.  It is the same
> > > > output as grep 'username' on /etc/passwd
> > > >
> > > > Remember, when winbind is off, it works.  This is certainly bug 10604
> > > > by all measures.
> > >
> > > And I think you have just posted your problem!
> > >
> > > Let's use 'fred' as one of your users, replace 'fred' with a real user's
> > > name
> > >
> > > Do you have a user called 'fred' in /etc/passwd *and* in AD ?
> > >
> > > If so, choose one and then delete the other, you cannot have them in
> > > both.
> > >
> >
> > I don't think you've done this before.  Have you used security = ads?
> >
> > I have dozens of servers and hundreds of users running just fine
> > with this.  Having the same user defined in both Linux and AD,
> > and mapping it for authentication is the whole point.
>
> No, this completely misses the point of winbind and security =
> ads: Winbind removes the need to maintain local users on each
> server. Instead you plug winbind into nsswitch and tell it to
> use the same id mapping scheme on all servers, and hence you
> have perfectly valid, same-looking unix users on all the servers
> without ever touching the passwd and group files...
>
> Cheers - Michael
>

In my systems [homes] is something they use on the Linux system where
they have access via ssh or mapping the network drive.  It isn't a new
thing.  I've used it for over a decade without major problems.  When
winbind is left out of nsswitch.conf, we can control that only users
with an account on the specific box can access it.

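The disagreement above is about accounts that exist both in /etc/passwd and in AD. The script below is an added example, not code from the thread or from Samba: it lists names defined on both sides and shows the uid each side would hand out. It assumes `winbind use default domain = yes` (unqualified names) and an `idmap config ... : backend = rid` block with range 10000-999999, so the winbind uid follows the idmap_rid(8) formula `ID = RID - BASE_RID + LOW_RANGE_ID`. The passwd excerpt and the AD name/RID pairs are constructed sample data; on a real server you would build the second list from `wbinfo -u` and the RID component of each `wbinfo -n NAME` SID.

```shell
#!/bin/sh
# Added example (not from the thread): report account names present both in a
# local passwd file and among the AD users winbind would serve, together with
# the uid each source assigns. All input below is constructed sample data.

# Assumed idmap_rid settings (idmap config DOM : range = 10000-999999)
LOW_RANGE_ID=10000
BASE_RID=0

# Constructed excerpt of /etc/passwd
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
fred:x:1000:1000:Fred:/home/fred:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash'

# Constructed "name RID" pairs for AD users; the RID is the last component
# of the user's SID (S-1-5-21-...-1105 -> 1105)
AD_USERS='fred 1105
bob 1106
carol 1107'

# rid_to_uid RID: the uid idmap_rid derives, ID = RID - BASE_RID + LOW_RANGE_ID
rid_to_uid() {
    echo $(( $1 - BASE_RID + LOW_RANGE_ID ))
}

# collisions PASSWD_TEXT AD_TEXT: prints "name local_uid winbind_uid" for every
# name that exists in both sources; prints nothing when there is no overlap
collisions() {
    printf '%s\n' "$2" | while read -r name rid; do
        [ -n "$name" ] || continue
        # uid of the local account with this name, empty if none
        local_uid=$(printf '%s\n' "$1" | awk -F: -v n="$name" '$1 == n { print $3 }')
        if [ -n "$local_uid" ]; then
            echo "$name $local_uid $(rid_to_uid "$rid")"
        fi
    done
}

# Stand-alone run: with the sample data this reports "fred 1000 11105"
collisions "$LOCAL_PASSWD" "$AD_USERS"
```

The output shows the problem Rowland is pointing at: `fred` resolves to uid 1000 from files and to 11105 from winbind. Which one `getent passwd fred` returns depends only on the order of sources in nsswitch.conf, so with `passwd: files winbind` the local entry wins and files created through the other path end up owned by a different uid.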
