[Samba] Man page for idmap_rid

Michael Adam obnox at samba.org
Tue Aug 9 19:37:49 UTC 2016


On 2016-08-09 at 16:29 -0300, francis picabia via samba wrote:
> On Tue, Aug 9, 2016 at 3:07 PM, Jeremy Allison via samba <
> samba at lists.samba.org> wrote:
> 
> > On Tue, Aug 09, 2016 at 07:50:12PM +0200, Michael Adam via samba wrote:
> > > On 2016-08-09 at 17:58 +0100, Rowland Penny via samba wrote:
> > > > On Tue, 9 Aug 2016 13:37:18 -0300
> > > > francis picabia <fpicabia at gmail.com> wrote:
> > > >
> > > >
> > > > >
> > > > > getent passwd username
> > > > >
> > > > > (or "theusername") is not the literal command.  I substitute
> > > > > 'username' here to protect the user id.
> > > > > getent passwd on the user does work and it returns uid and gid of
> > > > > 1000, exactly what we see in the /etc/passwd file.  It is the same
> > > > > output as grep 'username' on /etc/passwd
> > > > >
> > > > > Remember, when winbind is off, it works.  This is certainly bug 10604
> > > > > by all measures.
> > > >
> > > > And I think you have just posted your problem!
> > > >
> > > > Let's use 'fred' as one of your users, replace 'fred' with a real user's
> > > > name
> > > >
> > > > Do you have a user called 'fred' in /etc/passwd *and* in AD ?
> > > >
> > > > If so, choose one and then delete the other, you cannot have them in
> > > > both.
> > >
> > > *Not* setting 'winbind use default domain = yes' will allow you
> > > to have them both. And they will be what they should be: two different
> > > users. With different unix IDs.
> >
> > But to clarify, they will then be user 'fred' and user 'DOMAIN\fred'.
> > Not the same name at all..
> >
> 
> That's like saying a beer poured from a bottle into the glass is not the
> same beer.

No, these two are two different objects.
(winbind use default domain just obfuscates that fact.)

They are different users the same way as users from two
different AD domains with the same username are different
users. In that case you would not claim that they
are the same (DOM1\user and DOM2\user), because they
also have different sids.

Unix does not have worldwide unique user ids (alas!), but still a
user brought in from an AD is different from the local user.

So it's not cosmetic. It's fundamental.

Michael
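
Added example, not part of the message above and not Samba's own code: a small audit that lists account names present both in a passwd-format file and in a list of domain users, the collision this thread is about. The function name find_name_collisions, the sample files and the backslash-separated DOMAIN\user input form (what `wbinfo -u` prints with the default separator) are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: list names that exist both locally and in the domain.
# Inputs are files so it runs offline; on a winbind host the domain list
# could come from `wbinfo -u` and the local one from /etc/passwd.

# find_name_collisions PASSWD_FILE DOMAIN_USERS_FILE
# Output per collision: "<name> local_uid=<uid> domain=<entry as listed>"
find_name_collisions() {
    awk -F: '
        # First file: local accounts, keyed by lower-cased name
        FILENAME == ARGV[1] {
            if ($1 != "" && $1 !~ /^#/) local_uid[tolower($1)] = $3
            next
        }
        # Second file: domain-qualified or bare account names, one per line
        {
            name = $0
            sub(/^.*\\/, "", name)   # drop the domain prefix, if any
            key = tolower(name)      # AD account names are case-insensitive
            if (key in local_uid)
                printf "%s local_uid=%s domain=%s\n", key, local_uid[key], $0
        }
    ' "$1" "$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample data, not taken from the thread
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
fred:x:1000:1000:local fred:/home/fred:/bin/bash
EOF
    cat > "$tmp/domain_users" <<'EOF'
DOMAIN\Administrator
DOMAIN\fred
DOMAIN\alice
EOF
    find_name_collisions "$tmp/passwd" "$tmp/domain_users"
    rm -rf "$tmp"
}
demo
```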