[Samba] wbinfo -i returns the same id for all users, authentication doesn't seem to go through winbind at all
Rowland Penny
rpenny at samba.org
Mon Feb 20 17:52:41 UTC 2017
On Mon, 20 Feb 2017 09:32:23 -0800
L A Walsh via samba <samba at lists.samba.org> wrote:
> Emmanuel Florac wrote:
> > id TESTAD\\testuser
> > returns "no such user" and
> >
> > getent passwd TESTAD\\testuser
> >
> > returns a "2" code.
> >
> ----
> On linux, to get 'domain\user' to resolve, I had to have
> those entries in my /etc/passwd (and /etc/group for groups).
If you upgrade to AD, you will not need the users and groups
in /etc/passwd & /etc/group, in fact you would have to remove them.
>
> I.e. *w/o krb*, (in samba 3.x), I had entries like:
>
> linda:x:1001:201:xxx:/home/linda:/bin/bash
> and
> Domain\linda:x:1001:201:xxx:/home/linda:/bin/bash
>
> So if something ever looked up w/'Domain\linda' on my
> PDC, it would resolve to the same UID+GID as the
> entry w/o the domain (since, theoretically, on the PDC,
> users == 'Domain\\users').
I take it 'PDC' means an NT4-style PDC and using such low ID numbers is
going to come back and bite, if and when you upgrade to AD.
>
> I also had idmap config for the '*' range set the same as for
> the 'Domain\' range (where the PDC is in 'Domain') as well as
> for the BUILTIN range (the UIDs I allocate for the 3 'domains'
> are designed not to clash).
That is just wrong, or will be if you upgrade to AD.
>
> It's my intent that name 'x' & 'domain\x' would map to the same UID
> (and windows RID) -- which is what happens on samba3.x. Haven't
> upgraded yet, since, with it working for me, I have other issues that
> are more pressing.
I would suggest that you do not use the RID for the user's uidNumber
if you upgrade to AD; it was only because it was easiest to use the
RID that it was used. With hindsight, it was a very bad idea.
Rowland
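
The two setups this reply objects to (the same idmap range for '*' and the domain, and domain users kept in /etc/passwd) can be checked mechanically. The script below is an added example, not part of the original message or of Samba; the function names and both sample inputs are constructed for illustration, and the UID-inside-range check is a generalization of the reply's point about local entries.

```python
import re

# Constructed smb.conf fragment: '*' and TESTAD share one ID range.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = TESTAD
    idmap config * : backend = tdb
    idmap config * : range = 1000-9999
    idmap config TESTAD : backend = rid
    idmap config TESTAD : range = 1000-9999
"""
# Constructed /etc/passwd sample, modelled on the entries quoted in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
linda:x:1001:201:xxx:/home/linda:/bin/bash
TESTAD\\linda:x:1001:201:xxx:/home/linda:/bin/bash
"""
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def parse_idmap_ranges(conf_text):
    """Return {domain: (low, high)} for every 'idmap config X : range' line."""
    ranges = {}
    for line in conf_text.splitlines():
        m = RANGE_RE.match(line)  # commented-out lines do not match
        if m:
            ranges[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return ranges

def overlapping_domains(ranges):
    """Return pairs of idmap domains whose ID ranges intersect."""
    names = sorted(ranges)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]]

def local_conflicts(passwd_text, ranges):
    """Return local accounts that are domain-qualified or whose UID is in an idmap range."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        name, uid = fields[0], int(fields[2])
        if "\\" in name:
            hits.append((name, uid, "domain-qualified name in local passwd"))
        elif any(lo <= uid <= hi for lo, hi in ranges.values()):
            hits.append((name, uid, "UID inside an idmap range"))
    return hits
```

To check a real host, pass the contents of its smb.conf and /etc/passwd to the same functions in place of the samples.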